(PUP-8213) Display correct message when certname is mismatched

[joshcooper]

Previously, if the server's cert did not match the hostname we tried to connect
to, puppet would output a confusing message:

certificate verify failed: [ok for /CN=XXX]

This occurs because ruby 2.4 introduced a new security feature whereby the cert
is automatically verified during the call to SSLSocket#connect[1]. In earlier
ruby versions, the application had to call SSLSocket#post_connection_check,
but of course, many people forgot to, or didn't know they had to, leading to
MITM vulnerabilities.

However, when a mismatch occurs, ruby 2.4 invokes our verify_callback with
preverify_ok=false, but store_context.error=0 which is OpenSSL::SSL::V_OK.
Ruby then raises an SSLError whose message is 'certificate verify failed',
which matches the first "if" statement in our error handler.

This commit changes the order so that if an SSLError is rescued, we
check to see if there's a host mismatch first. If not, we check if there
were any verify errors, or raise the original error.

This change is compatible with ruby versions prior to 2.4, because both
SSLSocket#post_connection_check and our error handler use
OpenSSL::SSL.verify_certificate_identity to detect the certname mismatch.

[1] ruby/openssl#60

[joshcooper]

$ bx ruby --version
ruby 2.5.3p105 (2018-10-18 revision 65156) [x86_64-darwin18]
$ bx puppet catalog find --server puppet-evil --terminus rest
Error: Could not call 'find' on 'catalog': Server hostname 'puppet-evil' did not match server certificate; expected one of puppet, DNS:puppet, DNS:puppet.delivery.puppetlabs.net

[joshcooper]

jenkins please test this with servertests

[puppetcla]

CLA signed by all contributors.

[justinstoller]

@reidmv , I think you recently mentioned a similar/same problem in Slack.

[joshcooper]

Also normal agent run where puppet-evil maps to the IP of my puppetserver in /etc/hosts:

$ bx puppet agent -t --server puppet-evil
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: Server hostname 'puppet-evil' did not match server certificate; expected one of puppet, DNS:puppet, DNS:puppet.delivery.puppetlabs.net
Info: Retrieving pluginfacts
Error: /File[/Users/josh/.puppetlabs/opt/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': Server hostname 'puppet-evil' did not match server certificate; expected one of puppet, DNS:puppet, DNS:puppet.delivery.puppetlabs.net
Error: /File[/Users/josh/.puppetlabs/opt/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: Server hostname 'puppet-evil' did not match server certificate; expected one of puppet, DNS:puppet, DNS:puppet.delivery.puppetlabs.net
Info: Retrieving plugin
Error: /File[/Users/josh/.puppetlabs/opt/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': Server hostname 'puppet-evil' did not match server certificate; expected one of puppet, DNS:puppet, DNS:puppet.delivery.puppetlabs.net
Error: /File[/Users/josh/.puppetlabs/opt/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: Server hostname 'puppet-evil' did not match server certificate; expected one of puppet, DNS:puppet, DNS:puppet.delivery.puppetlabs.net
Error: Could not retrieve catalog from remote server: Server hostname 'puppet-evil' did not match server certificate; expected one of puppet, DNS:puppet, DNS:puppet.delivery.puppetlabs.net
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: Server hostname 'puppet-evil' did not match server certificate; expected one of puppet, DNS:puppet, DNS:puppet.delivery.puppetlabs.net

The fact that the agent keeps continuing after node, pluginsync, etc failures is long standing behavior. Would be good to fix that later, eg https://tickets.puppetlabs.com/browse/PUP-1763