" certificate: " << e.what() << "; will now block to " <<
"validate that certificate.");
// fall through to do blocking in-process generation.
+ ErrorState *anErr = new ErrorState(ERR_GATEWAY_FAILURE, HTTP_INTERNAL_SERVER_ERROR, request);
+ fail(anErr);
+ if (serverConnection()->getPeer()) {
+ peerConnectFailed(serverConnection()->getPeer());
+ }
+ serverConn->close();
+ self = NULL;
+ return;
}
}
#endif // USE_SSL_CERT_VALIDATOR
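Review bot: The `debugs` text `"; will now block to " << "validate that certificate."` and the comment `// fall through to do blocking in-process generation.` are now wrong, because the lines added directly below them fail the connection and `return` instead of falling through to in-process validation. Reword both to match the new behaviour, e.g. `"; failing the connection."` and `// no in-process fallback: fail the connection closed.`, so the log does not send an operator looking for a blocking validation that never happens. The enclosing try/catch and the function begin outside this hunk.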
{
Ssl::Errors *errs = NULL;
Ssl::ErrorDetail *errDetails = NULL;
+ bool validatorFailed = false;
if (!Comm::IsConnOpen(serverConnection())) {
return;
}
if (!reply) {
debugs(83, 1, HERE << "\"ssl_crtd\" helper return <NULL> reply");
+ validatorFailed = true;
} else {
Ssl::CertValidateMessage reply_message;
Ssl::ValidateCertificateResponse resp;
std::string error;
+ STACK_OF(X509) *peerCerts = SSL_get_peer_cert_chain(ssl);
if (reply_message.parse(reply, strlen(reply)) != Ssl::CrtdMessage::OK ||
- !reply_message.parseResponse(resp, error) ) {
+ !reply_message.parseResponse(resp, peerCerts, error) ) {
debugs(83, 5, HERE << "Reply from ssl_crtvd for " << request->GetHost() << " is incorrect");
+ validatorFailed = true;
} else {
if (reply_message.getCode() != "OK") {
debugs(83, 5, HERE << "Certificate for " << request->GetHost() << " cannot be validated. ssl_crtvd response: " << reply_message.getBody());
+ validatorFailed = true;
} else {
debugs(83, 5, HERE << "Certificate for " << request->GetHost() << " was successfully validated from ssl_crtvd");
- // Copy the list of errors etc....
ACLFilledChecklist *check = NULL;
if (acl_access *acl = Config.ssl_client.cert_error) {
check = new ACLFilledChecklist(acl, request, dash_str);
for(std::vector<Ssl::ValidateCertificateResponse::ErrorItem>::const_iterator i = resp.errors.begin(); i != resp.errors.end(); ++i) {
- debugs(83, 7, "Error item: " << i->error_no << " " << i->error_reason << " " << i->certId);
+ debugs(83, 7, "Error item: " << i->error_no << " " << i->error_reason);
if (i->error_no == SSL_ERROR_NONE)
continue; //ignore????
debugs(83, 3, "bypassing SSL error " << i->error_no << " in " << "buffer");
} else {
debugs(83, 5, "confirming SSL error " << i->error_no);
- STACK_OF(X509) *peerCerts = SSL_get_peer_cert_chain(ssl);
- //if i->certID is not correct sk_X509_value returns NULL
- X509 *brokenCert = NULL;
- if (i->cert != NULL)
- brokenCert = i->cert;
- else
- brokenCert = sk_X509_value(peerCerts, i->certId);
+ X509 *brokenCert = (i->cert ? i->cert : NULL);
X509 *peerCert = SSL_get_peer_certificate(ssl);
const char *aReason = i->error_reason.empty() ? NULL : i->error_reason.c_str();
errDetails = new Ssl::ErrorDetail(i->error_no, peerCert, brokenCert, aReason);
}
}
}
- // Check the list error with
- if (errDetails && request->clientConnectionManager.valid()) {
- // remember the server certificate from the ErrorDetail object
- if (Ssl::ServerBump *serverBump = request->clientConnectionManager->serverBump()) {
- // remember validation errors, if any
- if (errs) {
- if (serverBump->sslErrors)
- cbdataReference(serverBump->sslErrors);
- serverBump->sslErrors = cbdataReference(errs);
+
+ ErrorState *anErr = NULL;
+ if (validatorFailed) {
+ anErr = new ErrorState(ERR_GATEWAY_FAILURE, HTTP_INTERNAL_SERVER_ERROR, request);
+ } else {
+
+ // Check the list error with
+ if (errDetails && request->clientConnectionManager.valid()) {
+ // remember the server certificate from the ErrorDetail object
+ if (Ssl::ServerBump *serverBump = request->clientConnectionManager->serverBump()) {
+ // remember validation errors, if any
+ if (errs) {
+ if (serverBump->sslErrors)
+ cbdataReference(serverBump->sslErrors);
+ serverBump->sslErrors = cbdataReference(errs);
+ }
}
}
+
+ anErr = makeConnectingError(ERR_SECURE_CONNECT_FAIL);
+ anErr->detail = errDetails;
+ /*anErr->xerrno= Should preserved*/
}
- ErrorState *const anErr = makeConnectingError(ERR_SECURE_CONNECT_FAIL);
- anErr->detail = errDetails;
- /*anErr->xerrno= Should preserved*/
fail(anErr);
if (serverConnection()->getPeer()) {
peerConnectFailed(serverConnection()->getPeer());
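Review bot: The fail-closed handling added with `validatorFailed` is only effective if every success exit between the reply parsing and `ErrorState *anErr = NULL;` tests it as well: a NULL or unparsable helper reply leaves `errDetails` NULL, so a return keyed on `errDetails` alone would hand the connection through with an unvalidated certificate, and not all of the lines between the loop's closing braces and the new block are visible in this hunk, so confirm the guard there reads `if (!errDetails && !validatorFailed)`. Separately, `X509 *brokenCert = (i->cert ? i->cert : NULL);` is just `X509 *brokenCert = i->cert;`, and the carried-over comment `/*anErr->xerrno= Should preserved*/` should either be spelled out or dropped. The enclosing handler's signature and its earlier success path are outside this hunk.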
#include "squid.h"
+#include "acl/FilledChecklist.h"
#include "ssl/support.h"
#include "ssl/cert_validate_message.h"
#include "ssl/ErrorDetail.h"
return strtol(e, 0 , 10);
}
-bool Ssl::CertValidateMessage::parseResponse(ValidateCertificateResponse &resp, std::string &error)
+bool Ssl::CertValidateMessage::parseResponse(ValidateCertificateResponse &resp, STACK_OF(X509) *peerCerts, std::string &error)
{
int current_errorId = -1;
std::vector<Ssl::ValidateCertificateResponse::CertItem> certs;
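Review bot: The new `peerCerts` parameter has no documentation stating that it is borrowed (the caller keeps ownership of the chain) and that it may be NULL, which the later lookup tolerates only because `sk_X509_value` returns NULL for a NULL stack or an out-of-range index. Add above the definition: `/// \param peerCerts the peer chain that the response's cert ids index into (borrowed, may be NULL; unresolved ids leave the item's cert NULL)`. The function body continues beyond this hunk.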
}
}
if (!currentItem.cert) {
- currentItem.certId = get_error_id(v.c_str(), v.length());
- debugs(83, 6, HERE << "Cert ID read:" << currentItem.certId);
+ int certId = get_error_id(v.c_str(), v.length());
+ //if certId is not correct sk_X509_value returns NULL
+ currentItem.setCert(sk_X509_value(peerCerts, certId));
+ debugs(83, 6, HERE << "Cert ID read:" << certId);
}
}
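Review bot: `currentItem.setCert(sk_X509_value(peerCerts, certId));` stores a pointer borrowed from the peer chain, and `ErrorItem::clear()` later calls `X509_free(cert)`, so `setCert` must take its own reference on the certificate or the chain entry is released out from under the SSL object; `setCert` is not visible here, so confirm it does. An out-of-range or negative id also yields a NULL cert silently, reported only by the level-6 "Cert ID read" line; logging the miss explicitly, e.g. `if (!currentItem.cert) debugs(83, 3, HERE << "certificate id " << certId << " not found in peer chain");`, would make a malformed helper response diagnosable. The enclosing parse loop starts before this hunk.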
Ssl::ValidateCertificateResponse::ErrorItem::ErrorItem(const ErrorItem &old) {
error_no = old.error_no;
error_reason = old.error_reason;
- certId = old.certId;
cert = NULL;
setCert(old.cert);
}
Ssl::ValidateCertificateResponse::ErrorItem & Ssl::ValidateCertificateResponse::ErrorItem::operator = (const ErrorItem &old) {
error_no = old.error_no;
error_reason = old.error_reason;
- certId = old.certId;
setCert(old.cert);
return *this;
}
Ssl::ValidateCertificateResponse::ErrorItem::clear() {
error_no = SSL_ERROR_NONE;
error_reason = "";
- certId = 0;
if (cert)
X509_free(cert);
cert = NULL;