Fix server_cert_fingerprint on cert validator-reported errors (#522)
authorChristos Tsantilas <christos@chtsanti.net>
Wed, 25 Dec 2019 17:21:30 +0000 (17:21 +0000)
committerSquid Anubis <squid-anubis@squid-cache.org>
Sun, 29 Dec 2019 21:00:16 +0000 (21:00 +0000)
The server_cert_fingerprint ACL mismatched when the sslproxy_cert_error
directive was applied to validation errors reported by the certificate
validator, because the ACL could not locate the server certificate.

This is a Measurement Factory project.

src/acl/FilledChecklist.h
src/acl/ServerCertificate.cc
src/security/PeerConnector.cc

index f9bb7b67fb4628a4888771e8dc4f4653a295ce83..cf2b3ea0917d14521a29bf682a1070dd5d634419 100644 (file)
@@ -89,7 +89,10 @@ public:
 
     /// SSL [certificate validation] errors, in undefined order
     const Security::CertErrors *sslErrors;
-    /// The peer certificate
+
+    /// Peer certificate being checked by ssl_verify_cb() and by
+    /// Security::PeerConnector class. In other contexts, the peer
+    /// certificate is retrieved via ALE or ConnStateData::serverBump.
     Security::CertPointer serverCert;
 
     AccessLogEntry::Pointer al; ///< info for the future access.log, and external ACL
index 1246306d37df3364d5cb6d6c77f3d2b06fc96247..f5aeafde9fc9a20421183f843c9dba9d504521c1 100644 (file)
@@ -24,7 +24,10 @@ ACLServerCertificateStrategy::match(ACLData<MatchType> * &data, ACLFilledCheckli
     Security::CertPointer cert;
     if (checklist->serverCert)
         cert = checklist->serverCert;
-    else if (checklist->conn() != NULL && checklist->conn()->serverBump())
+    else if (checklist->al && Comm::IsConnOpen(checklist->al->hier.tcpServer)) {
+        const auto ssl = fd_table[checklist->al->hier.tcpServer->fd].ssl.get();
+        cert.resetWithoutLocking(SSL_get_peer_certificate(ssl));
+    } else if (checklist->conn() && checklist->conn()->serverBump())
         cert = checklist->conn()->serverBump()->serverCert;
 
     if (!cert)
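Review bot: The new ALE-based branch hands `fd_table[...].ssl.get()` to SSL_get_peer_certificate() unchecked, so an open server connection that carries no TLS session passes a null pointer; OpenSSL tolerates a null SSL and returns NULL, but the code should not depend on that silently, and an explicit guard reads better: `if (const auto ssl = fd_table[checklist->al->hier.tcpServer->fd].ssl.get())` followed by `cert.resetWithoutLocking(SSL_get_peer_certificate(ssl));`. The ownership transfer is also undocumented: SSL_get_peer_certificate() returns a new reference, which is why `resetWithoutLocking()` rather than the locking `reset()` must adopt it — a one-line comment such as `// SSL_get_peer_certificate() returns a new reference; adopt it without locking` would prevent a future "fix" that leaks; the same applies to the `check->serverCert.resetWithoutLocking(...)` line added in src/security/PeerConnector.cc. Because this branch now precedes the `serverBump()` lookup, a bumped connection whose ALE has an open tcpServer is presumably matched against the fd_table session's certificate instead of `serverBump()->serverCert`; if that is intended, a short comment explaining the precedence would help. ACLServerCertificateStrategy::match() begins before and continues after this hunk.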
index f088371b2b014456f13cd575470c518ea027043d..072d69ae697a5638bdec7ff15db08c6703c8db5b 100644 (file)
@@ -309,14 +309,16 @@ Security::CertErrors *
 Security::PeerConnector::sslCrtvdCheckForErrors(Ssl::CertValidationResponse const &resp, Ssl::ErrorDetail *& errDetails)
 {
     ACLFilledChecklist *check = NULL;
+    Security::SessionPointer session(fd_table[serverConnection()->fd].ssl);
+
     if (acl_access *acl = ::Config.ssl_client.cert_error) {
         check = new ACLFilledChecklist(acl, request.getRaw(), dash_str);
         check->al = al;
         check->syncAle(request.getRaw(), nullptr);
+        check->serverCert.resetWithoutLocking(SSL_get_peer_certificate(session.get()));
     }
 
     Security::CertErrors *errs = nullptr;
-    Security::SessionPointer session(fd_table[serverConnection()->fd].ssl);
     typedef Ssl::CertValidationResponse::RecvdErrors::const_iterator SVCRECI;
     for (SVCRECI i = resp.errors.begin(); i != resp.errors.end(); ++i) {
         debugs(83, 7, "Error item: " << i->error_no << " " << i->error_reason);