From fab3a82599e427419d1ed5f11e3c99156b703bfb Mon Sep 17 00:00:00 2001
From: Christos Tsantilas
Date: Wed, 25 Dec 2019 17:21:30 +0000
Subject: [PATCH] Fix server_cert_fingerprint on cert validator-reported errors (#522)

The server_cert_fingerprint ACL mismatched when sslproxy_cert_error directive was applied to validation errors reported by the certificate validator because the ACL could not find the server certificate.

This is a Measurement Factory project.
---
 src/acl/FilledChecklist.h | 5 ++++-
 src/acl/ServerCertificate.cc | 5 ++++-
 src/security/PeerConnector.cc | 4 +++-
 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/src/acl/FilledChecklist.h b/src/acl/FilledChecklist.h
index f9bb7b67fb..cf2b3ea091 100644
--- a/src/acl/FilledChecklist.h
+++ b/src/acl/FilledChecklist.h
@@ -89,7 +89,10 @@ public:
     /// SSL [certificate validation] errors, in undefined order
     const Security::CertErrors *sslErrors;
-    /// The peer certificate
+
+    /// Peer certificate being checked by ssl_verify_cb() and by
+    /// Security::PeerConnector class. In other contexts, the peer
+    /// certificate is retrieved via ALE or ConnStateData::serverBump.
     Security::CertPointer serverCert;
     AccessLogEntry::Pointer al; ///< info for the future access.log, and external ACL
diff --git a/src/acl/ServerCertificate.cc b/src/acl/ServerCertificate.cc
index 1246306d37..f5aeafde9f 100644
--- a/src/acl/ServerCertificate.cc
+++ b/src/acl/ServerCertificate.cc
@@ -24,7 +24,10 @@ ACLServerCertificateStrategy::match(ACLData * &data, ACLFilledCheckli
     Security::CertPointer cert;
     if (checklist->serverCert)
         cert = checklist->serverCert;
-    else if (checklist->conn() != NULL && checklist->conn()->serverBump())
+    else if (checklist->al && Comm::IsConnOpen(checklist->al->hier.tcpServer)) {
+        const auto ssl = fd_table[checklist->al->hier.tcpServer->fd].ssl.get();
+        cert.resetWithoutLocking(SSL_get_peer_certificate(ssl));
+    } else if (checklist->conn() && checklist->conn()->serverBump())
         cert = checklist->conn()->serverBump()->serverCert;
 
     if (!cert)
diff --git a/src/security/PeerConnector.cc b/src/security/PeerConnector.cc
index f088371b2b..072d69ae69 100644
--- a/src/security/PeerConnector.cc
+++ b/src/security/PeerConnector.cc
@@ -309,14 +309,16 @@ Security::CertErrors *
 Security::PeerConnector::sslCrtvdCheckForErrors(Ssl::CertValidationResponse const &resp, Ssl::ErrorDetail *& errDetails)
 {
     ACLFilledChecklist *check = NULL;
+    Security::SessionPointer session(fd_table[serverConnection()->fd].ssl);
+
     if (acl_access *acl = ::Config.ssl_client.cert_error) {
         check = new ACLFilledChecklist(acl, request.getRaw(), dash_str);
         check->al = al;
         check->syncAle(request.getRaw(), nullptr);
+        check->serverCert.resetWithoutLocking(SSL_get_peer_certificate(session.get()));
     }
 
     Security::CertErrors *errs = nullptr;
-    Security::SessionPointer session(fd_table[serverConnection()->fd].ssl);
     typedef Ssl::CertValidationResponse::RecvdErrors::const_iterator SVCRECI;
     for (SVCRECI i = resp.errors.begin(); i != resp.errors.end(); ++i) {
         debugs(83, 7, "Error item: " << i->error_no << " " << i->error_reason);
-- 
2.47.2
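Review bot: The new `else if` branch in ACLServerCertificateStrategy::match takes the open `al->hier.tcpServer` connection before checking that it carries a TLS session, so if `fd_table[...].ssl` is null for an open server connection (a plain-TCP upstream, if that can occur on this path) `cert` is reset from `SSL_get_peer_certificate(nullptr)` to nothing and the `serverBump()->serverCert` fallback below is never tried, where the old code would still have reached it. Folding the session test into the condition keeps the fallback reachable: `else if (checklist->al && Comm::IsConnOpen(checklist->al->hier.tcpServer) && fd_table[checklist->al->hier.tcpServer->fd].ssl) {`. The `resetWithoutLocking` call also deserves a one-line comment, e.g. `// SSL_get_peer_certificate() returns a reference we own; adopt it without locking again`, so the ownership pairing is not lost in a later edit. If preferring the live connection over serverBump is deliberate, say so in a comment, since the order now decides which certificate the ACL sees. match() starts before this hunk and continues after it.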
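Review bot: The added `check->serverCert.resetWithoutLocking(SSL_get_peer_certificate(session.get()))` line in sslCrtvdCheckForErrors relies on an unstated ownership pairing: `SSL_get_peer_certificate()` hands back a new reference and `resetWithoutLocking()` adopts it without taking another, so switching to a locking reset would leak one reference per validator response. A comment such as `// SSL_get_peer_certificate() returns a new reference; adopt it, do not lock again` on that line would pin this down. Hoisting `session` above the `if` is harmless since the removed line already built it unconditionally, but `session.get()` is passed with no null check; that is presumably safe because a validator reply implies the TLS session on serverConnection() still exists, which is worth confirming against the caller. sslCrtvdCheckForErrors continues past the end of the hunk.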