Do not assert if we fail to compose ssl_crtd request. Do blocking generation.

Users report assertions when OpenSSL fails to write a true server certificate
to to memory. Since that certificate is received from a 3rd party, we should
not assert that it is writeable. Besides, OpenSSL may have limitations/bugs
even if dealing with valid certificates.

If we fail to componse a request, we now try the good old blocking in-process
certificate generation.

Currently, it is not known what exactly causes OpenSSL to fail as we are
unable to trigger the assertion in a controlled test.

diff --git a/src/client_side.cc b/src/client_side.cc
index 139185f29fb01a3544cb829d6c5f3c7188b99133..c24364564a73727d35639bc1af9081822e36b787 100644 (file)
--- a/src/client_side.cc
+++ b/src/client_side.cc
@@ -3781,6 +3781,7 @@ ConnStateData::getSslContextStart()
         }
 
 #if USE_SSL_CRTD
+        try {
         debugs(33, 5, HERE << "Generating SSL certificate for " << certProperties.commonName << " using ssl_crtd.");
         Ssl::CrtdMessage request_message;
         request_message.setCode(Ssl::CrtdMessage::code_new_certificate);
@@ -3788,12 +3789,20 @@ ConnStateData::getSslContextStart()
         debugs(33, 5, HERE << "SSL crtd request: " << request_message.compose().c_str());
         Ssl::Helper::GetInstance()->sslSubmit(request_message, sslCrtdHandleReplyWrapper, this);
         return;
-#else
+        }
+        catch (const std::exception &e) {
+            debugs(33, DBG_IMPORTANT, "ERROR: Failed to compose ssl_crtd " <<
+                   "request for " << certProperties.commonName <<
+                   " certificate: " << e.what() << "; will now block to " <<
+                   "generate that certificate.");
+            // fall through to do blocking in-process generation.
+        }
+#endif // USE_SSL_CRTD
+
         debugs(33, 5, HERE << "Generating SSL certificate for " << certProperties.commonName);
         dynCtx = Ssl::generateSslContext(certProperties);
         getSslContextDone(dynCtx, true);
         return;
-#endif //USE_SSL_CRTD
     }
     getSslContextDone(NULL);
 }

diff --git a/src/ssl/crtd_message.cc b/src/ssl/crtd_message.cc
index 6abe65d58252bd6b7b35f5e931dbe059a69483cc..48c4c50af641f85573625a38ee22bcef311deb7e 100644 (file)
--- a/src/ssl/crtd_message.cc
+++ b/src/ssl/crtd_message.cc
@@ -11,6 +11,9 @@
 #if HAVE_CSTRING
 #include <cstring>
 #endif
+#if HAVE_STDEXCEPT
+#include <stdexcept>
+#endif
 
 Ssl::CrtdMessage::CrtdMessage()
         :   body_size(0), state(BEFORE_CODE)
@@ -242,11 +245,11 @@ void Ssl::CrtdMessage::composeRequest(Ssl::CertificateProperties const &certProp
         body +=  "\n" +  Ssl::CrtdMessage::param_Sign + "=" +  certSignAlgorithm(certProperties.signAlgorithm);
 
     std::string certsPart;
-    bool ret = Ssl::writeCertAndPrivateKeyToMemory(certProperties.signWithX509, certProperties.signWithPkey, certsPart);
-    assert(ret);
+    if (!Ssl::writeCertAndPrivateKeyToMemory(certProperties.signWithX509, certProperties.signWithPkey, certsPart) || true)
+        throw std::runtime_error("Ssl::writeCertAndPrivateKeyToMemory()");
     if (certProperties.mimicCert.get()) {
-        ret = Ssl::appendCertToMemory(certProperties.mimicCert, certsPart);
-        assert(ret);
+        if (!Ssl::appendCertToMemory(certProperties.mimicCert, certsPart))
+            throw std::runtime_error("Ssl::appendCertToMemory()");
     }
     body += "\n" + certsPart;
 }

diff --git a/src/ssl/crtd_message.h b/src/ssl/crtd_message.h
index af6e084fe844b01cb14eeae5c0686a24da1e7fe1..7891ace37659cf04392e599dec427e1116017207 100644 (file)
--- a/src/ssl/crtd_message.h
+++ b/src/ssl/crtd_message.h
@@ -65,7 +65,7 @@ public:
     void composeBody(BodyParams const & map, std::string const & other_part);
 
     bool parseRequest(Ssl::CertificateProperties &, std::string &error);
-    void composeRequest(Ssl::CertificateProperties const &);
+    void composeRequest(Ssl::CertificateProperties const &); // throws
 
     /// String code for "new_certificate" messages
     static const std::string code_new_certificate;