From: Alex Rousskov Date: Thu, 8 Mar 2012 01:50:04 +0000 (-0700) Subject: Do not assert if we fail to compose ssl_crtd request. Do blocking generation. X-Git-Tag: BumpSslServerFirst.take06~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=00fc192d0fc07257f60477a20459a079c9034b39;p=thirdparty%2Fsquid.git Do not assert if we fail to compose ssl_crtd request. Do blocking generation. Users report assertions when OpenSSL fails to write a true server certificate to to memory. Since that certificate is received from a 3rd party, we should not assert that it is writeable. Besides, OpenSSL may have limitations/bugs even if dealing with valid certificates. If we fail to componse a request, we now try the good old blocking in-process certificate generation. Currently, it is not known what exactly causes OpenSSL to fail as we are unable to trigger the assertion in a controlled test.
---
diff --git a/src/client_side.cc b/src/client_side.cc
index 139185f29f..c24364564a 100644
--- a/src/client_side.cc
+++ b/src/client_side.cc
@@ -3781,6 +3781,7 @@ ConnStateData::getSslContextStart()
 }
 #if USE_SSL_CRTD
+ try {
 debugs(33, 5, HERE << "Generating SSL certificate for " << certProperties.commonName << " using ssl_crtd.");
 Ssl::CrtdMessage request_message;
 request_message.setCode(Ssl::CrtdMessage::code_new_certificate);
@@ -3788,12 +3789,20 @@ ConnStateData::getSslContextStart()
 debugs(33, 5, HERE << "SSL crtd request: " << request_message.compose().c_str());
 Ssl::Helper::GetInstance()->sslSubmit(request_message, sslCrtdHandleReplyWrapper, this);
 return;
-#else
+ }
+ catch (const std::exception &e) {
+ debugs(33, DBG_IMPORTANT, "ERROR: Failed to compose ssl_crtd " <<
+ "request for " << certProperties.commonName <<
+ " certificate: " << e.what() << "; will now block to " <<
+ "generate that certificate.");
+ // fall through to do blocking in-process generation.
+ }
+#endif // USE_SSL_CRTD
+
 debugs(33, 5, HERE << "Generating SSL certificate for " << certProperties.commonName);
 dynCtx = Ssl::generateSslContext(certProperties);
 getSslContextDone(dynCtx, true);
 return;
-#endif //USE_SSL_CRTD
 }
 getSslContextDone(NULL);
 }
diff --git a/src/ssl/crtd_message.cc b/src/ssl/crtd_message.cc
index 6abe65d582..48c4c50af6 100644
--- a/src/ssl/crtd_message.cc
+++ b/src/ssl/crtd_message.cc
@@ -11,6 +11,9 @@
 #if HAVE_CSTRING
 #include
 #endif
+#if HAVE_STDEXCEPT
+#include
+#endif
 Ssl::CrtdMessage::CrtdMessage() : body_size(0), state(BEFORE_CODE)
@@ -242,11 +245,11 @@ void Ssl::CrtdMessage::composeRequest(Ssl::CertificateProperties const &certProp
 body += "\n" + Ssl::CrtdMessage::param_Sign + "=" + certSignAlgorithm(certProperties.signAlgorithm);
 std::string certsPart;
- bool ret = Ssl::writeCertAndPrivateKeyToMemory(certProperties.signWithX509, certProperties.signWithPkey, certsPart);
- assert(ret);
+ if (!Ssl::writeCertAndPrivateKeyToMemory(certProperties.signWithX509, certProperties.signWithPkey, certsPart) || true)
+ throw std::runtime_error("Ssl::writeCertAndPrivateKeyToMemory()");
 if (certProperties.mimicCert.get()) {
- ret = Ssl::appendCertToMemory(certProperties.mimicCert, certsPart);
- assert(ret);
+ if (!Ssl::appendCertToMemory(certProperties.mimicCert, certsPart))
+ throw std::runtime_error("Ssl::appendCertToMemory()");
 }
 body += "\n" + certsPart;
 }
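Review bot: The new catch block in getSslContextStart() falls through to Ssl::generateSslContext() with nothing bounding how often that happens, so each compose failure costs one blocking in-process certificate generation plus one DBG_IMPORTANT log line. The commit message attributes the failure to a certificate received from a third party, so the trigger may be under a remote server's control (inferred; the hunk does not show where that certificate enters certProperties), and repeated failures would stall the worker and fill the log. Document the cost at the fallback, e.g. `// XXX: blocks the main loop on every failure and may be remotely triggered; rate-limit this ERROR and count fallbacks`. The try block also encloses the sslSubmit() call, so a std::exception raised there would be reported as a compose failure. The function body starts before this hunk.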
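Review bot: The `|| true` in the first new condition of composeRequest() makes the throw unconditional, so the function raises std::runtime_error even when Ssl::writeCertAndPrivateKeyToMemory() succeeds. Combined with the catch added in src/client_side.cc, the ssl_crtd helper would never be used: every call reaching this path logs an ERROR and generates the certificate in-process, blocking. It looks like a leftover from exercising the failure path; the condition should read `if (!Ssl::writeCertAndPrivateKeyToMemory(certProperties.signWithX509, certProperties.signWithPkey, certsPart))`. composeRequest() starts above this hunk.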
diff --git a/src/ssl/crtd_message.h b/src/ssl/crtd_message.h
index af6e084fe8..7891ace376 100644
--- a/src/ssl/crtd_message.h
+++ b/src/ssl/crtd_message.h
@@ -65,7 +65,7 @@ public:
 void composeBody(BodyParams const & map, std::string const & other_part);
 bool parseRequest(Ssl::CertificateProperties &, std::string &error);
- void composeRequest(Ssl::CertificateProperties const &);
+ void composeRequest(Ssl::CertificateProperties const &); // throws
 /// String code for "new_certificate" messages
 static const std::string code_new_certificate;
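Review bot: The trailing `// throws` on composeRequest() does not say what is thrown or under which condition, which callers need to know now that the function no longer asserts. A Doxygen line in the `///` style used just below would carry that contract: `/// \throws std::runtime_error if the signing certificate/key or the mimicked certificate cannot be written to memory`. The class declaration starts and ends outside this hunk.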