inn-CURRENT-20160416/nnrpd issue

Julien ÉLIE julien at trigofacile.com
Sun Apr 17 09:47:24 UTC 2016


The Doctor,

>> Could you please try:
>>
>> switch (X509_STORE_CTX_get_error(ctx)) {
>>    case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
>>
>> X509_NAME_oneline(X509_get_issuer_name(X509_STORE_CTX_get_current_cert(ctx)),
>> buf, sizeof(buf));
>>
>> and tell us whether nnrpd builds better with that change?
> 
> That does the thing and it works fine.
> 
> Please somehow commit.

OK, thanks for the confirmation.
I've seen in the documentation of X509_STORE_CTX_get_error() that
"In versions of OpenSSL before 1.0 the current certificate returned
by X509_STORE_CTX_get_current_cert() was never NULL.  Applications
should check the return value before printing out any debugging
information relating to the current certificate."

so here is a complete patch.  In the switch part, err_cert is not NULL
because otherwise the error would have been different than
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT.


--- tls.c	(révision 9987)
+++ tls.c	(copie de travail)
@@ -244,9 +244,13 @@
     err = X509_STORE_CTX_get_error(ctx);
     depth = X509_STORE_CTX_get_error_depth(ctx);
 
-    X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof(buf));
-    if ((tls_serveractive) && (tls_loglevel >= 1))
-      Printf("Peer cert verify depth=%d %s", depth, buf);
+    if (err_cert != NULL) {
+        X509_NAME_oneline(X509_get_subject_name(err_cert), buf, sizeof(buf));
+        if ((tls_serveractive) && (tls_loglevel >= 1)) {
+            Printf("Peer cert verify depth=%d %s", depth, buf);
+        }
+    }
+    
     if (ok==0)
     {
       syslog(L_NOTICE, "verify error:num=%d:%s", err,
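Review bot: when err_cert is NULL, the new guard skips the "Peer cert verify depth=%d %s" message altogether, so the depth is no longer logged for that callback invocation. Consider keeping the Printf outside the guard and giving buf a placeholder value when there is no current certificate. The added blank line after the closing brace also carries trailing whitespace.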
@@ -260,9 +264,10 @@
 	    verify_error = X509_V_ERR_CERT_CHAIN_TOO_LONG;
 	}
     }
-    switch (ctx->error) {
+
+    switch (err) {
     case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
-	X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, sizeof(buf));
+	X509_NAME_oneline(X509_get_issuer_name(err_cert), buf, sizeof(buf));
 	syslog(L_NOTICE, "issuer= %s", buf);
 	break;
     case X509_V_ERR_CERT_NOT_YET_VALID:
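Review bot: in the X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT case, err_cert is passed to X509_get_issuer_name() with no NULL check, while the first hunk treats the same pointer as possibly NULL. The message argues it cannot be NULL for this error code; that reasoning should be recorded as a comment at the case, or the call guarded with "if (err_cert != NULL)" so the callback does not depend on it.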



I'll commit it soon.

-- 
Julien ÉLIE

"I feel that my last boar's head is near!" (Astérix)

