Join GitHub today
GitHub is home to over 40 million developers working together to host and review code, manage projects, and build software together.
Sign upCRL loading fails due to incorrect return code check #5040
Comments
smarsching
added a commit
to smarsching/icinga2
that referenced
this issue
Feb 27, 2017
The code for loading CRLs was incorrectly assuming that OpenSSL's X509_LOOKUP_load_file function returns zero on success, but actually it returns one on success. This commit fixes this return code check so that a CRL can be loaded.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
smarsching commentedFeb 27, 2017
When specifying a CRL through the
crl_pathoption in the API listener configuration, starting Icinga2 fails with the following error message:The reason for this error message is that
AddCRLToSSLContextinlib/base/tlsutility.cppincorrectly verifies the return code of the OpenSSL functionX509_LOOKUP_load_file. OpenSSL signals successful execution with a return code of one, but the code inAddCRLToSSLContextfails if the return code is not zero. This means that the code will not continue when the CRL has actually been loaded successfully, but it will continue when there is an error while loading the CRL.I found this bug in Icinga 2.4, but it is still present in the current master branch.
Don't bother fixing this bug. I already have a patch and will submit a pull request shortly. This issue is only for tracking the bug.