Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CRL loading fails due to incorrect return code check #5040

Closed
smarsching opened this issue Feb 27, 2017 · 0 comments
Closed

CRL loading fails due to incorrect return code check #5040

smarsching opened this issue Feb 27, 2017 · 0 comments
Assignees
@gunnarbeutner
Labels
area/distributed bug
Milestone
2.7.0

Comments

@smarsching
Copy link
Contributor

@smarsching smarsching commented Feb 27, 2017

When specifying a CRL through the crl_path option in the API listener configuration, starting Icinga2 fails with the following error message:

critical/SSL: Error loading crl file '/etc/icinga2/pki/crl.pem': 0, "error:00000000:lib(0):func(0):reason(0)"

The reason for this error message is that AddCRLToSSLContext in lib/base/tlsutility.cpp incorrectly verifies the return code of the OpenSSL function X509_LOOKUP_load_file. OpenSSL signals successful execution with a return code of one, but the code in AddCRLToSSLContext fails if the return code is not zero. This means that the code will not continue when the CRL has actually been loaded successfully, but it will continue when there is an error while loading the CRL.

I found this bug in Icinga 2.4, but it is still present in the current master branch.

Don't bother fixing this bug. I already have a patch and will submit a pull request shortly. This issue is only for tracking the bug.
smarsching added a commit to smarsching/icinga2 that referenced this issue Feb 27, 2017
@smarsching
Fixed return code check in CRL loading (Icinga#5040).
d78a5b8 
The code for loading CRLs was incorrectly assuming that OpenSSL's
X509_LOOKUP_load_file function returns zero on success, but actually it
returns one on success. This commit fixes this return code check so
that a CRL can be loaded.
@smarsching smarsching mentioned this issue Feb 27, 2017
Closed
@gunnarbeutner gunnarbeutner self-assigned this Feb 28, 2017
@gunnarbeutner gunnarbeutner added bug area/distributed labels Feb 28, 2017
@gunnarbeutner gunnarbeutner added this to the 2.7.0 milestone Feb 28, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@gunnarbeutner gunnarbeutner

Labels
area/distributed bug
Projects
None yet
Milestone
2.7.0
Development

No branches or pull requests
2 participants
@gunnarbeutner @smarsching