-
Notifications
You must be signed in to change notification settings - Fork 90
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
MINIFICPP-1070 - Fixed handling of PKCS12 certificates #666
Conversation
I've tested the changes with PEM and PKCS12 certs, signed directly with a root CA as well as with an intermediate and all the combinations work well. |
@@ -80,7 +82,16 @@ bool SSLContextService::configure_ssl_context(SSL_CTX *ctx) { | |||
X509_free(cert); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
My gut feeling says that whenever we do this we leak the page pointed by "ca".
PKCS12_parse allocates that as well, so I think we need to free it.
I would also prefer using scope guards for the resources here to avoid leaks.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changed the code to use scope guards.
logging::LOG_ERROR(logger_) << "Failed to set additional certificate from " << certificate << ", " << getLatestOpenSSLErrorString(); | ||
EVP_PKEY_free(pkey); | ||
X509_free(cacert); | ||
return false; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So we iterate through "ca" and free one of the certs in case of error and leave the rest. This definitely feels wrong.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fixed this with scope guard as well
6781bff
to
05aa249
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Look good, nice work, thanks!
The changes you added are indented with tabs instead of 2 spaces. Please fix that (preferably also in your IDE), otherwise I’m happy to merge.
@asdaraujo : according to CI it seems security related tests fail with segfault. You can execute them with the following command:
Please make sure they pass! |
05aa249
to
d299547
Compare
Thanks, @arpadboda ! Fixed the tabs and the segfault. |
Looks good, will merge soon, thanks! @asdaraujo : next time please take a look at linter errors! (You can run linter by executing "make linter"). Will fix the current ones when merging.
|
There are two issues fixed in this commit: * SSLContextService was ignoring additional certs in the P12 file, which was preventing the server to establish trust of the client certificate when it was signed by an intermediate CA. * TLSSocket only supported PEM certificates. It has been changed to delegate the handling of cert files to the SSLContextService.
Thanks, @arpadboda, and thanks for the linter tip. I'm sending an update with the linter errors fixed. |
d299547
to
64c9927
Compare
Merged, just forgot to close in scope of that commit ( aabcbee ) Manually closing now. Thanks again @asdaraujo ! |
There are two issues fixed in this commit:
file, which was preventing the server to establish trust of
the client certificate when it was signed by an intermediate
CA.
to delegate the handling of cert files to the SSLContextService.
Thank you for submitting a contribution to Apache NiFi - MiNiFi C++.
In order to streamline the review of the contribution we ask you
to ensure the following steps have been taken:
For all changes:
Is there a JIRA ticket associated with this PR? Is it referenced
in the commit message?
Does your PR title start with MINIFICPP-XXXX where XXXX is the JIRA number you are trying to resolve? Pay particular attention to the hyphen "-" character.
Has your PR been rebased against the latest commit within the target branch (typically master)?
Is your initial contribution a single, squashed commit?
For code changes:
For documentation related changes:
Note:
Please ensure that once the PR is submitted, you check travis-ci for build issues and submit an update to your PR as soon as possible.