
Infinite loop in NewClient() if system certificates are not installed #75

Closed
garrmcnu opened this issue Jun 11, 2020 · 1 comment · Fixed by #80

Comments

@garrmcnu (Contributor)

As described in restic/restic#2355, if the ca_root_nss package is not installed on FreeBSD, the restic command hangs indefinitely:

pkg remove ca_root_nss
restic -r b2:<repo> init

Can reproduce on Linux by using a self-signed certificate for the root certificates:

restic --cacert ~/certs/self-signed.crt -r b2:<repo> snapshots

This example code also shows the issue by using an empty certificate pool for the RootCAs in the TLS client configuration:

package main

import (
	"context"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"os"

	"github.com/kurin/blazer/b2"
)

func main() {
	id := os.Getenv("B2_ACCOUNT_ID")
	key := os.Getenv("B2_ACCOUNT_KEY")
	if id == "" || key == "" {
		fmt.Println("B2_ACCOUNT_ID or B2_ACCOUNT_KEY not set")
		return
	}

	ctx := context.Background()

	// An empty RootCAs pool means no server certificate can be validated,
	// so every TLS handshake fails with "certificate signed by unknown authority".
	tr := &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: x509.NewCertPool()},
	}

	// NewClient never returns: the failed b2_authorize_account request is retried forever.
	client, err := b2.NewClient(ctx, id, key, b2.Transport(tr))
	if err != nil {
		fmt.Println(err)
		return
	}

	fmt.Println("b2 client", client)
}

As far as I can see, the issue is that the b2_authorize_account request fails with the error "x509: certificate signed by unknown authority"; this error is wrapped in a b2err type, which is treated as a transient error, and the request retries indefinitely.

One option to avoid the retries would be to check for this "unknown authority" error and return it directly to the application?

@garrmcnu (Contributor, Author)

Added a check on the error type for a request failure: if it is an x509.UnknownAuthorityError, return the error directly to the application rather than wrapping it in a b2err type. This avoids the retries.

Tested with restic and the command fails with error message "Fatal: create repository at b2:***** failed: b2.NewClient: x509: certificate signed by unknown authority".
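The retry behaviour described in the first comment and the fix described in the second, reduced to a runnable model. This is an added example, not blazer's code: the b2err type, the wrap functions and doWithRetry are hypothetical reconstructions, and tlsFailure constructs the error net/http would produce with an empty RootCAs pool (placeholder URL).

```go
package main

import (
	"crypto/x509"
	"errors"
	"fmt"
	"net/url"
)

// b2err stands in for the library's retryable wrapper (hypothetical, not blazer's real type).
type b2err struct{ err error }
func (e *b2err) Error() string { return "b2err: " + e.err.Error() }
func (e *b2err) Unwrap() error { return e.err }
// wrapAll is the pre-fix behaviour: every failure becomes a retryable b2err.
func wrapAll(err error) error { return &b2err{err} }
// wrapUnlessUnknownAuthority is the fix the issue describes: an x509.UnknownAuthorityError
// (net/http delivers it inside a *url.Error, which errors.As unwraps) is returned as-is.
func wrapUnlessUnknownAuthority(err error) error {
	var ua x509.UnknownAuthorityError
	if errors.As(err, &ua) {
		return err
	}
	return &b2err{err}
}
// retryable treats only b2err-wrapped failures as transient.
func retryable(err error) bool { var be *b2err; return errors.As(err, &be) }
// doWithRetry runs op until success, a non-retryable error, or maxAttempts is reached.
func doWithRetry(op func() error, wrap func(error) error, maxAttempts int) (int, error) {
	var err error
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		if err = op(); err == nil {
			return attempt, nil
		}
		if err = wrap(err); !retryable(err) {
			return attempt, err
		}
	}
	return maxAttempts, err
}
// tlsFailure is a constructed stand-in for net/http's error when RootCAs cannot validate the server cert (placeholder URL).
func tlsFailure() error {
	return &url.Error{Op: "Post", URL: "https://example.invalid/b2_authorize_account", Err: x509.UnknownAuthorityError{}}
}

func main() {
	n, err := doWithRetry(tlsFailure, wrapAll, 5)
	fmt.Println("before fix:", n, "attempts, still retryable:", retryable(err))
	n, err = doWithRetry(tlsFailure, wrapUnlessUnknownAuthority, 5)
	fmt.Println("after fix:", n, "attempt, returned:", err)
}
```

With the pre-fix wrapper the loop only stops because maxAttempts is bounded here; the library's unbounded retry is what produced the hang.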

garrmcnu added a commit to garrmcnu/blazer that referenced this issue Oct 30, 2021
If a request fails with "x509: certificate signed by unknown authority",
return the error to avoid retrying indefinitely.

Fixes kurin#75
@kurin kurin closed this as completed in #80 Oct 30, 2021