Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Check the configuration file by default #13310
Check the configuration file by default #13310
Changes from 3 commits
3a761b5547e2c0cefda18acefa36File filter
Filter by extension
Conversations
Jump to
There are no files selected for viewing
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should be commented out by default. The reason from #13303 applies:
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As mentioned in #13303, I'm not sure I agree with the DoS argument.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
First, let the tests succeed...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm thinking that there could be a DoS situation because of misconfiguration, and hiding the error certainly doesn't help anyone in that case
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could such a misconfiguration prevent access to fix it though? I think that was the line @vdukhovni was following.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm struggling to see the line of thought here. We are talking about adding this to the default config file, which is in a known good state. If anyone changes it so that things are misconfigured, then this will immediately break. The fix is easy and obvious...roll back the previous change. It has surely got to be better to inform the sys admin asap that we detected a config problem.
What we cannot do is start providing diagnostics for random config files that are already deployed. If we did that then things might break and the fix may not be obvious.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
An mostly cosmetic error in the configuration file can signficantly impair a running system, breaking SSH, SMTP, and other critical services. Since we've not previously enforced mandatory validity of the configuration file, this would be a substantial change in semantics, and would need to be very prominently advertised in any release that makes configuration file errors "fatal".
I am not convinced that the configuration file is "critical" and that not running is better than running after ignoring an error in the file. Applications can explicitly load the config file and opt-in to error reporting, and we could provide tools to check the configuration...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nor are we doing this now. Any existing config files would be unaffected. Anyone can remove the config_diagnostics line from the default config file if they wish it. Even with the line there, and in the event of config file errors, applications can continue anyway.
They're not fatal even now. They're just "on the stack" as opposed to "not on the stack". If an application doesn't check for errors on the stack it will have no impact.
In 1.1.1 I'd probably agree. It is increasingly becoming critical. I expect many more people to be making config file changes in 3.0 than in 1.1.1. The impacts of a config file error are more significant in 3.0 as well. For example it could lead you to believe that you are running FIPS validated crypto when you are not.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh apparently I'm wrong on this point. The "config_diagnostics" setting actually causes OPENSSL_init_crypto() to fail where OPENSSL_INIT_LOAD_CONFIG is passed as a flag.