[Privoxy-commits] [privoxy] 39/48: Gracefully handle existing website keys without matching certificates
User Git
git at git.privoxy.org
Thu Dec 17 14:18:15 UTC 2020
This is an automated email from the git hooks/post-receive script.
git pushed a commit to branch master
in repository privoxy.
commit 734909ce59b2c906eeaf92489ecc686781374ece
Author: Fabian Keil <fk at fabiankeil.de>
AuthorDate: Thu Dec 17 04:57:04 2020 +0100
Gracefully handle existing website keys without matching certificates
This can happen if Privoxy was previously running with an invalid
TLS configuration that didn't allow it to create a certificate.
The problem can be reproduced manually by removing or renaming a
certificate while keeping the key.
Previously this would result in a confusing client error messages:
fk at t520 ~ $curl -v --head https://www.electrobsd.org/
* Uses proxy env variable https_proxy == 'http://127.0.1.1:8118/'
* Trying 127.0.1.1:8118...
* Connected to 127.0.1.1 (127.0.1.1) port 8118 (#0)
* allocate connect buffer!
* Establish HTTP proxy tunnel to www.electrobsd.org:443
> CONNECT www.electrobsd.org:443 HTTP/1.1
> Host: www.electrobsd.org:443
> User-Agent: curl/7.72.0
> Proxy-Connection: Keep-Alive
>
< HTTP/1.1 200 Connection established
HTTP/1.1 200 Connection established
<
* Proxy replied 200 to CONNECT request
* CONNECT phase completed!
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /usr/local/share/certs/ca-root-nss.crt
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.electrobsd.org:443
* Closing connection 0
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.electrobsd.org:443
While the Privoxy log would say something like:
04:53:53.932 099 Error: Subject key was already created
04:53:53.932 099 Error: Loading webpage certificate /usr/local/etc/privoxy/CA/certs/6db5da8a16c246d1bd8c0fa7cd160a5b.crt failed: error:02001002:system library:fopen:No such file or directory
04:53:53.932 099 Error: Loading webpage certificate /usr/local/etc/privoxy/CA/certs/6db5da8a16c246d1bd8c0fa7cd160a5b.crt failed: error:20074002:BIO routines:file_ctrl:system lib
04:53:53.933 099 Error: Loading webpage certificate /usr/local/etc/privoxy/CA/certs/6db5da8a16c246d1bd8c0fa7cd160a5b.crt failed: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
04:53:53.933 099 Error: Failed to open a secure connection with the client
Instead of failing, just remove the key and continue.
---
openssl.c | 19 +++++++++++++++++++
ssl.c | 19 +++++++++++++++++++
2 files changed, 38 insertions(+)
diff --git a/openssl.c b/openssl.c
index 72d97d99..e1655d88 100644
--- a/openssl.c
+++ b/openssl.c
@@ -1793,6 +1793,25 @@ static int generate_webpage_certificate(struct client_state *csp)
}
}
+ if (file_exists(cert_opt.output_file) == 0 &&
+ file_exists(cert_opt.subject_key) == 1)
+ {
+ log_error(LOG_LEVEL_ERROR,
+ "A website key already exists but there's no matching certificate. "
+ "Removing %s before creating a new key and certificate.",
+ cert_opt.subject_key);
+ if (unlink(cert_opt.subject_key))
+ {
+ log_error(LOG_LEVEL_ERROR, "Failed to unlink %s: %E",
+ cert_opt.subject_key);
+
+ freez(cert_opt.output_file);
+ freez(cert_opt.subject_key);
+
+ return -1;
+ }
+ }
+
/*
* Create key for requested host
*/
diff --git a/ssl.c b/ssl.c
index 46b8fd4b..13203de9 100644
--- a/ssl.c
+++ b/ssl.c
@@ -1348,6 +1348,25 @@ static int generate_webpage_certificate(struct client_state *csp)
}
}
+ if (file_exists(cert_opt.output_file) == 0 &&
+ file_exists(cert_opt.subject_key) == 1)
+ {
+ log_error(LOG_LEVEL_ERROR,
+ "A website key already exists but there's no matching certificate. "
+ "Removing %s before creating a new key and certificate.",
+ cert_opt.subject_key);
+ if (unlink(cert_opt.subject_key))
+ {
+ log_error(LOG_LEVEL_ERROR, "Failed to unlink %s: %E",
+ cert_opt.subject_key);
+
+ freez(cert_opt.output_file);
+ freez(cert_opt.subject_key);
+
+ return -1;
+ }
+ }
+
/*
* Create key for requested host
*/
--
To stop receiving notification emails like this one, please contact
the administrator of this repository.
More information about the Privoxy-commits
mailing list