tlsa binary fails with certificate error

Viktor Dukhovni ietf-dane at dukhovni.org
Tue May 22 16:11:15 CEST 2018



> On May 22, 2018, at 5:05 AM, Hoggins! <fuckspam at wheres5.com> wrote:
> 

I think I see the bug:

> -- non working system : Fedora 28, python2-libs-2.7.15-1.fc28.x86_64
> 
>        <snip>
>        while True:
>                cptr = m2.x509_read_pem(bio._ptr())
>                if not cptr:
>                        break
>                chain.append(X509.X509(cptr, _pyfree=1))

You're telling Python it owns the certificate object reference
and should free it when no longer needed.  Then you add the certificate
to the chain, but this call may not bump the certificate reference
count.

>                print chain

Here you print the chain.  And the certificate itself goes out of
scope and is freed; the chain no longer holds a valid reference.

> If I put the "print chain" inside the while loop, I get the correct
> chain array (one pass with only one item, and second pass with two
> items, output is as expected).
> 
> *BUT*
> 
>        <snip>
>        while True:
>                cptr = m2.x509_read_pem(bio._ptr())
>                if not cptr:
>                        break
>                chain.append(X509.X509(cptr, _pyfree=1))
>        print chain
>        if not chain:
>        <snip>
> 
> If the "print chain" is placed after the loop, *it does not print
> anything*, so the script will eventually complain about "chain" not
> being defined.

I think all the certificates are freed leaving no valid
references in the chain.

In any case, you should fix your TLSA records to be correct first,
and then fix the script...  Perhaps "_pyfree = 0" would work better.
If the script does not run forever, but is just a cron job, freeing
memory just slows it down...

-- 
	Viktor.



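For comparison with the quoted loop, here is a standard-library-only way to do the same job. This is an added example, not code from the original post or from M2Crypto; the helper names, the sample bundle (whose bodies are base64 of the strings "abc" and "hello", not real certificates) and the record name in the demo are constructed. Because `ssl.PEM_cert_to_DER_cert()` just base64-decodes the PEM body into an ordinary `bytes` object, there is no OpenSSL pointer whose ownership has to be declared, so the `_pyfree` question never arises and printing the chain after the loop works. The `tlsa_matches()` check is the "fix your TLSA records first" step: it compares a published record against the certificate it is supposed to cover. Only selector 0 (full certificate) is implemented, since selector 1 would need an ASN.1 parser.

```python
"""Hypothetical stdlib-only replacement for the quoted M2Crypto chain loop.

Nothing here is M2Crypto code or the original poster's script: helper names,
the sample bundle and the demo record name are constructed for this example.
"""
import hashlib
import re
import ssl

# One PEM certificate block, markers included; anything outside the markers
# (comments, "subject=" lines, blank lines) is skipped.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL
)

# Constructed sample bundle: the bodies are base64 of "abc" and "hello",
# not real certificates, so the digests are easy to check by hand.
SAMPLE_BUNDLE = """\
# leading comment line, ignored
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
subject=/CN=intermediate (text between blocks is ignored too)
-----BEGIN CERTIFICATE-----
aGVsbG8=
-----END CERTIFICATE-----
"""


def read_chain(pem_text):
    """Return the DER bytes of every certificate in a PEM bundle, in file order.

    ssl.PEM_cert_to_DER_cert() only strips the markers and base64-decodes the
    body, so each element is an ordinary bytes object owned by Python. There is
    no OpenSSL pointer whose ownership (_pyfree) has to be decided, which is the
    trap the quoted m2.x509_read_pem() loop fell into.
    """
    return [ssl.PEM_cert_to_DER_cert(block) for block in _PEM_BLOCK.findall(pem_text)]


# RFC 6698 matching types, applied to selector 0 (the full certificate).
_MATCHING = {
    0: lambda der: der,                          # exact match: full DER, hex-encoded
    1: lambda der: hashlib.sha256(der).digest(),  # SHA-256 of the DER
    2: lambda der: hashlib.sha512(der).digest(),  # SHA-512 of the DER
}


def tlsa_rdata(der_cert, usage=3, selector=0, matching=1):
    """Presentation-format TLSA RDATA ("3 0 1 <hex>") for one DER certificate.

    Only selector 0 is supported: selector 1 (SubjectPublicKeyInfo) would need
    an ASN.1 parser, which the standard library does not provide.
    """
    if usage not in (0, 1, 2, 3):
        raise ValueError("unknown certificate usage %r" % (usage,))
    if selector != 0:
        raise ValueError("only selector 0 (full certificate) is supported here")
    if matching not in _MATCHING:
        raise ValueError("unknown matching type %r" % (matching,))
    return "%d %d %d %s" % (usage, selector, matching, _MATCHING[matching](der_cert).hex())


def tlsa_matches(der_cert, rdata):
    """True if a published TLSA RDATA string matches the given DER certificate.

    Hex case is ignored; malformed records, unsupported selectors and unknown
    matching types simply do not match instead of raising.
    """
    fields = rdata.split()
    if len(fields) != 4:
        return False
    try:
        usage, selector, matching = (int(f) for f in fields[:3])
        expected = tlsa_rdata(der_cert, usage, selector, matching)
    except ValueError:
        return False
    return expected.split()[3] == fields[3].lower()


if __name__ == "__main__":
    chain = read_chain(SAMPLE_BUNDLE)
    print(chain)  # printing after the loop is fine here: the list owns its bytes
    for der in chain:
        # Hypothetical owner name; a real deployment uses its own port/host.
        print("_25._tcp.mail.example.com. IN TLSA", tlsa_rdata(der))
```

Run the module directly to see the parsed chain and a "3 0 1" record per certificate; feed `tlsa_matches()` the DER of the certificate actually served and the RDATA you published to confirm they agree before debugging the script any further.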