tlsa binary fails with certificate error
Hoggins!
fuckspam at wheres5.com
Tue May 22 16:39:16 CEST 2018
Hello Viktor,
I have published the correct TLSA records (generated with my "old"
system) this morning, they are fixed for now.
On 22/05/2018 at 16:11, Viktor Dukhovni wrote:
>
>> On May 22, 2018, at 5:05 AM, Hoggins! <fuckspam at wheres5.com> wrote:
>>
> I think I see the bug:
>
>> -- non working system : Fedora 28, python2-libs-2.7.15-1.fc28.x86_64
>>
>> <snip>
>> while True:
>>     cptr = m2.x509_read_pem(bio._ptr())
>>     if not cptr:
>>         break
>>     chain.append(X509.X509(cptr, _pyfree=1))
> You're telling Python it owns the certificate object reference
> and should free it when no longer needed. Then add the certificate
> to the chain, but this call may not bump the certificate reference
> count.
>
>>     print chain
> Here you print the chain. And the certificate itself goes out of
> scope and is freed, the chain no longer holds a valid reference.
Actually when inside the loop, chain is not empty, it's only outside of
it that it seems to be freed.
>
>> If I put the "print chain" inside the while loop, I get the correct
>> chain array (one pass with only one item, and second pass with two
>> items, output is as expected).
>>
>> *BUT*
>>
>> <snip>
>> while True:
>>     cptr = m2.x509_read_pem(bio._ptr())
>>     if not cptr:
>>         break
>>     chain.append(X509.X509(cptr, _pyfree=1))
>> print chain
>> if not chain:
>> <snip>
>>
>> If the "print chain" is placed after the loop, *it does not print
>> anything*, so the script will eventually complain about "chain" not
>> being defined.
> I think all the certificates are freed leaving no valid
> references in the chain.
>
> In any case, you should fix your TLSA records to be correct first,
> and then fix the script... Perhaps "_pyfree = 0" would work better.
> If the script does not run forever, but is just a cron job, freeing
> memory just slows it down...
Changing _pyfree=1 to _pyfree=0 did not help, unfortunately.
>