tlsa binary fails with certificate error

Viktor Dukhovni ietf-dane at
Tue May 22 16:49:02 CEST 2018

> On May 22, 2018, at 10:39 AM, Hoggins! <fuckspam at> wrote:
> Hello Viktor,
> I have published the correct TLSA records (generated with my "old"
> system) this morning, they are fixed for now.

Yes, I see that too.  I've removed your domains from:

> Le 22/05/2018 à 16:11, Viktor Dukhovni a écrit :
>>> On May 22, 2018, at 5:05 AM, Hoggins! <fuckspam at> wrote:
>> I think I see the bug:
>>> -- non working system : Fedora 28, python2-libs-2.7.15-1.fc28.x86_64
>>>       <snip>
>>>       while True:
>>>               cptr = m2.x509_read_pem(bio._ptr())
>>>               if not cptr:
>>>                       break
>>>               chain.append(X509.X509(cptr, _pyfree=1))
>> You're telling Python it owns the certificate object reference
>> and should free it when no longer needed.  Then add the certificate
>> to the chain, but this call may not bump the certificate reference
>> count.
>>>               print chain
>> Here you print the chain.  And the certificate itself goes out of
>> scope and is freed, the chain no longer holds a valid reference.
> Actually when inside the loop, chain is not empty, it's only outside of
> it that it seems to be freed.

Yes, perhaps because the certificate object is still in scope.  What
happens if you load all the certificates into a list in the loop,
and build the chain from the list outside the loop, then the array
still references the certificates.

If we get too deep into Python, we'll be too far off topic, but for
now, we're still vaguely talking about certificate management...


More information about the dane-users mailing list