From 24397fbee8562005ea9d4b05944c0c0dd5ac0aa1 Mon Sep 17 00:00:00 2001
From: Michael Friedrich
Date: Mon, 17 Feb 2020 17:43:11 +0100
Subject: [PATCH] CA Proxy: Catch exceptions from VerifyCertificate()
---
 lib/remote/jsonrpcconnection-pki.cpp | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/lib/remote/jsonrpcconnection-pki.cpp b/lib/remote/jsonrpcconnection-pki.cpp
index dd5154e36..b8fda041a 100644
--- a/lib/remote/jsonrpcconnection-pki.cpp
+++ b/lib/remote/jsonrpcconnection-pki.cpp
@@ -53,7 +53,13 @@ Value RequestCertificateHandler(const MessageOrigin::Ptr& origin, const Dictiona
 String cn = GetCertificateCN(cert);
- bool signedByCA = VerifyCertificate(cacert, cert);
+ bool signedByCA;
+
+ try {
+ signedByCA = VerifyCertificate(cacert, cert);
+ } catch (const std::exception& ex) {
+
+ }
 Log(LogInformation, "JsonRpcConnection") << "Received certificate request for CN '" << cn << "'"
@@ -199,7 +205,7 @@ Value RequestCertificateHandler(const MessageOrigin::Ptr& origin, const Dictiona
 * this ensures that the CA we have in /var/lib/icinga2/ca matches the one
 * we're using for cluster connections (there's no point in sending a client
 * a certificate it wouldn't be able to use to connect to us anyway) */
- if (!VerifyCertificate(cacert, newcert)) {
+ if (!signedByCA) {
 Log(LogWarning, "JsonRpcConnection") << "The CA in '" << listener->GetDefaultCaPath() << "' does not match the CA which Icinga uses " << "for its own cluster connections. This is most likely a configuration problem.";
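Review bot: `if (!signedByCA)` in the second hunk no longer verifies the freshly signed `newcert` against the CA, which is what the removed line and the comment directly above it describe; `signedByCA` is computed in the first hunk from the certificate the client presented (`cert`), so a CA mismatch goes unreported whenever `cert` happens to verify, and presumably a first-time request whose `cert` is not yet signed by our CA now trips the "does not match" warning even though `newcert` would verify fine. The same variable is also left indeterminate when VerifyCertificate() throws, because the catch block in the first hunk is empty and `ex` is never used, so both the "Received certificate request" log line and this branch read an uninitialised bool. Initialise it, `bool signedByCA = false;`, report the failure in the catch, `Log(LogWarning, "JsonRpcConnection") << "Cannot verify certificate for CN '" << cn << "': " << ex.what();`, and keep the second check on `newcert`, `if (!VerifyCertificate(cacert, newcert)) {`, guarded by its own try/catch so a throwing verification is treated as a mismatch rather than propagating. RequestCertificateHandler begins and ends outside both hunks.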