From 47f19a2ce954a98772b8d08077e63a34c85896ba Mon Sep 17 00:00:00 2001 From: Michael Friedrich Date: Thu, 5 Jun 2014 15:03:56 +0200 Subject: [PATCH] Error messages: Catch all SSL/TLS exceptions in ApiListener. Refs #6070 --- lib/remote/apilistener.cpp | 57 ++++++++++++++++++++++++++++++++------ 1 file changed, 49 insertions(+), 8 deletions(-) diff --git a/lib/remote/apilistener.cpp b/lib/remote/apilistener.cpp index 274677799..1e6b364aa 100644 --- a/lib/remote/apilistener.cpp +++ b/lib/remote/apilistener.cpp @@ -42,14 +42,38 @@ REGISTER_STATSFUNCTION(ApiListenerStats, &ApiListener::StatsFunc); void ApiListener::OnConfigLoaded(void) { /* set up SSL context */ - shared_ptr cert = GetX509Certificate(GetCertPath()); - SetIdentity(GetCertificateCN(cert)); + shared_ptr cert = make_shared(); + try { + cert = GetX509Certificate(GetCertPath()); + } catch (std::exception&) { + Log(LogCritical, "ApiListener", "Cannot get certificate from cert path: '" + GetCertPath() + "'."); + return; + } + + try { + SetIdentity(GetCertificateCN(cert)); + } catch (std::exception&) { + Log(LogCritical, "ApiListener", "Cannot get certificate common name from cert path: '" + GetCertPath() + "'."); + return; + } + Log(LogInformation, "ApiListener", "My API identity: " + GetIdentity()); - m_SSLContext = MakeSSLContext(GetCertPath(), GetKeyPath(), GetCaPath()); + try { + m_SSLContext = MakeSSLContext(GetCertPath(), GetKeyPath(), GetCaPath()); + } catch (std::exception&) { + Log(LogCritical, "ApiListener", "Cannot make SSL context for cert path: '" + GetCertPath() + "' key path: '" + GetKeyPath() + "' ca path: '" + GetCaPath() + "'."); + return; + } - if (!GetCrlPath().IsEmpty()) - AddCRLToSSLContext(m_SSLContext, GetCrlPath()); + if (!GetCrlPath().IsEmpty()) { + try { + AddCRLToSSLContext(m_SSLContext, GetCrlPath()); + } catch (std::exception&) { + Log(LogCritical, "ApiListener", "Cannot add certificate revocation list to SSL context for crl path: '" + GetCrlPath() + "'."); + return; + } + } if (!Endpoint::GetByName(GetIdentity())) { Log(LogCritical, "ApiListener", "Endpoint object for '" + GetIdentity() + "' is missing."); @@ -215,13 +239,30 @@ void ApiListener::NewClientHandler(const Socket::Ptr& client, ConnectionRole rol { ObjectLock olock(this); - tlsStream = make_shared(client, role, m_SSLContext); + try { + tlsStream = make_shared(client, role, m_SSLContext); + } catch (std::exception&) { + Log(LogCritical, "ApiListener", "Cannot create tls stream from client connection."); + return; + } } - tlsStream->Handshake(); + try { + tlsStream->Handshake(); + } catch (std::exception) { + Log(LogCritical, "ApiListener", "Client TLS handshake failed."); + return; + } shared_ptr cert = tlsStream->GetPeerCertificate(); - String identity = GetCertificateCN(cert); + String identity; + + try { + identity = GetCertificateCN(cert); + } catch (std::exception&) { + Log(LogCritical, "ApiListener", "Cannot get certificate common name from cert path: '" + GetCertPath() + "'."); + return; + } Log(LogInformation, "ApiListener", "New client connection for identity '" + identity + "'");