tyler.durden
/
icinga2
mirror of https://github.com/Icinga/icinga2.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Error messages: Catch all SSL/TLS exceptions in ApiListener. 

Refs #6070
This commit is contained in:
Michael Friedrich 2014-06-05 15:03:56 +02:00
parent bd916723f4
commit 47f19a2ce9
1 changed files with 49 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

57
lib/remote/apilistener.cpp
View File

@ -42,14 +42,38 @@ REGISTER_STATSFUNCTION(ApiListenerStats, &ApiListener::StatsFunc);
void ApiListener::OnConfigLoaded(void) void ApiListener::OnConfigLoaded(void)
{ {
/* set up SSL context */ /* set up SSL context */
shared_ptr<X509> cert = GetX509Certificate(GetCertPath()); shared_ptr<X509> cert = make_shared<X509>();
SetIdentity(GetCertificateCN(cert)); try {
cert = GetX509Certificate(GetCertPath());
} catch (std::exception&) {
Log(LogCritical, "ApiListener", "Cannot get certificate from cert path: '" + GetCertPath() + "'.");
return;
}
try {
SetIdentity(GetCertificateCN(cert));
} catch (std::exception&) {
Log(LogCritical, "ApiListener", "Cannot get certificate common name from cert path: '" + GetCertPath() + "'.");
return;
}
Log(LogInformation, "ApiListener", "My API identity: " + GetIdentity()); Log(LogInformation, "ApiListener", "My API identity: " + GetIdentity());
m_SSLContext = MakeSSLContext(GetCertPath(), GetKeyPath(), GetCaPath()); try {
m_SSLContext = MakeSSLContext(GetCertPath(), GetKeyPath(), GetCaPath());
} catch (std::exception&) {
Log(LogCritical, "ApiListener", "Cannot make SSL context for cert path: '" + GetCertPath() + "' key path: '" + GetKeyPath() + "' ca path: '" + GetCaPath() + "'.");
return;
}
if (!GetCrlPath().IsEmpty()) if (!GetCrlPath().IsEmpty()) {
AddCRLToSSLContext(m_SSLContext, GetCrlPath()); try {
AddCRLToSSLContext(m_SSLContext, GetCrlPath());
} catch (std::exception&) {
Log(LogCritical, "ApiListener", "Cannot add certificate revocation list to SSL context for crl path: '" + GetCrlPath() + "'.");
return;
}
}
if (!Endpoint::GetByName(GetIdentity())) { if (!Endpoint::GetByName(GetIdentity())) {
Log(LogCritical, "ApiListener", "Endpoint object for '" + GetIdentity() + "' is missing."); Log(LogCritical, "ApiListener", "Endpoint object for '" + GetIdentity() + "' is missing.");
@ -215,13 +239,30 @@ void ApiListener::NewClientHandler(const Socket::Ptr& client, ConnectionRole rol
{ {
ObjectLock olock(this); ObjectLock olock(this);
tlsStream = make_shared<TlsStream>(client, role, m_SSLContext); try {
tlsStream = make_shared<TlsStream>(client, role, m_SSLContext);
} catch (std::exception&) {
Log(LogCritical, "ApiListener", "Cannot create tls stream from client connection.");
return;
}
} }
tlsStream->Handshake(); try {
tlsStream->Handshake();
} catch (std::exception) {
Log(LogCritical, "ApiListener", "Client TLS handshake failed.");
return;
}
shared_ptr<X509> cert = tlsStream->GetPeerCertificate(); shared_ptr<X509> cert = tlsStream->GetPeerCertificate();
String identity = GetCertificateCN(cert); String identity;
try {
identity = GetCertificateCN(cert);
} catch (std::exception&) {
Log(LogCritical, "ApiListener", "Cannot get certificate common name from cert path: '" + GetCertPath() + "'.");
return;
}
Log(LogInformation, "ApiListener", "New client connection for identity '" + identity + "'"); Log(LogInformation, "ApiListener", "New client connection for identity '" + identity + "'");