Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

2.3.1 introduced an assertion exception #2061

Closed
ghost opened this issue Jun 25, 2015 · 3 comments
Closed

2.3.1 introduced an assertion exception #2061

ghost opened this issue Jun 25, 2015 · 3 comments
Labels
crypto Issues and PRs related to the crypto subsystem. tls Issues and PRs related to the tls subsystem.

Comments

@ghost
Copy link

ghost commented Jun 25, 2015

It appears 3beb880 introduced an assertion exception for certain certificates.

Running iojs -e "require('tls').connect(443, '143.116.116.84');" on 2.3.1 results in

iojs: ../src/node_crypto.cc:2283: node::crypto::CheckResult node::crypto::CheckWhitelistedServerCert(X509_STORE_CTX*): Assertion `(root_cert) != (nullptr)' failed.
Aborted

With 2.3.0 and earlier it executed just fine (ignoring that the certificate expired)

@brendanashworth brendanashworth added tls Issues and PRs related to the tls subsystem. crypto Issues and PRs related to the crypto subsystem. labels Jun 25, 2015
@brendanashworth
Copy link
Contributor

cc @shigeki

@shigeki
Copy link
Contributor

shigeki commented Jun 26, 2015

@neroux Thanks for reporting.
The issue was identified. I will fix it soon.

shigeki pushed a commit to shigeki/node that referenced this issue Jun 26, 2015
3beb880 has a bug in VerifyCallback
when preverify is 1 and the cert chain has an verify error. If the
error is UNABLE_TO_GET_ISSUER_CERT_LOCALLY, it leads an assertion
error in finding rootCA.
The whitelist check should be made only when the cert chain has no
verify error with X509_V_OK.

Fixes: nodejs#2061
shigeki pushed a commit that referenced this issue Jun 27, 2015
3beb880 has a bug in VerifyCallback
when preverify is 1 and the cert chain has an verify error. If the
error is UNABLE_TO_GET_ISSUER_CERT_LOCALLY, it leads an assertion
error in finding rootCA.
The whitelist check should be made only when the cert chain has no
verify error with X509_V_OK.

Fixes: #2061
PR-URL: #2064
Reviewed-By: Ben Noordhuis <[email protected]>
@shigeki
Copy link
Contributor

shigeki commented Jun 27, 2015

This was fixed in #2064.

@shigeki shigeki closed this as completed Jun 27, 2015
mscdex pushed a commit to mscdex/io.js that referenced this issue Jul 9, 2015
3beb880 has a bug in VerifyCallback
when preverify is 1 and the cert chain has an verify error. If the
error is UNABLE_TO_GET_ISSUER_CERT_LOCALLY, it leads an assertion
error in finding rootCA.
The whitelist check should be made only when the cert chain has no
verify error with X509_V_OK.

Fixes: nodejs#2061
PR-URL: nodejs#2064
Reviewed-By: Ben Noordhuis <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
crypto Issues and PRs related to the crypto subsystem. tls Issues and PRs related to the tls subsystem.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants