From 3764b633f977129f8ee3bca60db7c5d1bb969eec Mon Sep 17 00:00:00 2001
From: Neel Goyal
Date: Mon, 11 Dec 2017 18:48:49 -0800
Subject: [PATCH 1/1] Fix case where ssl cert does not match key

Summary:
In some cases, SSLContextManager seg faults if a cert and key do not match. This guards against that case when strictSSL = false, and throws a more useful error in the cases when SSL is required.

Reviewed By: xybu

Differential Revision: D6513964

fbshipit-source-id: 8e63a22b346fd3f2a30d558a3659ab6794c7a105
---
 folly/io/async/SSLContext.cpp | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/folly/io/async/SSLContext.cpp b/folly/io/async/SSLContext.cpp
index 7ce05f44..4a95a572 100644
--- a/folly/io/async/SSLContext.cpp
+++ b/folly/io/async/SSLContext.cpp
@@ -206,7 +206,7 @@ void SSLContext::loadCertificate(const char* path, const char* format) {
         "loadCertificateChain: either or is nullptr");
   }
   if (strcmp(format, "PEM") == 0) {
-    if (SSL_CTX_use_certificate_chain_file(ctx_, path) == 0) {
+    if (SSL_CTX_use_certificate_chain_file(ctx_, path) != 1) {
       int errnoCopy = errno;
       std::string reason("SSL_CTX_use_certificate_chain_file: ");
       reason.append(path);
@@ -292,6 +292,9 @@ void SSLContext::loadCertKeyPairFromBufferPEM(
     folly::StringPiece pkey) {
   loadCertificateFromBufferPEM(cert);
   loadPrivateKeyFromBufferPEM(pkey);
+  if (!isCertKeyPairValid()) {
+    throw std::runtime_error("SSL certificate and private key do not match");
+  }
 }
 
 void SSLContext::loadCertKeyPairFromFiles(
@@ -301,6 +304,9 @@ void SSLContext::loadCertKeyPairFromFiles(
     const char* keyFormat) {
   loadCertificate(certPath, certFormat);
   loadPrivateKey(keyPath, keyFormat);
+  if (!isCertKeyPairValid()) {
+    throw std::runtime_error("SSL certificate and private key do not match");
+  }
 }
 
 bool SSLContext::isCertKeyPairValid() const {
-- 
2.34.1
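Review bot: The mismatch error thrown in the loadCertKeyPairFromFiles hunk (and the identical one in loadCertKeyPairFromBufferPEM) does not say which certificate or key failed, whereas the loadCertificate path in the first hunk builds its reason string by appending the path; an operator debugging a deployment with several contexts gets no way to tell the pairs apart. In the file-based variant both names are in scope, so `throw std::runtime_error(std::string("SSL certificate and private key do not match: cert=") + certPath + " key=" + keyPath);` would match the existing style (loadCertificate appears to reject a null path before this point, so certPath is non-null here, but please confirm). The commit summary speaks of guarding when strictSSL = false, yet both new checks throw unconditionally, so presumably the strictSSL handling lives in the SSLContextManager caller rather than in this patch; a short comment such as `// Throws so that callers can decide, per their strictSSL policy, whether a mismatch is fatal.` would make that split explicit. Note also that after the throw the context still holds the already-loaded certificate and key, so a caller that catches and keeps the SSLContext should not treat it as usable. isCertKeyPairValid is only opened at the end of the last hunk; its body is outside this diff.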