author | Rob Austein <sra@hactrn.net> | 2006-10-19 06:08:41 +0000 |
---|---|---|
committer | Rob Austein <sra@hactrn.net> | 2006-10-19 06:08:41 +0000 |
commit | 1ebb24e24efd348c15fbe9219b94aaa666dc9a54 (patch) | |
tree | 13f5311b9cda4db99f7e8976c78214312910efa9 | |
parent | b74f8bcc872a66aef830cba25a50465dea50c4c9 (diff) |
Stale CRL handling.
svn path=/rcynic/README; revision=413
-rw-r--r-- | rcynic/README | 6 | ||||
-rw-r--r-- | rcynic/rcynic.c | 23 |
2 files changed, 27 insertions, 2 deletions
diff --git a/rcynic/README b/rcynic/README
index b1911893..31f842aa 100644
--- a/rcynic/README
+++ b/rcynic/README
@@ -223,6 +223,12 @@ summary Enable logging of a per-host summary at the
 Summary data is logged at log_summary level.
 Values: true or false. Default: false
+allow-stale-crl Allow use of CRLs which are past their
+ nextUpdate timestamp. This is probably
+ harmless, but since it may be an early warning
+ of problems, it's configurable.
+ Values: true or false. Default: false
+
 Running rcynic chrooted
diff --git a/rcynic/rcynic.c b/rcynic/rcynic.c
index fe1dfdb5..460724cb 100644
--- a/rcynic/rcynic.c
+++ b/rcynic/rcynic.c
@@ -106,7 +106,8 @@ static const struct {
 QQ(current_crl_rejected, "current CRLs rejected") \
 QQ(rsync_failed, "rsync transfers failed") \
 QQ(rsync_succeeded, "rsync transfers succeeded") \
- QQ(rsync_timed_out, "rsync transfers timed out")
+ QQ(rsync_timed_out, "rsync transfers timed out") \
+ QQ(stale_crl, "stale CRLs")
 #define QQ(x,y) x ,
 typedef enum mib_counter { MIB_COUNTERS MIB_COUNTER_T_MAX } mib_counter_t;
@@ -140,7 +141,7 @@ typedef struct rcynic_ctx {
 char *authenticated, *old_authenticated, *unauthenticated;
 char *jane, *rsync_program;
 STACK *rsync_cache, *host_counters;
- int indent, rsync_timeout, use_syslog, use_stdouterr;
+ int indent, rsync_timeout, use_syslog, use_stdouterr, allow_stale_crl;
 int priority[LOG_LEVEL_T_MAX];
 log_level_t log_level;
 X509_STORE *x509_store;
@@ -1083,6 +1084,20 @@ static int check_cert_cb(int ok, X509_STORE_CTX *ctx)
 * a failure for the calling function. Just leave these alone.
 */
 break;
+ case X509_V_ERR_CRL_HAS_EXPIRED:
+ /*
+ * This may not be an error at all. CRLs don't really "expire",
+ * although the signatures over them do. What OpenSSL really
+ * means by this error is just "it's now later than this source
+ * said it intended to publish a new CRL. Unclear whether this
+ * should be an error; current theory is that it should not be.
+ */
+ logmsg(rctx->rc, log_telemetry, "Stale CRL %s while checking %s",
+ rctx->subj->crldp, rctx->subj->uri);
+ mib_increment(rctx->rc, rctx->subj->uri, stale_crl);
+ if (rctx->rc->allow_stale_crl)
+ ok = 1;
+ break;
 default:
 if (!ok)
 logmsg(rctx->rc, log_data_err,
@@ -1495,6 +1510,10 @@ int main(int argc, char *argv[])
 !configure_boolean(&rc, &summary, val->value))
 goto done;
+ else if (!name_cmp(val->name, "allow-stale-crl") &&
+ !configure_boolean(&rc, &rc.allow_stale_crl, val->value))
+ goto done;
+
 /*
 * Ugly, but the easiest way to handle all these strings.
 */ |
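Review bot: A stale CRL that is rejected (allow_stale_crl unset) is logged only at log_telemetry in the new X509_V_ERR_CRL_HAS_EXPIRED case, whereas every other verification error that leaves ok == 0 goes through the default branch at log_data_err, so the reason for the resulting verification failure can be invisible at the default log level even though a CRL past nextUpdate may be missing revocations issued since. Choosing the level by the outcome keeps both paths visible: `logmsg(rctx->rc, rctx->rc->allow_stale_crl ? log_telemetry : log_data_err,` on the first logmsg line, with the format and arguments unchanged. The new block comment also opens a double quote at `"it's now later` and never closes it; `said it intended to publish a new CRL."` would fix it. In the main hunk rc.allow_stale_crl is assigned only when the option is present, so unless rc is zeroed before the option loop (not visible here) the field should be explicitly initialised to 0 to honour the documented default of false. Both check_cert_cb and main start and end outside these hunks.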