From 248fe9bd28d93a9e269093b4dfbec5d0ceb49ce1 Mon Sep 17 00:00:00 2001
From: Carl Hetherington
Date: Sat, 4 May 2019 01:03:43 +0100
Subject: [PATCH] Validation of certificate chains will fail before dcpomatic_setup() is called, as OpenSSL has not yet been set up. Make sure that these failures only raise a Bad() (which nobody is yet listening to) rather than throwing an exception which gets caught and reported as a failed-to-load config. If none of the OpenSSL stuff is working chain_valid() will return false but private_key_valid() will throw an exception (as it tries to get the leaf certificate, causing a validity check).
---
 src/lib/config.cc | 4 ++--
 src/tools/dcpomatic.cc | 4 ++++
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/src/lib/config.cc b/src/lib/config.cc
index ea2a57939..74f916b21 100644
--- a/src/lib/config.cc
+++ b/src/lib/config.cc
@@ -487,11 +487,11 @@ try
 }
 }
- if (!_signer_chain->private_key_valid() || !_signer_chain->chain_valid()) {
+ if (!_signer_chain->chain_valid() || !_signer_chain->private_key_valid()) {
 bad = BAD_SIGNER_INCONSISTENT;
 }
- if (!_decryption_chain->private_key_valid() || !_decryption_chain->chain_valid()) {
+ if (!_decryption_chain->chain_valid() || !_decryption_chain->private_key_valid()) {
 bad = BAD_DECRYPTION_INCONSISTENT;
 }
diff --git a/src/tools/dcpomatic.cc b/src/tools/dcpomatic.cc
index 73e215c04..508390a38 100644
--- a/src/tools/dcpomatic.cc
+++ b/src/tools/dcpomatic.cc
@@ -1506,6 +1506,10 @@ private:
 */
 Config::drop ();
+ /* We only look out for bad configuration from here on, as before
+ dcpomatic_setup() we haven't got OpenSSL ready so there will be
+ incorrect certificate chain validity errors.
+ */
 Config::Bad.connect (boost::bind(&App::config_bad, this, _1));
 _frame = new DOMFrame (_("DCP-o-matic"));
-- 
2.30.2
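Review bot: Both rewritten conditions in src/lib/config.cc now rely on `||` short-circuiting to keep private_key_valid() from running on a chain that fails validation, but nothing in the code says the operand order matters, so a later tidy-up could swap it back and reintroduce the exception. I would add a comment above the first `if`, for example `/* chain_valid() must be tested first: private_key_valid() fetches the leaf certificate and throws if the chain does not validate */`. private_key_valid() can presumably still throw when chain_valid() returns true, in which case the enclosing `try`, which starts and ends outside this hunk, would still report it as a failed config load. Also worth confirming is that the second assignment to `bad` overwriting the first is intended, since only the decryption-chain problem is reported when both chains are inconsistent.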
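Review bot: Any chain inconsistency raised through `Config::Bad` before this `connect` call in src/tools/dcpomatic.cc is silently dropped, and the new comment does not say what makes the check run again once OpenSSL is ready. It looks as though the `Config::drop ()` just above forces the configuration to be re-read, but that is not visible in this hunk and should be confirmed. If so, extend the comment with a line such as `Config::drop() above makes the config be re-read, so the chain checks are repeated with OpenSSL ready.` Otherwise a genuinely inconsistent signer or decryption chain would never reach `App::config_bad`. The enclosing function starts and ends outside the hunk.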