On Sat, Nov 09, 2019 at 08:07:51AM -0500, Wietse Venema wrote: > What other examples of known-harmless content can people expect to > see? Should the list be configurable? If all these blobs embedded > between lines > > -----BEGIN TYPE OF OBJECT----- > > -----END TYPE OF OBJECT----- > > then it can be purely mechanical.
The OpenSSL PEM file parser already ignores content outside of BEGIN/END boundaries, so the minimal patch to silently ignore unexpected PEM data would be: --- src/tls/tls_certkey.c +++ src/tls/tls_certkey.c @@ -412,9 +412,6 @@ static int load_pem_object(pem_load_state_t *st) || ((pkey_type = EVP_PKEY_DSA) != NID_undef && strcmp(name, PEM_STRING_DSA) == 0)) { load_pkey(st, pkey_type, buf, buflen); - } else if (!st->mixed) { - msg_warn("error loading %s: unexpected PEM type: %s", st->source, name); - st->state = PEM_LOAD_STATE_NOGO; } OPENSSL_free(name); OPENSSL_free(header); On a mostly unrelated note, OpenSSL 3.0 (~Q4 2020) is changing the error API, so we'll eventually need: --- src/tls/tls_misc.c +++ src/tls/tls_misc.c @@ -1332,6 +1332,18 @@ void tls_print_errors(void) int line; int flags; +#if defined(OPENSSL_VERSION_PREREQ) && OPENSSL_VERSION_PREREQ(3,0) + const char *func; + + while ((err = ERR_get_error_all(&file, &line, &func, &data, &flags)) != 0) { + ERR_error_string_n(err, buffer, sizeof(buffer)); + if (flags & ERR_TXT_STRING) + msg_warn("TLS library problem: %s:%s:%s:%d:%s:", + buffer, file, func, line, data); + else + msg_warn("TLS library problem: %s:%s:%s:%d:", buffer, file, func, line); + } +#else while ((err = ERR_get_error_line_data(&file, &line, &data, &flags)) != 0) { ERR_error_string_n(err, buffer, sizeof(buffer)); if (flags & ERR_TXT_STRING) @@ -1340,6 +1352,7 @@ void tls_print_errors(void) else msg_warn("TLS library problem: %s:%s:%d:", buffer, file, line); } +#endif } /* tls_info_callback - callback for logging SSL events via Postfix */ -- Viktor.
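Review bot: in the tls_certkey.c hunk, dropping the `else if (!st->mixed)` branch removes the only diagnostic for a PEM block the loader does not recognise, so a mislabelled key (a typo in its BEGIN/END line) is now skipped without a word and the operator only learns of it later, when the key turns out to be missing. Consider keeping a message for the non-mixed case, for example `msg_info("%s: ignoring PEM object of type %s", st->source, name);`, rather than deleting it outright; and since the visible code now has no reader of `st->mixed`, check whether that field and whatever sets it have become dead.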
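Review bot: in the first tls_misc.c hunk (@@ -1332), the OpenSSL 3.0 arm changes the logged prefix from `file:line` to `file:func:line`, so any log matching on the old `%s:%s:%d` shape will differ on 3.0 builds only; placing `func` after the line number (`"TLS library problem: %s:%s:%d:%s:%s:"` with `buffer, file, line, func, data`) keeps the prefix stable across both arms. A one-line comment above the `#if` saying why ERR_get_error_all() is used there (ERR_get_error_line_data() is deprecated from 3.0) would also help the next reader of this conditional.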
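Review bot: in the second tls_misc.c hunk (@@ -1340), the added `#endif` correctly closes the `#if` opened in the earlier hunk and leaves the legacy loop's closing brace inside the `#else` arm, but because the two arms now span two hunks, a trailing comment such as `#endif /* OPENSSL_VERSION_PREREQ(3,0) */` would make the pairing obvious when reading the file rather than the diff.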
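The PEM-skipping behaviour the first patch relies on, as an added Python model that is not Postfix's or OpenSSL's code: `pem_blocks()` mimics PEM_read_bio()'s rule of ignoring lines outside the BEGIN/END markers, and `load_pem()` models the `load_pem_object()` loop before and after the patch; the sample file, the `EXPECTED` type set and the mistyped key label are constructed for the demonstration.

```python
import re
# Constructed sample, not from the post: OpenSSL-style text outside the
# markers, an unexpected "X509 CRL" block, and a key block whose label is
# mistyped, so the strict and the silent-skip loader below disagree on it.
SAMPLE_PEM = """\
subject=CN=mail.example.test
-----BEGIN CERTIFICATE-----
MIIBxDCCAW6gAwIBAgIU
-----END CERTIFICATE-----
-----BEGIN X509 CRL-----
MIIBYjCBzAIBAQ==
-----END X509 CRL-----
-----BEGIN RSA PRIVAT KEY-----
MIIEowIBAAKCAQEA
-----END RSA PRIVAT KEY-----
"""
BEGIN_RE = re.compile(r"^-----BEGIN (.+)-----$")
EXPECTED = {"CERTIFICATE", "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def pem_blocks(text):
    """Yield (type, base64 body) per BEGIN/END block. Lines outside the
    markers are ignored, as PEM_read_bio() does; a BEGIN without END fails."""
    name, body = None, []
    for line in text.splitlines():
        m = BEGIN_RE.match(line)
        if name is None:
            if m:
                name = m.group(1)
            continue                    # text outside the markers is skipped
        if line == "-----END %s-----" % name:
            yield name, "".join(body)
            name, body = None, []
        else:
            body.append(line)
    if name is not None:
        raise ValueError("no END line for " + name)


def load_pem(text, strict):
    """Model of the load_pem_object() loop: return (types loaded, warnings).
    strict=True is the pre-patch behaviour with st->mixed unset (warn, stop);
    strict=False is the patched behaviour: unexpected blocks vanish silently."""
    loaded, warnings = [], []
    for name, _body in pem_blocks(text):
        if name in EXPECTED:
            loaded.append(name)
        elif strict:
            warnings.append("unexpected PEM type: %s" % name)
            break
    return loaded, warnings
```

With the silent-skip loader the mistyped key is dropped with no diagnostic at all, which is the trade-off the one-hunk patch makes.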