[CDRIVER-2825] Connecting with an invalid cert path secure transport hangs
Created: 14/Sep/18 | Updated: 28/Oct/23 | Resolved: 22/Oct/18

| Field | Value |
| --- | --- |
| Status | Closed |
| Project | C Driver |
| Component/s | tls |
| Affects Version/s | None |
| Fix Version/s | 1.14.0 |
| Type | Bug |
| Priority | Major - P3 |
| Reporter | Kevin Albertson |
| Assignee | A. Jesse Jiryu Davis |
| Resolution | Fixed |
| Votes | 0 |
| Labels | None |
| Remaining Estimate | Not Specified |
| Time Spent | Not Specified |
| Original Estimate | Not Specified |

Description
Supplying the wrong path to a certificate for DarwinSSL seems to hang indefinitely on this line:

Instead, we should log an error if possible, like we do for OpenSSL.
Comments

Comment by Githook User [22/Oct/18]

Author: A. Jesse Jiryu Davis <jesse@mongodb.com> (ajdavis)
Message:
Comment by A. Jesse Jiryu Davis [22/Oct/18]

For now, the solution is to open the file stream before passing it to SecTransformCreateReadTransformWithReadStream. We're not using the suggested solution, checkResourceIsReachableAndReturnError, and we're not yet migrating from SecTransforms to "the modern SecKey APIs" since our existing code doesn't raise any deprecation warnings now.
Comment by A. Jesse Jiryu Davis [16/Oct/18]

Also from Apple:
Comment by A. Jesse Jiryu Davis [10/Oct/18]

From Apple:

```objectivec
NSError *error = nil; /* declaration added so the snippet compiles as-is */
BOOL success = [(__bridge NSURL *)url checkResourceIsReachableAndReturnError:&error];
NSLog(@"success: %d, error: %@", success, error);
```
Comment by A. Jesse Jiryu Davis [08/Oct/18]

I've submitted a support request to Apple. Here's the confirmation email:

A Technical Support Incident (TSI) will be debited from your developer account for this inquiry. Additional TSIs are available for purchase in the Code-Level Support section of your account.

DESCRIPTION OF PROBLEM

The complete code is here:

If the file does not exist (the filename parameter refers to a path that does not exist on the filesystem), then this code hangs at the SecTransformExecute call. Other errors, such as a corrupt PEM file, return an error promptly. Is there a way to receive an error quickly if the filename is wrong? Trying to open the CFReadStream first, in order to detect errors, appears to work, but I'm concerned it's unsupported:

The reason I'm concerned it's unsupported is that the SecTransformCreateReadTransformWithReadStream docs for the inputStream parameter say, "The stream that is to be opened and read from when the chain executes." So it's implied that the stream should not already be opened:

I request an officially supported technique to avoid a hang in SecTransformExecute when its inputs are wrong, including a bad filename. Thanks!
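An added, illustrative Objective-C/CoreFoundation example (not the C driver's code and not Apple's) showing the two checks discussed on this ticket: Apple's checkResourceIsReachableAndReturnError pre-check, and the approach the driver adopted, opening the CFReadStream before handing it to SecTransformCreateReadTransformWithReadStream so a bad path surfaces as an error instead of a hang in SecTransformExecute. The helper name read_pem_fail_fast and the sample path are assumptions; it needs macOS with the Foundation and Security frameworks (clang -fobjc-arc -framework Foundation -framework Security).

```objectivec
#import <Foundation/Foundation.h>
#import <Security/Security.h>

/* Assumed helper, not mongoc's code: read a PEM file through the same
 * SecTransform chain the driver uses, but open the CFReadStream first so a
 * bad path fails here instead of hanging inside SecTransformExecute. */
static CFDataRef
read_pem_fail_fast (const char *filename, CFErrorRef *error)
{
   CFURLRef url = CFURLCreateFromFileSystemRepresentation (
      kCFAllocatorDefault, (const UInt8 *) filename, strlen (filename), false);
   CFReadStreamRef stream = CFReadStreamCreateWithFile (kCFAllocatorDefault, url);
   CFRelease (url);
   if (!CFReadStreamOpen (stream) || CFReadStreamGetStatus (stream) == kCFStreamStatusError) {
      *error = CFReadStreamCopyError (stream); /* e.g. a POSIX ENOENT error */
      CFRelease (stream);
      return NULL;
   }
   /* The docs say the transform opens the stream itself; the ticket found an
    * already-open stream works, and the driver's fix relies on that. */
   SecTransformRef transform = SecTransformCreateReadTransformWithReadStream (stream);
   CFDataRef data = (CFDataRef) SecTransformExecute (transform, error);
   CFRelease (transform);
   CFReadStreamClose (stream);
   CFRelease (stream);
   return data; /* NULL with *error set for other failures, e.g. a corrupt file */
}
int
main (int argc, char **argv)
{
   @autoreleasepool {
      /* Constructed sample path that does not exist: both checks must fail fast. */
      const char *path = argc > 1 ? argv[1] : "/nonexistent/client.pem";
      /* Apple DTS's suggested pre-check, quoted on this ticket. */
      NSError *ns_error = nil;
      if (![[NSURL fileURLWithPath:@(path)] checkResourceIsReachableAndReturnError:&ns_error]) {
         NSLog (@"reachability check: %@", ns_error);
      }
      CFErrorRef cf_error = NULL;
      CFDataRef pem = read_pem_fail_fast (path, &cf_error);
      if (!pem) {
         NSLog (@"stream pre-open check: %@", cf_error);
         if (cf_error) CFRelease (cf_error);
         return 1;
      }
      NSLog (@"read %ld bytes", (long) CFDataGetLength (pem));
      CFRelease (pem);
      return 0;
   }
}
```

Run it with a real PEM path as the first argument to see the normal read succeed; with the constructed missing path both checks report the error promptly rather than blocking in SecTransformExecute.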