Gracefully handle existing website keys without matching certificates
authorFabian Keil <fk@fabiankeil.de>
Thu, 17 Dec 2020 03:57:04 +0000 (04:57 +0100)
committerFabian Keil <fk@fabiankeil.de>
Thu, 17 Dec 2020 14:14:43 +0000 (15:14 +0100)
commit734909ce59b2c906eeaf92489ecc686781374ece
tree8bd367f057208aab7dbb2500a422fa23f00c7568
parent5c80f4bb5ef69a76b7051dbb50c3404ef4501b01
Gracefully handle existing website keys without matching certificates

This can happen if Privoxy was previously running with an invalid
TLS configuration that didn't allow it to create a certificate.

The problem can be reproduced manually by removing or renaming a
certificate while keeping the key.

Previously this would result in a confusing client error messages:

    fk@t520 ~ $curl -v --head https://www.electrobsd.org/
    * Uses proxy env variable https_proxy == 'http://127.0.1.1:8118/'
    *   Trying 127.0.1.1:8118...
    * Connected to 127.0.1.1 (127.0.1.1) port 8118 (#0)
    * allocate connect buffer!
    * Establish HTTP proxy tunnel to www.electrobsd.org:443
    > CONNECT www.electrobsd.org:443 HTTP/1.1
    > Host: www.electrobsd.org:443
    > User-Agent: curl/7.72.0
    > Proxy-Connection: Keep-Alive
    >
    < HTTP/1.1 200 Connection established
    HTTP/1.1 200 Connection established
    <

    * Proxy replied 200 to CONNECT request
    * CONNECT phase completed!
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
    * successfully set certificate verify locations:
    *   CAfile: /usr/local/share/certs/ca-root-nss.crt
      CApath: none
    * TLSv1.2 (OUT), TLS header, Certificate Status (22):
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    * OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.electrobsd.org:443
    * Closing connection 0
    curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to www.electrobsd.org:443

While the Privoxy log would say something like:
04:53:53.932 099 Error: Subject key was already created
04:53:53.932 099 Error: Loading webpage certificate /usr/local/etc/privoxy/CA/certs/6db5da8a16c246d1bd8c0fa7cd160a5b.crt failed: error:02001002:system library:fopen:No such file or directory
04:53:53.932 099 Error: Loading webpage certificate /usr/local/etc/privoxy/CA/certs/6db5da8a16c246d1bd8c0fa7cd160a5b.crt failed: error:20074002:BIO routines:file_ctrl:system lib
04:53:53.933 099 Error: Loading webpage certificate /usr/local/etc/privoxy/CA/certs/6db5da8a16c246d1bd8c0fa7cd160a5b.crt failed: error:140AD002:SSL routines:SSL_CTX_use_certificate_file:system lib
04:53:53.933 099 Error: Failed to open a secure connection with the client

Instead of failing, just remove the key and continue.
openssl.c
ssl.c