Subject: CAcert Code Development list.
List archive
- From: Wytze van der Raay <wytze AT cacert.org>
- To: Michael Tänzer <michael.taenzer AT cacert.org>
- Cc: CAcert Support <support AT cacert.org>, "critical-admin AT cacert.org" <critical-admin AT cacert.org>, cacert-devel AT lists.cacert.org
- Subject: Re: Error handling on invalid SPKAC requests
- Date: Wed, 31 Aug 2011 17:37:02 +0200
- Authentication-results: lists.cacert.org; dkim=pass (1024-bit key) header.i= AT cacert.org; dkim-asp=none
Hi Michael,
On 31-8-2011 17:09, Michael Tänzer wrote:
> ...
> There are a lot of expected error conditions reported back to the user,
> I also check the return value of openssl and try to give an error to the
> user in this case. SPKACs are handled a little bit differently in that
> regard so I guess I need to have a look at this again.
>
> The log entries with IDs were only introduced in places which indicate
> an error on our side / in our software (i.e. things that should never
> happen but, history taught us, occasionally do). I don't want to give
> all the details to the user in those cases, because it might indicate a
> vulnerability in our code. So I want the user to be able to report a
> problem and what caused it but I don't want to give an attacker the
> extra bit of information he needs to exploit us. That's why a generic
> error message is given to the user with a random ID and more information
> is logged along with that same ID to allow us to debug this code. And
> according to this case it seems to work. There is an error in our code
> that does not catch invalid SPKACs and tries to parse extra information
> out of it instead of aborting and giving an error message which does not
> make sense. Luckily enough this parsing fails and produces this error
> message. Now we developers have to fix the underlying problem.
>
> I have created a bug report for this issue:
> https://bugs.cacert.org/view.php?id=978
Excellent, thanks for the thorough motivation!
This problem has actually occurred a number of times before, but
apparently the user involved did not bother to complain about it.
FYI, here are the time stamps of all 23 occurrences (some of them
are close together, so probably the same user trying a couple of
times):
[23-Jun-2011 16:07:23]
[28-Jun-2011 20:28:25]
[05-Jul-2011 16:10:14]
[05-Jul-2011 16:13:56]
[07-Jul-2011 23:33:35]
[18-Jul-2011 17:29:46]
[18-Jul-2011 17:35:00]
[18-Jul-2011 17:35:54]
[18-Jul-2011 18:14:10]
[18-Jul-2011 19:51:11]
[18-Jul-2011 20:50:57]
[18-Jul-2011 21:07:08]
[21-Aug-2011 12:24:08]
[22-Aug-2011 18:50:19]
[22-Aug-2011 18:51:03]
[22-Aug-2011 18:51:16]
[22-Aug-2011 18:51:26]
[23-Aug-2011 14:28:26]
[23-Aug-2011 22:02:19]
[23-Aug-2011 22:02:31]
[30-Aug-2011 23:00:46]
[30-Aug-2011 23:05:07]
[30-Aug-2011 23:10:49]
Regards,
-- wytze
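
The error-handling split described in the quoted message, as an added example that is not part of the thread and not CAcert's code: expected input errors are explained to the user, while unexpected internal failures produce a generic message with a random ID and the details are logged under that same ID. The logger name, function names and the `issue` callback are hypothetical, and the SPKAC check is only a minimal structural test (base64 wrapping a DER SEQUENCE) assumed for illustration.

```python
import base64
import binascii
import logging
import secrets

log = logging.getLogger("cert_request")  # hypothetical logger name


class InvalidRequest(Exception):
    """Expected error: the user's input is bad, so the reason is safe to show."""


def check_spkac(spkac_b64):
    """Reject input that is not base64 wrapping a DER SEQUENCE, before any parsing."""
    try:
        der = base64.b64decode(spkac_b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise InvalidRequest("The submitted key (SPKAC) is not valid base64.") from exc
    if len(der) < 2 or der[0] != 0x30:  # 0x30 is the DER tag for SEQUENCE
        raise InvalidRequest("The submitted key (SPKAC) is not a valid structure.")
    return der


def handle_request(spkac_b64, issue):
    """Return (ok, message_for_user); `issue` stands in for the signing step."""
    try:
        der = check_spkac(spkac_b64)
        return True, issue(der)
    except InvalidRequest as exc:
        # Expected condition: tell the user what is wrong with the input.
        return False, str(exc)
    except Exception:
        # Should-never-happen condition: the user only sees a random ID,
        # the traceback goes to the log under the same ID.
        error_id = secrets.token_hex(8)
        log.exception("internal error id=%s", error_id)
        return False, f"Internal error. Please report it to support with ID {error_id}."
```
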