Bug #11489

Invalid certificate data can cause a PHP error

Added by Simon Brezovnik about 2 months ago. Updated 24 days ago.

Status: Resolved
Priority: Normal
Assignee:
Category: Certificates
Target version:
Start date: 02/21/2021
Due date:
% Done: 100%
Estimated time:
Affected Version: 2.5.0
Affected Architecture:
Release Notes: Default

Description

I get the following message on the main admin page.

pfSense has detected a crash report or programming bug. Click here for more information.

This error keeps coming back after I have cleared the crash report. I have attached the log.

PHP_errors.log (641 Bytes) - Simon Brezovnik, 02/20/2021 11:02 PM
Screenshot-20210223195035-1160x287.png (103 KB) - Simon Brezovnik, 02/23/2021 06:13 AM

Associated revisions

Revision 29804b9e (diff)
Added by Jim Pingle about 2 months ago

Improve handling of broken/invalid certs. Fixes #11489

Revision cb17faca (diff)
Added by Jim Pingle about 2 months ago

Improve handling of broken/invalid certs. Fixes #11489

(cherry picked from commit 29804b9e6ff07d0224d9396b063f88f486f0d231)

History

#1 Updated by Jim Pingle about 2 months ago

  • Subject changed from PHP crash to Invalid certificate date can lead to a PHP crash
  • Status changed from New to Feedback
  • Affected Version set to 2.5.0

One or more of your certificate entries has an invalid date field, or a date field that cannot be read. The code could handle this more gracefully, but I can't replicate it here.

[21-Feb-2021 03:01:00 Australia/Perth] PHP Fatal error:  Uncaught Exception: DateTime::__construct(): Failed to parse time string (@) at position 0 (@): Unexpected character in /etc/inc/certs.inc:712
Stack trace:
#0 /etc/inc/certs.inc(712): DateTime->__construct('@', Object(DateTimeZone))
#1 /etc/inc/certs.inc(730): cert_format_date(NULL, NULL, false)
#2 /etc/inc/certs.inc(1975): cert_get_dates('-----BEGIN CERT...', true, false)
#3 /etc/inc/certs.inc(2254): cert_get_lifetime(Array, true)
#4 /etc/inc/periodic.inc(31): cert_notify_expiring()
#5 /etc/rc.periodic(27): periodic_daily()
#6 {main}
  thrown in /etc/inc/certs.inc on line 712

If you can identify the certificate which is causing the problem, and don't mind sending it to us, that would go a long way toward replicating and fixing the problem.

#2 Updated by Simon Brezovnik about 2 months ago

I have identified the certificate causing the problem. How would you like me to send it to you? The crt was created in an older version of pfSense.

#3 Updated by Simon Brezovnik about 2 months ago

I get the following error in the GUI with no way to delete the offending cert, screenshot attached. Is reloading the config the best way to resolve this issue?

#4 Updated by Jim Pingle about 2 months ago

  • Assignee set to Jim Pingle
  • Target version set to CE-Next

You can send the certificate to jimp (a.t.) netgate (d|o|t) com

Once I can reproduce the problem and work up a patch for the error, you can apply it and then it should work normally.

#5 Updated by Jim Pingle about 2 months ago

OK, with the cert you sent I can reproduce the error. The problem is that the certificate data in that snippet is corrupted. About halfway through it becomes gibberish binary data and not PEM format cert data.

I pushed a patch to more gracefully handle the broken certificate in this case, which avoids the error.

I saw the same behavior on 2.4.5 with the config chunk you sent.

It wouldn't have been generated that way, so perhaps something went wrong along the way, like minor filesystem corruption.

#6 Updated by Jim Pingle about 2 months ago

You can use the system patches package to apply cb17faca3b07197db4b1eb1502a876873ddc222c and that should stop the error from breaking the cert page.

#7 Updated by Jim Pingle about 2 months ago

  • % Done changed from 0 to 100

#8 Updated by Simon Brezovnik about 2 months ago

I have applied the patch and the problem is fixed. I have deleted the offending cert. Thanks.

#9 Updated by Danilo Zrenjanin about 1 month ago

  • Status changed from Feedback to Resolved

#10 Updated by Jim Pingle about 1 month ago

  • Target version changed from CE-Next to 2.5.1

#11 Updated by Jim Pingle about 1 month ago

  • Status changed from Resolved to Feedback

Needs testing on snapshots.

To test, add an obviously broken/unparseable cert to the config:

        <cert>
                <refid>6035688b64c82</refid>
                <descr><![CDATA[Broken]]></descr>
                <crt>broken</crt>
                <prv></prv>
        </cert>

Before this fix, it will generate a PHP error and cause other problems (JS breaks, can't hit menus, no way to remove the cert, etc).

After this fix, the cert will display "unknown" and nothing else breaks. No PHP error, can delete the cert, etc.
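
The corruption described in note #5 (PEM text that turns into binary gibberish halfway through) and the test procedure in note #11 (a `<crt>` whose value is the literal `broken`) are both instances of the same defect: certificate data from the config was handed to a date formatter without first checking that it parsed. The following is an added example, not pfSense code, showing the shape of the graceful handling the fix describes. The function names `cert_get_dates` and `validity_from_pem` only mirror the names in the stack trace; the sample certificate is a constructed, unsigned, minimal DER structure that follows the X.509 `Certificate` layout far enough to reach the `validity` field, and the input is taken as PEM text directly (pfSense stores `<crt>` base64-wrapped in config.xml; that outer layer is not modelled here). The example goes beyond the ticket's two cases and also covers a PEM whose framing is intact but whose body is cut short.

```python
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def der(tag: int, value: bytes) -> bytes:
    """Encode one DER TLV (only used to build the constructed sample below)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def read_tlv(buf: bytes, pos: int):
    """Decode one DER TLV at buf[pos]; raise ValueError on any truncation or bad length."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:end], end


def expect(tag: int, want: int, what: str) -> None:
    if tag != want:
        raise ValueError(f"{what}: expected tag 0x{want:02x}, got 0x{tag:02x}")


def parse_time(tag: int, value: bytes) -> datetime:
    """RFC 5280 Time: UTCTime YYMMDDHHMMSSZ (YY >= 50 means 19YY) or GeneralizedTime."""
    s = value.decode("ascii")
    if tag == 0x17 and len(s) == 13 and s.endswith("Z"):
        yy = int(s[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        return datetime(year, int(s[2:4]), int(s[4:6]), int(s[6:8]),
                        int(s[8:10]), int(s[10:12]), tzinfo=timezone.utc)
    if tag == 0x18 and len(s) == 15 and s.endswith("Z"):
        return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    raise ValueError("unsupported Time encoding")


def validity_from_pem(pem: str):
    """Walk Certificate -> tbsCertificate -> validity; any malformed input raises ValueError."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate framing")
    der_bytes = base64.b64decode("".join(m.group(1).split()), validate=True)
    tag, cert, _ = read_tlv(der_bytes, 0)
    expect(tag, 0x30, "Certificate")
    tag, tbs, _ = read_tlv(cert, 0)
    expect(tag, 0x30, "tbsCertificate")
    tag, _, pos = read_tlv(tbs, 0)
    if tag == 0xA0:  # optional [0] EXPLICIT version comes before serialNumber
        tag, _, pos = read_tlv(tbs, pos)
    expect(tag, 0x02, "serialNumber")
    for what in ("signature", "issuer", "validity"):
        tag, field, pos = read_tlv(tbs, pos)
        expect(tag, 0x30, what)
    tag, nb, vpos = read_tlv(field, 0)      # field is now the validity SEQUENCE
    not_before = parse_time(tag, nb)
    tag, na, _ = read_tlv(field, vpos)
    return not_before, parse_time(tag, na)


def cert_get_dates(pem: str, fmt: str = "%Y-%m-%d %H:%M:%S") -> dict:
    """Instead of passing a NULL date into a formatter, report "unknown" for bad input."""
    try:
        not_before, not_after = validity_from_pem(pem)
    except (ValueError, IndexError) as exc:  # binascii.Error and UnicodeError are ValueErrors
        return {"valid_from": "unknown", "valid_to": "unknown", "error": str(exc)}
    return {"valid_from": not_before.strftime(fmt), "valid_to": not_after.strftime(fmt), "error": None}


# --- constructed sample input: a minimal unsigned DER, not a usable certificate ---
def build_sample_der(not_before: datetime, not_after: datetime) -> bytes:
    utc = lambda d: der(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    alg = lambda oid: der(0x30, der(0x06, bytes.fromhex(oid)) + der(0x05, b""))
    sha256_rsa, rsa = "2a864886f70d01010b", "2a864886f70d010101"
    name = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0c, b"Test CA"))))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg(sha256_rsa) + name
                    + der(0x30, utc(not_before) + utc(not_after)) + name
                    + der(0x30, alg(rsa) + der(0x03, b"\x00")))  # placeholder public key
    return der(0x30, tbs + alg(sha256_rsa) + der(0x03, b"\x00"))  # placeholder signature


def der_to_pem(d: bytes) -> str:
    b64 = base64.b64encode(d).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


GOOD_PEM = der_to_pem(build_sample_der(datetime(2021, 2, 21, tzinfo=timezone.utc),
                                       datetime(2031, 2, 21, tzinfo=timezone.utc)))


def clobber_like_report(pem: str) -> str:
    """Mimic the corruption from note #5: first half intact, the rest binary gibberish."""
    return pem[: len(pem) // 2] + bytes(range(0x80, 0xC0)).decode("latin-1")


def truncate_body(pem: str) -> str:
    """Intact PEM framing, but the base64 body is cut short so DER lengths overrun."""
    lines = pem.strip().splitlines()
    body = lines[1:-1]
    return "\n".join([lines[0]] + body[: len(body) // 2] + [lines[-1]]) + "\n"


if __name__ == "__main__":
    for label, sample in (("good", GOOD_PEM), ("literal 'broken'", "broken"),
                          ("binary tail", clobber_like_report(GOOD_PEM)),
                          ("truncated body", truncate_body(GOOD_PEM))):
        print(f"{label:18} -> {cert_get_dates(sample)}")
```

The point of the structure is that every parsing step raises on the first inconsistency (missing framing, non-base64 characters, a DER length that claims more bytes than exist, a wrong tag, an unparseable time), and only the outermost caller converts that into "unknown". Nothing downstream ever receives a half-parsed date, which is what let the original `cert_format_date(NULL, ...)` call reach `DateTime::__construct()` with an empty `@` string.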

#12 Updated by Jim Pingle about 1 month ago

  • Subject changed from Invalid certificate date can lead to a PHP crash to Invalid certificate data can cause a PHP error

Updating subject for release notes.

#13 Updated by Max Leighton 24 days ago

  • Status changed from Feedback to Resolved

Tested on

2.5.1-RC (amd64)
built on Thu Mar 18 03:04:03 EDT 2021
FreeBSD 12.2-STABLE

It works. The broken cert is now able to be deleted, navigation menus work, no PHP errors, etc. Marking the ticket back to resolved.
