On May 22, 2018, at 5:05 AM, Hoggins! <fuckspam@wheres5.com> wrote:
I think I see the bug:
> -- non working system : Fedora 28, python2-libs-2.7.15-1.fc28.x86_64
>
> <snip>
> while True:
>     cptr = m2.x509_read_pem(bio._ptr())
>     if not cptr:
>         break
>     chain.append(X509.X509(cptr, _pyfree=1))
You're telling Python it owns the certificate object reference and should free it when no longer needed. Then add the certificate to the chain, but this call may not bump the certificate reference count.
> print chain
Here you print the chain. And the certificate itself goes out of scope and is freed, the chain no longer holds a valid reference.
If I put the "print chain" inside the while loop, I get the correct chain array (one pass with only one item, and second pass with two items, output is as expected).
*BUT*
> <snip>
> while True:
>     cptr = m2.x509_read_pem(bio._ptr())
>     if not cptr:
>         break
>     chain.append(X509.X509(cptr, _pyfree=1))
> print chain
> if not chain:
> <snip>
If the "print chain" is placed after the loop, *it does not print anything*, so the script will eventually complain about "chain" not being defined.
I think all the certificates are freed leaving no valid references in the chain.
In any case, you should fix your TLSA records to be correct first, and then fix the script... Perhaps "_pyfree = 0" would work better. If the script does not run forever, but is just a cron job, freeing memory just slows it down...
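For comparison, here is the same read-until-exhausted loop written against the PEM text directly with only the Python standard library, so that the list built inside the loop can be inspected after it. This is an added example, not the script from the thread nor M2Crypto's own API; the sample "chain" is constructed from arbitrary bytes wrapped in CERTIFICATE armor and is not a real certificate.

```python
import base64
import re

# Matches one PEM CERTIFICATE block; the group captures the base64 body.
_PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.S,
)


def pem_block(der_bytes):
    """Wrap DER bytes in PEM CERTIFICATE armor (helper used to build the sample)."""
    body = base64.encodebytes(der_bytes).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed sample input: two blocks whose payloads are arbitrary bytes,
# not real X.509 certificates. Text between blocks is ignored, as OpenSSL's
# PEM reader does.
SAMPLE_CHAIN_PEM = (
    pem_block(b"leaf-certificate-der-bytes")
    + "comment text between blocks is skipped\n"
    + pem_block(b"intermediate-certificate-der-bytes")
)


def read_pem_chain(pem_text):
    """Return the DER payload of every CERTIFICATE block, in file order.

    Same loop shape as the M2Crypto snippet: keep reading until the reader
    reports no further certificate, appending each one to the chain.
    """
    chain = []
    pos = 0
    while True:
        match = _PEM_CERT_RE.search(pem_text, pos)
        if not match:
            break  # no further block: the equivalent of x509_read_pem returning NULL
        b64_body = "".join(match.group(1).split())  # drop line breaks inside the body
        try:
            der = base64.b64decode(b64_body, validate=True)
        except ValueError:
            raise ValueError(
                "malformed base64 in certificate block %d" % (len(chain) + 1)
            )
        chain.append(der)
        pos = match.end()
    return chain


if __name__ == "__main__":
    parsed = read_pem_chain(SAMPLE_CHAIN_PEM)
    if not parsed:
        raise SystemExit("no certificates found")
    for index, der in enumerate(parsed):
        print("cert %d: %d DER bytes" % (index, len(der)))
```

Because the loop only ever appends plain byte strings, there is no separate ownership question: the chain list keeps each element alive for as long as the list exists, and the check `if not chain:` after the loop sees the same list the loop filled.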