Hello Viktor, I have published the correct TLSA records (generated with my "old" system) this morning, they are fixed for now.

On 22/05/2018 at 16:11, Viktor Dukhovni wrote:
>
>> On May 22, 2018, at 5:05 AM, Hoggins! <[email protected]> wrote:
>>
> I think I see the bug:
>
>> -- non working system : Fedora 28, python2-libs-2.7.15-1.fc28.x86_64
>>
>> <snip>
>> while True:
>>     cptr = m2.x509_read_pem(bio._ptr())
>>     if not cptr:
>>         break
>>     chain.append(X509.X509(cptr, _pyfree=1))
> You're telling Python it owns the certificate object reference
> and should free it when no longer needed. Then add the certificate
> to the chain, but this call may not bump the certificate reference
> count.
>
>> print chain
> Here you print the chain. And the certificate itself goes out of
> scope and is freed, the chain no longer holds a valid reference.

Actually when inside the loop, chain is not empty, it's only outside of it that it seems to be freed.

>
>> If I put the "print chain" inside the while loop, I get the correct
>> chain array (one pass with only one item, and second pass with two
>> items, output is as expected).
>>
>> *BUT*
>>
>> <snip>
>> while True:
>>     cptr = m2.x509_read_pem(bio._ptr())
>>     if not cptr:
>>         break
>>     chain.append(X509.X509(cptr, _pyfree=1))
>> print chain
>> if not chain:
>> <snip>
>>
>> If the "print chain" is placed after the loop, *it does not print
>> anything*, so the script will eventually complain about "chain" not
>> being defined.
> I think all the certificates are freed leaving no valid
> references in the chain.
>
> In any case, you should fix your TLSA records to be correct first,
> and then fix the script... Perhaps "_pyfree = 0" would work better.
> If the script does not run forever, but is just a cron job, freeing
> memory just slows it down...

Changing _pyfree=1 to _pyfree=0 did not help, unfortunately.
