Validation of certificate chains will fail before dcpomatic_setup()

is called, as OpenSSL has not yet been set up.

Make sure that these failures only raise a Bad() (which nobody is yet
listening to) rather than throwing an exception which gets caught
and reported as a failed-to-load config.

If none of the OpenSSL stuff is working chain_valid() will return false
but private_key_valid() will throw an exception (as it tries to get the
leaf certificate, causing a validity check).

diff --git a/src/lib/config.cc b/src/lib/config.cc
index ea2a579398b918531f57f3e674cac8fe0859e78d..74f916b21e49e52fa26ba224ccdb9b062e2f4059 100644 (file)
--- a/src/lib/config.cc
+++ b/src/lib/config.cc
@@ -487,11 +487,11 @@ try
                }
        }
 
-       if (!_signer_chain->private_key_valid() || !_signer_chain->chain_valid()) {
+       if (!_signer_chain->chain_valid() || !_signer_chain->private_key_valid()) {
                bad = BAD_SIGNER_INCONSISTENT;
        }
 
-       if (!_decryption_chain->private_key_valid() || !_decryption_chain->chain_valid()) {
+       if (!_decryption_chain->chain_valid() || !_decryption_chain->private_key_valid()) {
                bad = BAD_DECRYPTION_INCONSISTENT;
        }
 

diff --git a/src/tools/dcpomatic.cc b/src/tools/dcpomatic.cc
index 73e215c045d8406e7b8e077f154df5e4a8f6705c..508390a38986dce5161aaab445ddb925c26df55c 100644 (file)
--- a/src/tools/dcpomatic.cc
+++ b/src/tools/dcpomatic.cc
@@ -1506,6 +1506,10 @@ private:
                        */
                        Config::drop ();
 
+                       /* We only look out for bad configuration from here on, as before
+                          dcpomatic_setup() we haven't got OpenSSL ready so there will be
+                          incorrect certificate chain validity errors.
+                       */
                        Config::Bad.connect (boost::bind(&App::config_bad, this, _1));
 
                        _frame = new DOMFrame (_("DCP-o-matic"));