Skip to content

Log certificate errors in isCertValid (OpenSSL 4.0 only)#4064

Merged
madolson merged 1 commit into
valkey-io:unstablefrom
pkhartsk:log-cert-errs-openssl4
Jul 1, 2026
Merged

Log certificate errors in isCertValid (OpenSSL 4.0 only)#4064
madolson merged 1 commit into
valkey-io:unstablefrom
pkhartsk:log-cert-errs-openssl4

Conversation

@pkhartsk

@pkhartsk pkhartsk commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

If the cert is not yet valid or expired, no extra logs are output and there are no changes.

But if the cert's notBefore or notAfter fields are invalid, a warning is issued.

Changed also due to the previous logging code being unreachable.

Follow-up of #4016

@coderabbitai

coderabbitai Bot commented Jun 29, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

isCertValid() in the OpenSSL 4.0+ path now logs separate warnings for X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD and X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD when X509_check_certificate_times() fails. The function still returns false on these failures.

Changes

TLS Certificate Time Validation Logging

Layer / File(s) Summary
Distinct notBefore/notAfter error logging
src/tls.c
isCertValid() OpenSSL 4.0+ failure handling for X509_check_certificate_times() now emits distinct warnings for X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD and X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD, while preserving the existing false return.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

  • valkey-io/valkey#4016: Modifies the same isCertValid() OpenSSL 4.0+ path around X509_check_certificate_times() handling.

Suggested reviewers

  • zuiderkwast
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly matches the change: OpenSSL 4.0 certificate error logging in isCertValid.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description check ✅ Passed The description matches the change set by describing the OpenSSL 4.0 certificate validation logging updates and unreachable logging fix.

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (1)
src/tls.c (1)

472-477: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Consider else if to make mutual exclusivity explicit.

X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD and X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD are distinct values, so both branches cannot fire for the same error. Using else if better expresses this intent and avoids a subtle maintenance hazard if additional branches are added later.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/tls.c` around lines 472 - 477, The two certificate error checks in the
tls.c logic are mutually exclusive, so make the branching explicit by changing
the second condition after the first `serverLog` call to `else if` in the error
handling around the `X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD` and
`X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD` cases. Keep the same log messages,
but ensure the `error` variable is handled in a single exclusive chain so future
maintenance doesn’t accidentally allow both branches to be considered
independently.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/tls.c`:
- Around line 475-477: The notAfter error log in the tls.c branch is passing the
error value without consuming it in the format string. Update the serverLog call
in the notAfter handling path to include a %d placeholder so the error variable
is actually printed, matching the surrounding notBefore/error handling in the
same function.
- Around line 472-474: The serverLog call in the
X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD branch is passing error as a variadic
argument without a matching printf placeholder. Update the log message in the
tls.c certificate-validation path so the format string consumes error with %d or
%i, or remove the argument if it is not needed; use the serverLog/_serverLog
call site to locate it.

---

Nitpick comments:
In `@src/tls.c`:
- Around line 472-477: The two certificate error checks in the tls.c logic are
mutually exclusive, so make the branching explicit by changing the second
condition after the first `serverLog` call to `else if` in the error handling
around the `X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD` and
`X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD` cases. Keep the same log messages,
but ensure the `error` variable is handled in a single exclusive chain so future
maintenance doesn’t accidentally allow both branches to be considered
independently.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro Plus

Run ID: d4919da4-31ec-4a5f-88cb-b131fa15dd27

📥 Commits

Reviewing files that changed from the base of the PR and between 689906a and 7c3630f.

📒 Files selected for processing (1)
  • src/tls.c

Comment thread src/tls.c Outdated
Comment thread src/tls.c Outdated
@pkhartsk pkhartsk force-pushed the log-cert-errs-openssl4 branch from 7c3630f to ebbdf9a Compare June 29, 2026 08:43
@codecov

codecov Bot commented Jun 29, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 76.67%. Comparing base (689906a) to head (2f9f91f).
⚠️ Report is 9 commits behind head on unstable.

Additional details and impacted files
@@             Coverage Diff              @@
##           unstable    #4064      +/-   ##
============================================
- Coverage     76.73%   76.67%   -0.06%     
============================================
  Files           162      162              
  Lines         81029    81029              
============================================
- Hits          62175    62130      -45     
- Misses        18854    18899      +45     
Files with missing lines Coverage Δ
src/tls.c 17.64% <ø> (ø)

... and 22 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@zuiderkwast zuiderkwast left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, I misunderstood the return value of X509_check_certificate_times. This follow-up PR looks like what I expected. Reference: https://docs.openssl.org/master/man3/X509_check_certificate_times/#return-values

@sarthakaggarwal97 Sorry for merging the other PR to fast.

Comment thread src/tls.c Outdated
If the cert is not yet valid or expired, no extra logs are
output and there are no changes.

But if the cert's notBefore or notAfter fields are invalid,
a warning is issued.

Signed-off-by: Petr Khartskhaev <pkhartsk@redhat.com>
@pkhartsk pkhartsk force-pushed the log-cert-errs-openssl4 branch from ebbdf9a to 2f9f91f Compare June 29, 2026 10:28
@madolson madolson self-assigned this Jun 29, 2026

@sarthakaggarwal97 sarthakaggarwal97 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good.

@sarthakaggarwal97

Copy link
Copy Markdown
Contributor

@zuiderkwast I think we can merge this.

@sarthakaggarwal97 sarthakaggarwal97 moved this to To be backported in Valkey 9.0 Jun 29, 2026
@sarthakaggarwal97 sarthakaggarwal97 moved this to To be backported in Valkey 9.1 Jun 29, 2026
@zuiderkwast

Copy link
Copy Markdown
Contributor

@madolson I was going to merge this but I see you assigned yourself. Any concerns?

@zuiderkwast zuiderkwast added the to-be-merged Almost ready to merge label Jul 1, 2026
@madolson

madolson commented Jul 1, 2026

Copy link
Copy Markdown
Member

Oops, this was the pr I showed during the meeting for assigning. I thought I had removed myself.

@madolson madolson merged commit 64c73aa into valkey-io:unstable Jul 1, 2026
101 checks passed
@madolson madolson removed their assignment Jul 1, 2026
@zuiderkwast zuiderkwast removed the to-be-merged Almost ready to merge label Jul 1, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: To be backported
Status: To be backported

Development

Successfully merging this pull request may close these issues.

5 participants