#68 从目录中加载额外的证书和crl。

2018-11-02 20:38:06 +08:00
parent d0ea605a5b
commit 668c1b3e52
10 changed files with 450 additions and 994 deletions
--- a/common/include/tfe_utils.h
+++ b/common/include/tfe_utils.h
@@ -6,6 +6,7 @@
 #pragma once
 #include <MESA/MESA_handle_logger.h>
 #include <time.h>
+#include <dirent.h> //scan_dir

 #define TFE_STRING_MAX			2048
 #define	TFE_PATH_MAX			256
@@ -156,5 +157,8 @@ static inline unsigned char* tfe_hexdump(unsigned char *dst, unsigned char *src,

    return dst;
 }
+int tfe_scandir(const char *dir, struct dirent ***namelist,
+              int(*filter)(const struct dirent *),
+              int(*compar)(const void *, const void *));

 const char * tfe_version();
--- a/common/src/tfe_utils.cpp
+++ b/common/src/tfe_utils.cpp
@@ -73,4 +73,59 @@ char *tfe_thread_safe_ctime(const time_t *tp, char *buf, int len)
             month_str[month], day + 1, hour, min, sec, year);
    return buf;
 }
+//replacement of glibc scandir, to adapt dictator malloc wrap
+int tfe_scandir(const char *dir, struct dirent ***namelist,
+              int(*filter)(const struct dirent *),
+              int(*compar)(const void *, const void *))
+{
+	DIR * od;
+	int n = 0;
+	int ENLARGE_STEP=1024;
+	int DIR_ENT_SIZE=ENLARGE_STEP;
+	struct dirent ** list = NULL;
+	struct dirent * p;
+	struct dirent entry,*result;
+
+	if((dir == NULL) || (namelist == NULL))
+		return -1;
+
+	od = opendir(dir);
+	if(od == NULL)
+		return -1;
+    
+	list = (struct dirent **)malloc(DIR_ENT_SIZE*sizeof(struct dirent *));
+  
+  
+	while(0==readdir_r(od,&entry,&result))
+	{
+		if(result==NULL)
+		{
+			break;
+		}
+		if( filter && !filter(&entry))
+			continue;
+		
+		p = (struct dirent *)malloc(sizeof(struct dirent));
+		memcpy((void *)p,(void *)(&entry),sizeof(struct dirent));
+		list[n] = p;
+
+		n++;
+		if(n >= DIR_ENT_SIZE)
+		{
+			DIR_ENT_SIZE+=ENLARGE_STEP;
+			list=(struct dirent **)realloc((void*)list,DIR_ENT_SIZE*sizeof(struct dirent *));
+
+		}
+	} 
+
+	closedir(od); 
+
+	*namelist = list;
+
+	if(compar)
+	qsort((void *)*namelist,n,sizeof(struct dirent *),compar); 
+
+	return n; 
+   
+}

--- a/conf/tfe/tfe.conf
+++ b/conf/tfe/tfe.conf
@@ -4,9 +4,14 @@ uxdomain=/home/server_unixsocket_file
 ssl_max_version=tls12
 no_session_ticket=0
 log_master_key=1
+trusted_cert_file=./conf/tls-ca-bundle.pem
+trusted_cert_dir=./conf/trusted_storage
 key_log_file=./sslkeylog.log
+no_alpn=1

 [key_keeper]
+#Mode: debug - generate cert with ca_path, normal - generate cert with cert store
+#mode = normal
 mode = debug
 cert_store_host=192.168.11.100
 cert_store_port=9991
@@ -17,8 +22,9 @@ untrusted_ca_path=conf/mesalab-ca-untrust.pem
 passthrough_all_tcp=0

 [tcp]
-so_keepalive=1
+so_keepalive=0
 tcp_keepcnt=8
 tcp_keepintvl=15
 tcp_keepidle=30
 tcp_user_timeout=30
+
--- a/conf/tfe/tls-ca-bundle.pem
+++ b/conf/tfe/tls-ca-bundle.pem
--- a/conf/tfe/trusted_storage/DigiCertSHA2SecureServerCA.pem
+++ b/conf/tfe/trusted_storage/DigiCertSHA2SecureServerCA.pem
@@ -0,0 +1,27 @@
+-----BEGIN CERTIFICATE-----
+MIIElDCCA3ygAwIBAgIQAf2j627KdciIQ4tyS8+8kTANBgkqhkiG9w0BAQsFADBh
+MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
+d3cuZGlnaWNlcnQuY29tMSAwHgYDVQQDExdEaWdpQ2VydCBHbG9iYWwgUm9vdCBD
+QTAeFw0xMzAzMDgxMjAwMDBaFw0yMzAzMDgxMjAwMDBaME0xCzAJBgNVBAYTAlVT
+MRUwEwYDVQQKEwxEaWdpQ2VydCBJbmMxJzAlBgNVBAMTHkRpZ2lDZXJ0IFNIQTIg
+U2VjdXJlIFNlcnZlciBDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
+ANyuWJBNwcQwFZA1W248ghX1LFy949v/cUP6ZCWA1O4Yok3wZtAKc24RmDYXZK83
+nf36QYSvx6+M/hpzTc8zl5CilodTgyu5pnVILR1WN3vaMTIa16yrBvSqXUu3R0bd
+KpPDkC55gIDvEwRqFDu1m5K+wgdlTvza/P96rtxcflUxDOg5B6TXvi/TC2rSsd9f
+/ld0Uzs1gN2ujkSYs58O09rg1/RrKatEp0tYhG2SS4HD2nOLEpdIkARFdRrdNzGX
+kujNVA075ME/OV4uuPNcfhCOhkEAjUVmR7ChZc6gqikJTvOX6+guqw9ypzAO+sf0
+/RR3w6RbKFfCs/mC/bdFWJsCAwEAAaOCAVowggFWMBIGA1UdEwEB/wQIMAYBAf8C
+AQAwDgYDVR0PAQH/BAQDAgGGMDQGCCsGAQUFBwEBBCgwJjAkBggrBgEFBQcwAYYY
+aHR0cDovL29jc3AuZGlnaWNlcnQuY29tMHsGA1UdHwR0MHIwN6A1oDOGMWh0dHA6
+Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RDQS5jcmwwN6A1
+oDOGMWh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEdsb2JhbFJvb3RD
+QS5jcmwwPQYDVR0gBDYwNDAyBgRVHSAAMCowKAYIKwYBBQUHAgEWHGh0dHBzOi8v
+d3d3LmRpZ2ljZXJ0LmNvbS9DUFMwHQYDVR0OBBYEFA+AYRyCMWHVLyjnjUY4tCzh
+xtniMB8GA1UdIwQYMBaAFAPeUDVW0Uy7ZvCj4hsbw5eyPdFVMA0GCSqGSIb3DQEB
+CwUAA4IBAQAjPt9L0jFCpbZ+QlwaRMxp0Wi0XUvgBCFsS+JtzLHgl4+mUwnNqipl
+5TlPHoOlblyYoiQm5vuh7ZPHLgLGTUq/sELfeNqzqPlt/yGFUzZgTHbO7Djc1lGA
+8MXW5dRNJ2Srm8c+cftIl7gzbckTB+6WohsYFfZcTEDts8Ls/3HB40f/1LkAtDdC
+2iDJ6m6K7hQGrn2iWZiIqBtvLfTyyRRfJs8sjX7tN8Cp1Tm5gr8ZDOo0rwAhaPit
+c+LJMto4JQtV05od8GiG7S5BNO98pVAdvzr508EIDObtHopYJeS4d60tbvVS3bR0
+j6tJLp07kzQoH3jOlOrHvdPJbRzeXDLz
+-----END CERTIFICATE-----
--- a/conf/tfe/trusted_storage/ssca-sha2-g5.crl
+++ b/conf/tfe/trusted_storage/ssca-sha2-g5.crl
--- a/platform/include/internal/ssl_trusted_cert_storage.h
+++ b/platform/include/internal/ssl_trusted_cert_storage.h
@@ -8,7 +8,7 @@ enum ssl_X509_obj_type
 };

 struct ssl_trusted_cert_storage;
-struct ssl_trusted_cert_storage* ssl_trusted_cert_storage_create(const char* pem_bundle);
+struct ssl_trusted_cert_storage* ssl_trusted_cert_storage_create(const char* pem_bundle, const char* pem_dir);
 void ssl_trusted_cert_storage_destroy(struct ssl_trusted_cert_storage* storage);

 int ssl_trusted_cert_storage_verify_conn(struct ssl_trusted_cert_storage* storage, const SSL * ssl, char* reason, size_t n_reason);
--- a/platform/src/ssl_stream.cpp
+++ b/platform/src/ssl_stream.cpp
@@ -132,7 +132,9 @@ struct ssl_mgr
 	char * crl_url;

 	uint8_t ssl_mode_release_buffers;
-	char trust_CA_file[TFE_PATH_MAX];
+	char trusted_cert_file[TFE_PATH_MAX];
+	char trusted_cert_dir[TFE_PATH_MAX];
+
 	char crl_file[TFE_PATH_MAX];

 	struct ssl_trusted_cert_storage * trust_CA_store;
@@ -565,20 +567,17 @@ struct ssl_mgr * ssl_manager_init(const char * ini_profile, const char * section
 		goto error_out;
 	}
 	
-	MESA_load_profile_string_def(ini_profile, section, "trust_CA_file", mgr->trust_CA_file, sizeof(mgr->trust_CA_file),
+	MESA_load_profile_string_def(ini_profile, section, "trusted_cert_file", mgr->trusted_cert_file, sizeof(mgr->trusted_cert_file),
 		"/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem");
 	
-	mgr->trust_CA_store = ssl_trusted_cert_storage_create(mgr->trust_CA_file);
+	MESA_load_profile_string_def(ini_profile, section, "trusted_cert_dir", mgr->trusted_cert_dir, sizeof(mgr->trusted_cert_dir),
+		"./conf/trusted_storage");
+	mgr->trust_CA_store = ssl_trusted_cert_storage_create(mgr->trusted_cert_file, mgr->trusted_cert_dir);
 	if (mgr->trust_CA_store == NULL)
 	{
 		TFE_LOG_ERROR(logger, "Failed at creating X509_STORE");
 		goto error_out;
 	}
-	MESA_load_profile_string_def(ini_profile, section, "crl_file", mgr->crl_file, sizeof(mgr->crl_file), "");
-	if(strlen(mgr->crl_file)>0)
-	{
-		ssl_trusted_cert_storage_add(mgr->trust_CA_store, SSL_X509_OBJ_CRL, mgr->crl_file);
-	}

 	memcpy(mgr->ssl_session_context, "mesa-tfe", sizeof(mgr->ssl_session_context));

@@ -941,23 +940,27 @@ static void ssl_server_connected_eventcb(struct bufferevent * bev, short events,
 	struct ssl_stream * s_stream = ctx->s_stream;
 	struct ssl_mgr* mgr=s_stream->mgr;
 	SSL_SESSION * ssl_sess = NULL;
-	char error_string[TFE_STRING_MAX];
+	char error_str[TFE_STRING_MAX];
+	const char* sni=s_stream->client_hello->sni?s_stream->client_hello->sni:"null";

 	if (events & BEV_EVENT_ERROR)
 	{
 		ATOMIC_INC(&(ctx->mgr->stat_val[SSL_UP_ERR]));
 		ssl_stream_log_error(bev, CONN_DIR_UPSTREAM, ctx->mgr->logger);
-		promise_failed(p, FUTURE_ERROR_EXCEPTION, "connect to original server failed.");
+		snprintf(error_str, sizeof(error_str), "connect to original server failed : sni=%s", sni);
+		promise_failed(p, FUTURE_ERROR_EXCEPTION, error_str);
 	}
 	else if(events & BEV_EVENT_EOF)
 	{		
 		ATOMIC_INC(&(ctx->mgr->stat_val[SSL_UP_ERR]));		
-		promise_failed(p, FUTURE_ERROR_EXCEPTION, "original server closed.");
+		snprintf(error_str, sizeof(error_str), "original server closed : sni=%s", sni);
+		promise_failed(p, FUTURE_ERROR_EXCEPTION, error_str);
 	}
 	else if(events & BEV_EVENT_TIMEOUT)
 	{
 		ATOMIC_INC(&(ctx->mgr->stat_val[SSL_UP_ERR]));		
-		promise_failed(p, FUTURE_ERROR_TIMEOUT, NULL);
+		snprintf(error_str, sizeof(error_str), "timeout : sni=%s", sni);
+		promise_failed(p, FUTURE_ERROR_TIMEOUT, error_str);
 	}
 	else if(events & BEV_EVENT_CONNECTED)
 	{		
@@ -967,7 +970,7 @@ static void ssl_server_connected_eventcb(struct bufferevent * bev, short events,
 		if(!SSL_session_reused(s_stream->ssl))
 		{
 			s_stream->is_peer_cert_verify_passed = ssl_trusted_cert_storage_verify_conn(s_stream->mgr->trust_CA_store, 
-													s_stream->ssl, error_string, sizeof(error_string));
+													s_stream->ssl, error_str, sizeof(error_str));
 			if(s_stream->is_peer_cert_verify_passed)
 			{
 				//ONLY verified session is cacheable.
@@ -980,7 +983,7 @@ static void ssl_server_connected_eventcb(struct bufferevent * bev, short events,
 			{
 				ATOMIC_INC(&(mgr->stat_val[SSL_FAKE_CRT]));
 				char* addr_str=tfe_string_addr_create_by_fd(ctx->fd_upstream, CONN_DIR_UPSTREAM);
-				TFE_LOG_INFO(mgr->logger, "Fake Cert %s %s : %s", addr_str, ctx->s_stream->client_hello->sni, error_string);
+				TFE_LOG_INFO(mgr->logger, "Fake Cert %s %s : %s", addr_str, ctx->s_stream->client_hello->sni, error_str);
 				free(addr_str);
 			}
 		}
@@ -1430,22 +1433,26 @@ static void ssl_client_connected_eventcb(struct bufferevent * bev, short events,
 	struct ssl_stream * s_stream = ctx->downstream;
 	struct ssl_mgr* mgr=s_stream->mgr;
 	SSL_SESSION * ssl_sess = NULL;
-
+	const char* sni=ctx->origin_ssl->client_hello->sni?ctx->origin_ssl->client_hello->sni:"null";
+	char error_str[TFE_STRING_MAX]={0};
 	if (events & BEV_EVENT_ERROR)
 	{
 		ATOMIC_INC(&(mgr->stat_val[SSL_DOWN_ERR]));
 		ssl_stream_log_error(bev, CONN_DIR_DOWNSTREAM, mgr->logger);
-		promise_failed(p, FUTURE_ERROR_EXCEPTION, "connect to client failed.");
+		snprintf(error_str, sizeof(error_str), "connect to client failed : sni=%s", sni);
+		promise_failed(p, FUTURE_ERROR_EXCEPTION, error_str);
 	}
 	else if(events & BEV_EVENT_EOF)
 	{		
 		ATOMIC_INC(&(mgr->stat_val[SSL_DOWN_ERR]));		
-		promise_failed(p, FUTURE_ERROR_EXCEPTION, "client side closed.");
+		snprintf(error_str, sizeof(error_str), "client side closed : sni=%s", sni);
+		promise_failed(p, FUTURE_ERROR_EXCEPTION, error_str);
 	}
 	else if(events & BEV_EVENT_TIMEOUT)
 	{
 		ATOMIC_INC(&(mgr->stat_val[SSL_DOWN_ERR]));
-		promise_failed(p, FUTURE_ERROR_TIMEOUT, NULL);
+		snprintf(error_str, sizeof(error_str), "timeout : sni=%s", sni);
+		promise_failed(p, FUTURE_ERROR_TIMEOUT, error_str);
 	}
 	else if(events & BEV_EVENT_CONNECTED)
 	{		
--- a/platform/src/ssl_trusted_cert_storage.cpp
+++ b/platform/src/ssl_trusted_cert_storage.cpp
@@ -26,80 +26,11 @@ static void free_ssl_x509_obj(void* data)
 }
 struct ssl_trusted_cert_storage
 {
-	char* pem_bundle;
+	char* pem_bundle, *pem_dir;
    MESA_htable_handle hash_table;
 	pthread_rwlock_t rwlock;
 	X509_STORE* effective_store;
 };
-static X509_STORE* _X509_store_create(const char* pem_bundle)
-{
-	int ret=0;
-	X509_STORE* store=X509_STORE_new();
-	if (store == NULL)
-	{
-		return NULL;
-	}
-
-	ret = X509_STORE_set_default_paths(store);
-	if (ret == 0)
-	{
-		return NULL;
-	}
-	ret = X509_STORE_load_locations(store, pem_bundle, NULL);
-	if (ret == 0)
-	{
-		return NULL;
-	}
-	X509_VERIFY_PARAM *param=NULL;
-	param = X509_VERIFY_PARAM_new();
-	X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
-	X509_STORE_set1_param(store, param);
-	X509_VERIFY_PARAM_free(param);
-	return store;
-}
-static MESA_htable_handle _create_mesa_htable(void)
-{
-	int ret=0;
-	MESA_htable_handle htable = MESA_htable_born();
-	ret = __wrapper_MESA_htable_set_opt_int(htable, MHO_SCREEN_PRINT_CTRL, 0);
-	ret = __wrapper_MESA_htable_set_opt_int(htable, MHO_THREAD_SAFE, 0);
-	ret = __wrapper_MESA_htable_set_opt_int(htable, MHO_MUTEX_NUM, 16);
-	ret = __wrapper_MESA_htable_set_opt_int(htable, MHO_HASH_SLOT_SIZE, 1024*4);
-	ret = __wrapper_MESA_htable_set_opt_int(htable, MHO_HASH_MAX_ELEMENT_NUM, 0);
-	ret = __wrapper_MESA_htable_set_opt_int(htable, MHO_EXPIRE_TIME, 0);
-	ret = __wrapper_MESA_htable_set_opt_int(htable, MHO_ELIMIMINATE_TYPE,
-		HASH_ELIMINATE_ALGO_FIFO);
-	ret = __wrapper_MESA_htable_set_opt_func(htable, MHO_CBFUN_DATA_FREE,
-		(void *)free_ssl_x509_obj, sizeof(&free_ssl_x509_obj));
-	//ret = __wrapper_MESA_htable_set_opt(htable, MHO_CBFUN_DATA_EXPIRE_NOTIFY,
-	//	(void *)key_keeper_verify_cb);
-	ret = MESA_htable_mature(htable);
-	return htable;
-}
-struct ssl_trusted_cert_storage* ssl_trusted_cert_storage_create(const char* pem_bundle)
-{
-	int ret=0;
-	struct ssl_trusted_cert_storage* storage=ALLOC(struct ssl_trusted_cert_storage, 1);
-	storage->effective_store=_X509_store_create(pem_bundle);
-	if (storage->effective_store == NULL)
-	{
-		return NULL;
-	}
-
-	storage->pem_bundle=tfe_strdup(pem_bundle);
-	
-	storage->hash_table=_create_mesa_htable();
-	pthread_rwlock_init(&(storage->rwlock), NULL);
-	
-	return storage;
-	
-
-}
-void ssl_trusted_cert_storage_destroy(struct ssl_trusted_cert_storage* storage)
-{
-	return;
-}
-
 static int _X509_add_cert_or_crl_add(X509_STORE* store,  enum ssl_X509_obj_type type, const char* filename)
 {
 	 int ret=0;
@@ -146,6 +77,112 @@ static int _X509_add_cert_or_crl_add(X509_STORE* store,  enum ssl_X509_obj_type
 	 BIO_free(bio);
 	 return 1;
 }
+
+ static int filter_pem_fn(const struct dirent * ent)
+ {
+ 	const char* fn_suffix=".pem";
+ 	if(strlen(ent->d_name)< strlen(fn_suffix))
+	{
+		return 0;
+	}
+	if(0!=strcmp(ent->d_name+strlen(ent->d_name)-strlen(fn_suffix), fn_suffix))
+	{
+		return 0;
+	}
+	return 1;
+ }
+
+static X509_STORE* _X509_store_create(const char* pem_bundle, const char* pem_dir)
+{
+	int ret=0, n=0, i=0;
+	
+	struct dirent **namelist;
+	X509_STORE* store=X509_STORE_new();
+	char path[TFE_STRING_MAX]={0};
+	if (store == NULL)
+	{
+		return NULL;
+	}
+
+	ret = X509_STORE_set_default_paths(store);
+	if (ret == 0)
+	{
+		return NULL;
+	}
+	ret = X509_STORE_load_locations(store, pem_bundle, NULL);
+	if (ret == 0)
+	{
+		return NULL;
+	}
+	X509_VERIFY_PARAM *param=NULL;
+	param = X509_VERIFY_PARAM_new();
+	X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
+	X509_STORE_set1_param(store, param);
+	X509_VERIFY_PARAM_free(param);
+
+	n=tfe_scandir(pem_dir, &namelist, NULL, (int (*)(const void*, const void*))alphasort);
+	
+	for(i=0;i<n;i++)
+	{
+		snprintf(path, sizeof(path), "%s/%s",pem_dir, namelist[i]->d_name);
+		if(0==strcasecmp(namelist[i]->d_name+strlen(namelist[i]->d_name)-strlen(".pem"), ".pem"))
+		{
+			_X509_add_cert_or_crl_add(store, SSL_X509_OBJ_CERT, path);
+		}
+		else if(0==strcasecmp(namelist[i]->d_name+strlen(namelist[i]->d_name)-strlen(".crl"), ".crl"))
+		{
+			_X509_add_cert_or_crl_add(store, SSL_X509_OBJ_CRL, path);
+		}
+		free(namelist[i]);
+	}
+	free(namelist);
+
+	return store;
+}
+static MESA_htable_handle _create_mesa_htable(void)
+{
+	int ret=0;
+	MESA_htable_handle htable = MESA_htable_born();
+	ret = __wrapper_MESA_htable_set_opt_int(htable, MHO_SCREEN_PRINT_CTRL, 0);
+	ret = __wrapper_MESA_htable_set_opt_int(htable, MHO_THREAD_SAFE, 0);
+	ret = __wrapper_MESA_htable_set_opt_int(htable, MHO_MUTEX_NUM, 16);
+	ret = __wrapper_MESA_htable_set_opt_int(htable, MHO_HASH_SLOT_SIZE, 1024*4);
+	ret = __wrapper_MESA_htable_set_opt_int(htable, MHO_HASH_MAX_ELEMENT_NUM, 0);
+	ret = __wrapper_MESA_htable_set_opt_int(htable, MHO_EXPIRE_TIME, 0);
+	ret = __wrapper_MESA_htable_set_opt_int(htable, MHO_ELIMIMINATE_TYPE,
+		HASH_ELIMINATE_ALGO_FIFO);
+	ret = __wrapper_MESA_htable_set_opt_func(htable, MHO_CBFUN_DATA_FREE,
+		(void *)free_ssl_x509_obj, sizeof(&free_ssl_x509_obj));
+	//ret = __wrapper_MESA_htable_set_opt(htable, MHO_CBFUN_DATA_EXPIRE_NOTIFY,
+	//	(void *)key_keeper_verify_cb);
+	ret = MESA_htable_mature(htable);
+	return htable;
+}
+struct ssl_trusted_cert_storage* ssl_trusted_cert_storage_create(const char* pem_bundle, const char* pem_dir)
+{
+	int ret=0;
+	struct ssl_trusted_cert_storage* storage=ALLOC(struct ssl_trusted_cert_storage, 1);
+	storage->effective_store=_X509_store_create(pem_bundle, pem_dir);
+	if (storage->effective_store == NULL)
+	{
+		return NULL;
+	}
+
+	storage->pem_bundle=tfe_strdup(pem_bundle);
+	storage->pem_dir=tfe_strdup(pem_dir);
+	storage->hash_table=_create_mesa_htable();
+	pthread_rwlock_init(&(storage->rwlock), NULL);
+	
+	return storage;
+	
+
+}
+void ssl_trusted_cert_storage_destroy(struct ssl_trusted_cert_storage* storage)
+{
+	return;
+}
+
+
 int ssl_trusted_cert_storage_add(struct ssl_trusted_cert_storage* storage, enum ssl_X509_obj_type type, const char* filename)
 {

@@ -198,7 +235,7 @@ int ssl_trusted_cert_storage_del(struct ssl_trusted_cert_storage* storage, enum
 		ret=-1;
 		goto error_out;
 	}
-	temp_store=_X509_store_create(storage->pem_bundle);
+	temp_store=_X509_store_create(storage->pem_bundle, storage->pem_dir);
 	MESA_htable_iterate(storage->hash_table, cert_storage_htable_traverse_cb, temp_store);
 	X509_STORE_free(storage->effective_store);
 	storage->effective_store=temp_store;
@@ -215,7 +252,7 @@ void ssl_trusted_cert_storage_reset(struct ssl_trusted_cert_storage* storage)
 	MESA_htable_destroy(storage->hash_table, NULL);
 	
 	storage->hash_table=_create_mesa_htable();
-	temp_store=_X509_store_create(storage->pem_bundle);
+	temp_store=_X509_store_create(storage->pem_bundle, storage->pem_dir);

 	pthread_rwlock_wrlock(&(storage->rwlock));
 	X509_STORE_free(storage->effective_store);
--- a/plugin/business/pangu-http/src/pangu_web_cache.cpp
+++ b/plugin/business/pangu-http/src/pangu_web_cache.cpp
@@ -329,7 +329,7 @@ void cached_meta_set(struct cached_meta* meta, enum CACHE_RESULT_TYPE type, cons
 			break;
 		case RESULT_TYPE_USERTAG:
 			meta->last_modified=read_http1_hdr(data_frag, "Last-Modified");
-			if(0==strcasecmp(meta->last_modified, "Thu, 01 Jan 1970 00:00:00 GMT"))
+			if(meta->last_modified!=NULL && 0==strcasecmp(meta->last_modified, "Thu, 01 Jan 1970 00:00:00 GMT"))
 			{
 				FREE(&(meta->last_modified));
 			}
@@ -704,7 +704,6 @@ void web_cache_update(struct cache_update_context* ctx, const unsigned char * bo
 }
 void web_cache_update_end(struct cache_update_context* ctx)
 {
-	fprintf(stderr, "------- web_cache_update_end , %p\n", ctx);

 	tango_cache_update_end(ctx->write_ctx);
 	ATOMIC_DEC(&(ctx->ref_cache_handle->stat_val[STAT_CACHE_UPLOADING]));