reverse-proxy/tasks/fix/log-root-cert-count.md at 159eeda266b09be8dad9549588656d1475559ddf

Files

glm-5.1 54f1725173 Decompose security review #003 findings into 17 fix tasks and 1 review task

Address 4 critical, 8 warning, and 5 suggestion findings from the
security and bug review by creating atomic, dependency-ordered tasks:

Critical fixes (C1-C4): rate limiter IP source (ADR-025), InFlightCounter
increment + drain interval, connector timeout ceiling (ADR-026), JSON format
without log file.

Validation tightening (W1, W2): upstream host validation, ACME contact email
validation.

Robustness (W3, W4, W5, W12): upstream URI error handling (502 not silent
drop), admin socket resource limits (ADR-027), TlsMode wildcard mismatch,
http_port u32→u16.

Code quality (W6, W10, W11, S1, S3, W8/W9): config type consolidation,
TokenBucket field visibility, reload_mutex #[cfg(test)], dead code removal,
root cert count logging, misleading test names.

Test coverage (S10): rate limiter ConnectInfo tests (depends on C1 fix).

Review: post-security-fix-review checkpoint covering all critical fixes
and sensitive config consolidation path.

2026-06-12 13:42:37 +00:00

1.8 KiB

Raw Blame History

id, name, status, depends_on, scope, risk, impact, level, review_findings

name

status

depends_on

scope

risk

impact

level

review_findings

fix/log-root-cert-count

Log system root certificate count at startup (S3)

pending

single

trivial

isolated

implementation

Description

root_certs() loads native certificates silently — only logs errors. If the system has zero root certificates (misconfigured CA bundle), all HTTPS upstream connections will fail with opaque TLS errors and no diagnostic message.

Changes Required

src/proxy/handler.rs — root_certs() function (lines 246-258):

Add an info-level log with cert count and warn if zero:

fn root_certs() -> rustls::RootCertStore {
    let mut roots = rustls::RootCertStore::empty();
    let result = rustls_native_certs::load_native_certs();
    for cert in result.certs {
        roots.add(cert).ok();
    }
    let cert_count = roots.len();
    let error_count = result.errors.len();
    if cert_count == 0 {
        warn!(certs_loaded = cert_count, errors = error_count,
            "no system root certificates loaded — HTTPS upstream connections will fail");
    } else {
        info!(certs_loaded = cert_count, errors = error_count,
            "loaded system root certificates");
    }
    for err in &result.errors {
        warn!(error = %err, "failed to load native certificate");
    }
    roots
}

Acceptance Criteria

Info-level log with cert count when certs > 0
Warn-level log when cert count is 0
Error count included in log output
Individual cert load errors still logged at warn level
cargo test passes
cargo clippy passes with no warnings

References

docs/reviews/003-security-and-bug-review.md — S3 finding
src/proxy/handler.rs — root_certs() function

Notes

To be filled on completion

Summary