Fix ticket hash calculation for indirectly connected clients
authorMichael Friedrich <michael.friedrich@icinga.com>
Wed, 6 Sep 2017 08:54:39 +0000 (10:54 +0200)
committerGunnar Beutner <gunnar.beutner@icinga.com>
Tue, 12 Sep 2017 10:52:49 +0000 (12:52 +0200)
refs #5450

lib/remote/jsonrpcconnection-pki.cpp

index 2d5ee5edb04fa3d066f29ca4122248246c715998..1bd68633f949cdb1c4fabd167ec5308b8545861a 100644 (file)
@@ -118,11 +118,14 @@ Value RequestCertificateHandler(const MessageOrigin::Ptr& origin, const Dictiona
        boost::shared_ptr<X509> newcert;
        boost::shared_ptr<EVP_PKEY> pubkey;
        X509_NAME *subject;
+       String cn;
        Dictionary::Ptr message;
 
        if (!Utility::PathExists(GetIcingaCADir() + "/ca.key"))
                goto delayed_request;
 
+       cn = GetCertificateCN(cert);
+
        if (!signedByCA) {
                String salt = listener->GetTicketSalt();
 
@@ -131,9 +134,12 @@ Value RequestCertificateHandler(const MessageOrigin::Ptr& origin, const Dictiona
                if (salt.IsEmpty() || ticket.IsEmpty())
                        goto delayed_request;
 
-               String realTicket = PBKDF2_SHA1(origin->FromClient->GetIdentity(), salt, 50000);
+               String realTicket = PBKDF2_SHA1(cn, salt, 50000);
 
                if (ticket != realTicket) {
+                       Log(LogWarning, "JsonRpcConnection")
+                           << "Ticket for identity '" << cn << "' is invalid.";
+
                        result->Set("status_code", 1);
                        result->Set("error", "Invalid ticket.");
                        return result;
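Review bot: The ticket at `PBKDF2_SHA1(cn, salt, 50000)` is now bound to the CN read from the certificate in the request rather than to the authenticated peer identity, so holding the ticket for a name is the only thing that entitles a connection to a certificate for that name, whichever endpoint the request arrives through. That is what the commit title intends, but nothing in the code says so; a comment above the line such as `// the ticket is derived from the requested CN, not the connecting peer, so requests forwarded for indirectly connected clients validate here` would stop a later reader from reintroducing the identity-based check. The new warning logs the client-supplied CN verbatim, which helps detection of bad ticket attempts but means whatever consumes the log should treat that value as untrusted input. The `ticket != realTicket` comparison on the context line is an ordinary string inequality; a constant-time comparison would be the conservative choice, though that predates this change. RequestCertificateHandler continues past the end of this hunk.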