On Tue, Jun 06, 2017 at 08:41:04PM +0000, Florian Obser wrote: > On Tue, Jun 06, 2017 at 09:18:25PM +1000, Jonathan Gray wrote: > > when using a server.key with a passphrase, ie > > > > openssl genrsa -aes256 -out /etc/ssl/private/server.key 2048 > > > > server "default" { > > listen on * port 80 > > listen on * tls port 443 > > directory { auto index } > > } > > > > types { > > include "/usr/share/misc/mime.types" > > text/plain "log" > > } > > > > httpd(96368): syscall 5 "wpath" > > httpd(87490): syscall 5 "wpath" > > httpd(30649): syscall 5 "wpath" > > This very much sounds like "Doctor! Doctor! If I do this it hurts!" > > In case anyone wonders if adding wpath to the pledge would solve this, > it is not the right solution, also it will not get you very far since > libcrypto is trying to dick around with /dev/tty. You will probably be > killed shortly afterwards because of missing tty pledge... > > I'm wondering if relayd is handling this better. If yes, we should > bring over the crypto engine, if no we should fix relayd and then > bring over the crypto engine.
does libtls have some option to tell libcrypto to not try interactive asking password ? it seems to be the underline problem. > > > > #0 0x0000022b9356bc0a in _thread_sys_open () at {standard input}:5 > > #1 0x0000022b935d6299 in *_libc_open_cancel (path=Variable "path" is not > > available. > > ) at /usr/src/lib/libc/sys/w_open.c:36 > > #2 0x0000022b9359a642 in *_libc_fopen (file=0x22b2db5c9be "/dev/tty", > > mode=Variable "mode" is not available. > > ) at /usr/src/lib/libc/stdio/fopen.c:54 > > #3 0x0000022b2d92d26f in open_console (ui=Variable "ui" is not available. > > ) at /usr/src/lib/libcrypto/ui/ui_openssl.c:304 > > #4 0x0000022b2d9e65da in UI_process (ui=0x22b217187c0) at > > /usr/src/lib/libcrypto/ui/ui_lib.c:455 > > #5 0x0000022b2d954b8f in EVP_read_pw_string_min (buf=0x7f7fffff19f0 "", > > min=4, len=Variable "len" is not available. > > ) at /usr/src/lib/libcrypto/evp/evp_key.c:117 > > #6 0x0000022b2d9dc018 in PEM_def_callback (buf=0x7f7fffff19f0 "", > > num=1024, w=0, key=Variable "key" is not available. > > ) at /usr/src/lib/libcrypto/pem/pem_lib.c:113 > > #7 0x0000022b2d9dc2c4 in PEM_do_header (cipher=0x7f7fffff1ec0, > > data=0x22bc09b6000 > > "d\vQ\212\222Åííó\035\006\227\221\004ÛÇ.H\033\225YͧÄ\nmKql}1i\034PÇåz\033a@Ä\232Ä\220Nÿ\037ÁAPfVs\005r\226ñ\030\2273Tã > > W\t\201î ý\217Í+\2033¼괸^\226D\2340z:-+g\226´ã*à\034", plen=0x7f7fffff1ee8, > > callback=Variable "callback" is not available. > > ) > > at /usr/src/lib/libcrypto/pem/pem_lib.c:447 > > #8 0x0000022b2d9dc64c in PEM_bytes_read_bio (pdata=0x7f7fffff1f68, > > plen=0x7f7fffff1f60, pnm=0x7f7fffff1f78, > > name=0x22b2db5dcb5 "ANY PRIVATE KEY", bp=0x22b514c9e00, cb=0, u=0x0) at > > /usr/src/lib/libcrypto/pem/pem_lib.c:296 > > #9 0x0000022b2d93112f in PEM_read_bio_PrivateKey (bp=Variable "bp" is not > > available. > > ) at /usr/src/lib/libcrypto/pem/pem_pkey.c:90 > > #10 0x0000022b6ef43b62 in tls_configure_ssl_keypair (ctx=0x22b514c9e80, > > ssl_ctx=0x22bcc86ce00, keypair=0x22b9294df00, required=Variable "required" > > is not available. > > ) > > at /usr/src/lib/libtls/tls.c:347 > > #11 0x0000022b6ef42135 in tls_configure_server_ssl (ctx=0x22b514c9e80, > > ssl_ctx=0x22b514c9eb8, keypair=0x22b9294df00) > > at /usr/src/lib/libtls/tls_server.c:261 > > #12 0x0000022b6ef427a1 in tls_configure_server (ctx=0x22b514c9e80) at > > /usr/src/lib/libtls/tls_server.c:361 > > #13 0x0000022920b1413c in server_tls_init (srv=0x22bd885d000) at > > /usr/src/usr.sbin/httpd/server.c:297 > > #14 0x0000022920b1431c in server_launch () at > > /usr/src/usr.sbin/httpd/server.c:359 > > #15 0x0000022920b16759 in server_dispatch_parent (fd=3, p=0x22920d301c0, > > imsg=0x7f7fffff25a0) at /usr/src/usr.sbin/httpd/server.c:1289 > > #16 0x0000022920b12f99 in proc_dispatch (fd=3, event=2, arg=0x22c12810000) > > at /usr/src/usr.sbin/httpd/proc.c:652 > > #17 0x0000022c070a0808 in event_base_loop (base=0x22b94f5d000, > > flags=Variable "flags" is not available. > > ) at /usr/src/lib/libevent/event.c:350 > > #18 0x0000022920b12db4 in proc_run (ps=0x22c0f506000, p=0x22920d30080, > > procs=0x22920d301c0, nproc=2, run=0x22920b1424d <server_init>, > > arg=0x0) at /usr/src/usr.sbin/httpd/proc.c:594 > > #19 0x0000022920b137b1 in server (ps=0x22c0f506000, p=0x22920d30080) at > > /usr/src/usr.sbin/httpd/server.c:87 > > #20 0x0000022920b11da5 in proc_init (ps=0x22c0f506000, procs=0x22920d30080, > > nproc=2, argc=5, argv=0x7f7fffff2898, proc_id=PROC_SERVER) > > at /usr/src/usr.sbin/httpd/proc.c:249 > > #21 0x0000022920b0ac57 in main (argc=0, argv=0x7f7fffff2898) at > > /usr/src/usr.sbin/httpd/httpd.c:218 > > > > -- > I'm not entirely sure you are real. > -- Sebastien Marie