Hi,

The following (and similar invocations) gets SIGABRT'd:

        openssl s_time -connect openbsd.org:443

BIO_set_conn_hostname(3), or whatever BIO_ctrl(3) is doing
underneath, tries to resolve your target host and the process
gets signaled when it enters socket(2).

Adding "dns" to the pledge(2) promise corrects this.

It looks like this has been broken since ~2015 but I have no
release machines handy to confirm.

--
Scott Cheloha

Index: usr.bin/openssl/s_time.c
===================================================================
RCS file: /cvs/src/usr.bin/openssl/s_time.c,v
retrieving revision 1.17
diff -u -p -r1.17 s_time.c
--- usr.bin/openssl/s_time.c    20 Jan 2017 08:57:12 -0000      1.17
+++ usr.bin/openssl/s_time.c    1 Nov 2017 23:30:23 -0000
@@ -254,7 +254,7 @@ s_time_main(int argc, char **argv)
        int ver;
 
        if (single_execution) {
-               if (pledge("stdio rpath inet", NULL) == -1) {
+               if (pledge("stdio rpath inet dns", NULL) == -1) {
                        perror("pledge");
                        exit(1);
                }
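Review bot: the promise string in the pledge() call under `if (single_execution)` gains "dns" with no comment saying why, so the reason lives only in the mail. A one-line comment above the call, noting that the -connect host is resolved after pledge (inside BIO_set_conn_hostname or the BIO_ctrl call beneath it, per the report), would keep a later tightening pass from dropping the promise again. Only the single_execution branch is visible in this hunk; since the report says "similar invocations" abort too, any other pledge() call in s_time.c or in the other openssl subcommands that connect by hostname should be checked for the same missing promise. If the name only needs resolving once, doing that before pledge() would avoid holding "dns" for the whole run.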
