Hi,
The previous commit to libtls makes syslogd abort due to pledge if
certificate verification is turned off. This happens in the
chrooted child process.
87878 syslogd CALL open(0x2d203ce4,0)
87878 syslogd NAMI "/etc/ssl/cert.pem"
87878 syslogd PLDG open, "rpath", errno 1 Operation not permitted
87878 syslogd PSIG SIGABRT SIG_DFL code <-538976289>
We can either preload the CA file in syslogd even if verification is
turned off.
Index: usr.sbin/syslogd/syslogd.c
===
RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/syslogd.c,v
retrieving revision 1.225
diff -u -p -r1.225 syslogd.c
--- usr.sbin/syslogd/syslogd.c 27 Dec 2016 19:16:24 - 1.225
+++ usr.sbin/syslogd/syslogd.c 29 Dec 2016 22:57:41 -
@@ -590,16 +590,14 @@ main(int argc, char *argv[])
if (NoVerify) {
tls_config_insecure_noverifycert(client_config);
tls_config_insecure_noverifyname(client_config);
- } else {
- if (tls_config_set_ca_file(client_config,
- CAfile) == -1) {
- logerrortlsconf("Load client TLS CA failed",
- client_config);
- /* avoid reading default certs in chroot */
- tls_config_set_ca_mem(client_config, "", 0);
- } else
- logdebug("CAfile %s\n", CAfile);
}
+ if (tls_config_set_ca_file(client_config, CAfile) == -1) {
+ logerrortlsconf("Load client TLS CA failed",
+ client_config);
+ /* avoid reading default certs in chroot */
+ tls_config_set_ca_mem(client_config, "", 0);
+ } else
+ logdebug("CAfile %s\n", CAfile);
if (ClientCertfile && ClientKeyfile) {
if (tls_config_set_cert_file(client_config,
ClientCertfile) == -1)
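Review bot: With NoVerify set, a missing or unreadable CAfile now produces the `Load client TLS CA failed` error log from logerrortlsconf, although the CA is only being loaded to keep libtls from falling back to /etc/ssl/cert.pem inside the chroot (the `avoid reading default certs in chroot` comment); on a host without cert.pem, a case the cover letter itself mentions, syslogd with verification off would log an error for a condition that does not matter to it. Consider logging at debug level in that case, e.g. `if (NoVerify) logdebug("Load client TLS CA failed\n"); else logerrortlsconf("Load client TLS CA failed", client_config);`, or extend the comment to say the load is also required when verification is off. The fallback `tls_config_set_ca_mem(client_config, "", 0)` return value is still unchecked; since that call is what prevents the open() of cert.pem that trips pledge, a failure there should at least be logged. main() continues outside the hunk.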
Or do not call tls_configure_ssl_verify() if verification is turned
off.
Index: lib/libtls/tls_client.c
===
RCS file: /data/mirror/openbsd/cvs/src/lib/libtls/tls_client.c,v
retrieving revision 1.38
diff -u -p -r1.38 tls_client.c
--- lib/libtls/tls_client.c 26 Dec 2016 16:20:58 - 1.38
+++ lib/libtls/tls_client.c 29 Dec 2016 22:56:23 -
@@ -195,7 +195,9 @@ tls_connect_common(struct tls *ctx, cons
}
}
- if (tls_configure_ssl_verify(ctx, ctx->ssl_ctx, SSL_VERIFY_PEER) == -1)
+ if (ctx->config->verify_cert &&
+ (tls_configure_ssl_verify(ctx, ctx->ssl_ctx,
+SSL_VERIFY_PEER) == -1))
goto err;
if (SSL_CTX_set_tlsext_status_cb(ctx->ssl_ctx, tls_ocsp_verify_cb) !=
1) {
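Review bot: Skipping tls_configure_ssl_verify() leaves the SSL_CTX at its default verify mode, which is what noverifycert intends, but the hunk does not record why the call became conditional; a comment such as `/* No CA store is needed when cert verification is off; loading one would open /etc/ssl/cert.pem, which pledge- or chroot-restricted callers cannot read. */` would keep the rationale from the cover letter next to the code. Because tls_ocsp_verify_cb is installed unconditionally on the following line, confirm it does not rely on the cert store that tls_configure_ssl_verify would have populated when verify_cert is off; I cannot see its body from here. The continuation line `SSL_VERIFY_PEER) == -1))` also appears at column 0 and carries an extra pair of parentheses around the second conjunct; if that is not mail mangling, it should get KNF continuation indentation and the parentheses can go. tls_connect_common continues outside the hunk.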
I would prefer the fix in libtls as
- this problem may also affect other daemons
- it avoids doing unnecessary work
- syslogd could run on a system without cert.pem
comments? ok?
bluhm