Re: syslogd TLS accept

2015-10-07 Thread Bob Beck
sure. ok

On Tuesday, 6 October 2015, Alexander Bluhm  wrote:

> On Fri, Sep 25, 2015 at 11:27:49PM +0200, Alexander Bluhm wrote:
> > If syslogd is started with -S, it accepts TLS connections to receive
> > encrypted traffic.  The server certificates are taken from /etc/ssl
> > like relayd does.
>
> Anyone?
>
> bluhm
>
> Index: usr.sbin/syslogd/evbuffer_tls.c
> ===
> RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/evbuffer_tls.c,v
> retrieving revision 1.8
> diff -u -p -r1.8 evbuffer_tls.c
> --- usr.sbin/syslogd/evbuffer_tls.c 20 Sep 2015 21:49:54 -  1.8
> +++ usr.sbin/syslogd/evbuffer_tls.c 6 Oct 2015 16:10:11 -
> @@ -260,6 +260,19 @@ buffertls_set(struct buffertls *buftls,
>  }
>
>  void
> +buffertls_accept(struct buffertls *buftls, int fd)
> +{
> +   struct bufferevent *bufev = buftls->bt_bufev;
> +
> +   event_del(>ev_read);
> +   event_del(>ev_write);
> +   event_set(>ev_read, fd, EV_READ, buffertls_handshakecb,
> buftls);
> +   event_set(>ev_write, fd, EV_WRITE, buffertls_handshakecb,
> +   buftls);
> +   bufferevent_add(>ev_read, bufev->timeout_read);
> +}
> +
> +void
>  buffertls_connect(struct buffertls *buftls, int fd)
>  {
> struct bufferevent *bufev = buftls->bt_bufev;
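Review bot: buffertls_accept carries no comment explaining why only the read event is armed (`bufferevent_add(&bufev->ev_read, bufev->timeout_read)`) while the write event is set but never added; the same hunk recurs in the two later copies of this diff in the thread. Presumably this is the server side waiting for the client's first handshake flight, with buffertls_handshakecb re-arming whichever direction tls_handshake() blocks on, and a comment such as `/* Server side: wait for the client's first flight; buffertls_handshakecb drives tls_handshake() and re-arms read/write as needed. */` would record that. Worth stating in the same comment is that the handshake is bounded by timeout_read, so a peer that connects and never speaks holds the descriptor only until that timeout fires (assuming the caller set one). The body also looks like a copy of buffertls_connect's event wiring, whose body continues past the hunk; if the two differ only in the callback, one static helper would remove the duplication. The `event_del(>ev_read)` lines appear to be the mail rendering dropping `&bufev`, not the patch itself.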
> Index: usr.sbin/syslogd/evbuffer_tls.h
> ===
> RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/evbuffer_tls.h,v
> retrieving revision 1.4
> diff -u -p -r1.4 evbuffer_tls.h
> --- usr.sbin/syslogd/evbuffer_tls.h 10 Sep 2015 18:32:06 -  1.4
> +++ usr.sbin/syslogd/evbuffer_tls.h 6 Oct 2015 16:10:11 -
> @@ -31,6 +31,7 @@ struct buffertls {
>
>  void   buffertls_set(struct buffertls *, struct bufferevent *, struct tls
> *,
>  int);
> +void   buffertls_accept(struct buffertls *, int);
>  void   buffertls_connect(struct buffertls *, int);
>
>  #endif /* _EVBUFFER_TLS_H_ */
> Index: usr.sbin/syslogd/privsep.c
> ===
> RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/privsep.c,v
> retrieving revision 1.54
> diff -u -p -r1.54 privsep.c
> --- usr.sbin/syslogd/privsep.c  7 Jul 2015 17:53:04 -   1.54
> +++ usr.sbin/syslogd/privsep.c  6 Oct 2015 16:10:11 -
> @@ -184,6 +184,8 @@ priv_init(char *conf, int numeric, int l
> close(fd_bind);
> if (fd_listen != -1)
> close(fd_listen);
> +   if (fd_tls != -1)
> +   close(fd_tls);
> for (i = 0; i < nunix; i++)
> if (fd_unix[i] != -1)
> close(fd_unix[i]);
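Review bot: The added close of fd_tls follows the fd_bind/fd_listen pattern but nothing records why the privileged parent drops it; presumably so that the TLS listener and every connection accepted on it live only in the unprivileged child, which is the property the privsep split relies on. A one-line comment above the three closes, `/* the listening sockets belong to the unprivileged child only */`, would make that explicit. Whether fd_tls reaches priv_init as a new parameter or a global is not visible here (the signature is cut in the hunk header), so that should be checked in the full patch. priv_init starts outside the hunk, and the same change is repeated in the two later copies of this diff in the thread.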
> Index: usr.sbin/syslogd/syslogd.8
> ===
> RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/syslogd.8,v
> retrieving revision 1.38
> diff -u -p -r1.38 syslogd.8
> --- usr.sbin/syslogd/syslogd.8  7 Jul 2015 21:43:35 -   1.38
> +++ usr.sbin/syslogd/syslogd.8  6 Oct 2015 16:10:11 -
> @@ -45,6 +45,7 @@
>  .Op Fl f Ar config_file
>  .Op Fl m Ar mark_interval
>  .Op Fl p Ar log_socket
> +.Op Fl S Ar listen_address
>  .Op Fl s Ar reporting_socket
>  .Op Fl T Ar listen_address
>  .Op Fl U Ar bind_address
> @@ -108,6 +109,25 @@ the symbolic local host name.
>  Specify the pathname of an alternate log socket to be used instead;
>  the default is
>  .Pa /dev/log .
> +.It Fl S Ar listen_address
> +Create a TLS listen socket for receiving encrypted messages and
> +bind it to the specified address.
> +A port number may be specified using the
> +.Ar host:port
> +syntax.
> +The syslog server will attempt to look up a private key in
> +.Pa /etc/ssl/private/host:port.key
> +and a public certificate in
> +.Pa /etc/ssl/host:port.crt ,
> +where
> +.Ar host
> +is the specified host name or IP address and
> +.Ar port
> +is the specified port if given on the command line.
> +If these files are not present, syslogd will continue to look in
> +.Pa /etc/ssl/private/host.key
> +and
> +.Pa /etc/ssl/host.crt .
>  .It Fl s Ar reporting_socket
>  Specify path to an
>  .Dv AF_LOCAL
> Index: usr.sbin/syslogd/syslogd.c
> ===
> RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/syslogd.c,v
> retrieving revision 1.190
> diff -u -p -r1.190 syslogd.c
> --- usr.sbin/syslogd/syslogd.c  29 Sep 2015 03:19:23 -  1.190
> +++ usr.sbin/syslogd/syslogd.c  6 Oct 2015 16:10:11 -
> @@ -50,7 +50,7 @@
>   * extensive changes by Ralph Campbell
>   * more extensive changes by Eric Allman (again)
>   * memory buffer logging by Damien Miller
> - * IPv6, libevent, sending over TCP and TLS by Alexander Bluhm
> + * IPv6, libevent, syslog over TCP and TLS by Alexander Bluhm
>   */
>
>  #define MAXLINE8192/* maximum line length */
> @@ -219,9 +219,13 @@ char   *bind_host = NULL;  /* 

Re: syslogd TLS accept

2015-10-06 Thread Alexander Bluhm
On Fri, Sep 25, 2015 at 11:27:49PM +0200, Alexander Bluhm wrote:
> If syslogd is started with -S, it accepts TLS connections to receive
> encrypted traffic.  The server certificates are taken from /etc/ssl
> like relayd does.

Anyone?

bluhm

Index: usr.sbin/syslogd/evbuffer_tls.c
===
RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/evbuffer_tls.c,v
retrieving revision 1.8
diff -u -p -r1.8 evbuffer_tls.c
--- usr.sbin/syslogd/evbuffer_tls.c 20 Sep 2015 21:49:54 -  1.8
+++ usr.sbin/syslogd/evbuffer_tls.c 6 Oct 2015 16:10:11 -
@@ -260,6 +260,19 @@ buffertls_set(struct buffertls *buftls, 
 }
 
 void
+buffertls_accept(struct buffertls *buftls, int fd)
+{
+   struct bufferevent *bufev = buftls->bt_bufev;
+
+   event_del(>ev_read);
+   event_del(>ev_write);
+   event_set(>ev_read, fd, EV_READ, buffertls_handshakecb, buftls);
+   event_set(>ev_write, fd, EV_WRITE, buffertls_handshakecb,
+   buftls);
+   bufferevent_add(>ev_read, bufev->timeout_read);
+}
+
+void
 buffertls_connect(struct buffertls *buftls, int fd)
 {
struct bufferevent *bufev = buftls->bt_bufev;
Index: usr.sbin/syslogd/evbuffer_tls.h
===
RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/evbuffer_tls.h,v
retrieving revision 1.4
diff -u -p -r1.4 evbuffer_tls.h
--- usr.sbin/syslogd/evbuffer_tls.h 10 Sep 2015 18:32:06 -  1.4
+++ usr.sbin/syslogd/evbuffer_tls.h 6 Oct 2015 16:10:11 -
@@ -31,6 +31,7 @@ struct buffertls {
 
 void   buffertls_set(struct buffertls *, struct bufferevent *, struct tls *,
 int);
+void   buffertls_accept(struct buffertls *, int);
 void   buffertls_connect(struct buffertls *, int);
 
 #endif /* _EVBUFFER_TLS_H_ */
Index: usr.sbin/syslogd/privsep.c
===
RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/privsep.c,v
retrieving revision 1.54
diff -u -p -r1.54 privsep.c
--- usr.sbin/syslogd/privsep.c  7 Jul 2015 17:53:04 -   1.54
+++ usr.sbin/syslogd/privsep.c  6 Oct 2015 16:10:11 -
@@ -184,6 +184,8 @@ priv_init(char *conf, int numeric, int l
close(fd_bind);
if (fd_listen != -1)
close(fd_listen);
+   if (fd_tls != -1)
+   close(fd_tls);
for (i = 0; i < nunix; i++)
if (fd_unix[i] != -1)
close(fd_unix[i]);
Index: usr.sbin/syslogd/syslogd.8
===
RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/syslogd.8,v
retrieving revision 1.38
diff -u -p -r1.38 syslogd.8
--- usr.sbin/syslogd/syslogd.8  7 Jul 2015 21:43:35 -   1.38
+++ usr.sbin/syslogd/syslogd.8  6 Oct 2015 16:10:11 -
@@ -45,6 +45,7 @@
 .Op Fl f Ar config_file
 .Op Fl m Ar mark_interval
 .Op Fl p Ar log_socket
+.Op Fl S Ar listen_address
 .Op Fl s Ar reporting_socket
 .Op Fl T Ar listen_address
 .Op Fl U Ar bind_address
@@ -108,6 +109,25 @@ the symbolic local host name.
 Specify the pathname of an alternate log socket to be used instead;
 the default is
 .Pa /dev/log .
+.It Fl S Ar listen_address
+Create a TLS listen socket for receiving encrypted messages and
+bind it to the specified address.
+A port number may be specified using the
+.Ar host:port
+syntax.
+The syslog server will attempt to look up a private key in
+.Pa /etc/ssl/private/host:port.key
+and a public certificate in
+.Pa /etc/ssl/host:port.crt ,
+where
+.Ar host
+is the specified host name or IP address and
+.Ar port
+is the specified port if given on the command line.
+If these files are not present, syslogd will continue to look in
+.Pa /etc/ssl/private/host.key
+and
+.Pa /etc/ssl/host.crt .
 .It Fl s Ar reporting_socket
 Specify path to an
 .Dv AF_LOCAL
Index: usr.sbin/syslogd/syslogd.c
===
RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/syslogd.c,v
retrieving revision 1.190
diff -u -p -r1.190 syslogd.c
--- usr.sbin/syslogd/syslogd.c  29 Sep 2015 03:19:23 -  1.190
+++ usr.sbin/syslogd/syslogd.c  6 Oct 2015 16:10:11 -
@@ -50,7 +50,7 @@
  * extensive changes by Ralph Campbell
  * more extensive changes by Eric Allman (again)
  * memory buffer logging by Damien Miller
- * IPv6, libevent, sending over TCP and TLS by Alexander Bluhm
+ * IPv6, libevent, syslog over TCP and TLS by Alexander Bluhm
  */
 
 #define MAXLINE8192/* maximum line length */
@@ -219,9 +219,13 @@ char   *bind_host = NULL;  /* bind UDP rece
 char   *bind_port = NULL;
 char   *listen_host = NULL;/* listen on TCP receive socket */
 char   *listen_port = NULL;
+char   *tls_hostport = NULL;   /* listen on TLS receive socket */
+char   *tls_host = NULL;
+char   *tls_port = NULL;
 char   *path_ctlsock = NULL;   /* Path to control socket */
 
-struct 

syslogd TLS accept

2015-09-25 Thread Alexander Bluhm
Hi,

If syslogd is started with -S, it accepts TLS connections to receive
encrypted traffic.  The server certificates are taken from /etc/ssl
like relayd does.

ok?

bluhm

Index: usr.sbin/syslogd/evbuffer_tls.c
===
RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/evbuffer_tls.c,v
retrieving revision 1.8
diff -u -p -r1.8 evbuffer_tls.c
--- usr.sbin/syslogd/evbuffer_tls.c 20 Sep 2015 21:49:54 -  1.8
+++ usr.sbin/syslogd/evbuffer_tls.c 25 Sep 2015 13:35:52 -
@@ -260,6 +260,19 @@ buffertls_set(struct buffertls *buftls, 
 }
 
 void
+buffertls_accept(struct buffertls *buftls, int fd)
+{
+   struct bufferevent *bufev = buftls->bt_bufev;
+
+   event_del(>ev_read);
+   event_del(>ev_write);
+   event_set(>ev_read, fd, EV_READ, buffertls_handshakecb, buftls);
+   event_set(>ev_write, fd, EV_WRITE, buffertls_handshakecb,
+   buftls);
+   bufferevent_add(>ev_read, bufev->timeout_read);
+}
+
+void
 buffertls_connect(struct buffertls *buftls, int fd)
 {
struct bufferevent *bufev = buftls->bt_bufev;
Index: usr.sbin/syslogd/evbuffer_tls.h
===
RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/evbuffer_tls.h,v
retrieving revision 1.4
diff -u -p -r1.4 evbuffer_tls.h
--- usr.sbin/syslogd/evbuffer_tls.h 10 Sep 2015 18:32:06 -  1.4
+++ usr.sbin/syslogd/evbuffer_tls.h 25 Sep 2015 13:35:52 -
@@ -31,6 +31,7 @@ struct buffertls {
 
 void   buffertls_set(struct buffertls *, struct bufferevent *, struct tls *,
 int);
+void   buffertls_accept(struct buffertls *, int);
 void   buffertls_connect(struct buffertls *, int);
 
 #endif /* _EVBUFFER_TLS_H_ */
Index: usr.sbin/syslogd/privsep.c
===
RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/privsep.c,v
retrieving revision 1.54
diff -u -p -r1.54 privsep.c
--- usr.sbin/syslogd/privsep.c  7 Jul 2015 17:53:04 -   1.54
+++ usr.sbin/syslogd/privsep.c  25 Sep 2015 13:35:52 -
@@ -184,6 +184,8 @@ priv_init(char *conf, int numeric, int l
close(fd_bind);
if (fd_listen != -1)
close(fd_listen);
+   if (fd_tls != -1)
+   close(fd_tls);
for (i = 0; i < nunix; i++)
if (fd_unix[i] != -1)
close(fd_unix[i]);
Index: usr.sbin/syslogd/syslogd.8
===
RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/syslogd.8,v
retrieving revision 1.38
diff -u -p -r1.38 syslogd.8
--- usr.sbin/syslogd/syslogd.8  7 Jul 2015 21:43:35 -   1.38
+++ usr.sbin/syslogd/syslogd.8  25 Sep 2015 13:35:52 -
@@ -45,6 +45,7 @@
 .Op Fl f Ar config_file
 .Op Fl m Ar mark_interval
 .Op Fl p Ar log_socket
+.Op Fl S Ar listen_address
 .Op Fl s Ar reporting_socket
 .Op Fl T Ar listen_address
 .Op Fl U Ar bind_address
@@ -108,6 +109,25 @@ the symbolic local host name.
 Specify the pathname of an alternate log socket to be used instead;
 the default is
 .Pa /dev/log .
+.It Fl S Ar listen_address
+Create a TLS listen socket for receiving encrypted messages and
+bind it to the specified address.
+A port number may be specified using the
+.Ar host:port
+syntax.
+The syslog server will attempt to look up a private key in
+.Pa /etc/ssl/private/host:port.key
+and a public certificate in
+.Pa /etc/ssl/host:port.crt ,
+where
+.Ar host
+is the specified host name or IP address and
+.Ar port
+is the specified port if given on the command line.
+If these files are not present, syslogd will continue to look in
+.Pa /etc/ssl/private/host.key
+and
+.Pa /etc/ssl/host.crt .
 .It Fl s Ar reporting_socket
 Specify path to an
 .Dv AF_LOCAL
Index: usr.sbin/syslogd/syslogd.c
===
RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/syslogd.c,v
retrieving revision 1.189
diff -u -p -r1.189 syslogd.c
--- usr.sbin/syslogd/syslogd.c  12 Sep 2015 13:50:29 -  1.189
+++ usr.sbin/syslogd/syslogd.c  25 Sep 2015 18:52:51 -
@@ -219,9 +219,13 @@ char   *bind_host = NULL;  /* bind UDP rece
 char   *bind_port = NULL;
 char   *listen_host = NULL;/* listen on TCP receive socket */
 char   *listen_port = NULL;
+char   *tls_hostport = NULL;   /* listen on TLS receive socket */
+char   *tls_host = NULL;
+char   *tls_port = NULL;
 char   *path_ctlsock = NULL;   /* Path to control socket */
 
-struct tls_config *tlsconfig = NULL;
+struct tls *server_ctx;
+struct tls_config *client_config, *server_config;
 const char *CAfile = "/etc/ssl/cert.pem"; /* file containing CA certificates */
 intNoVerify = 0;   /* do not verify TLS server x509 certificate */
 inttcpbuf_dropped = 0; /* count messages dropped from TCP or TLS */
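Review bot: `server_ctx`, `client_config` and `server_config` are declared without the explicit `= NULL` and without a comment, while every neighbouring global (`listen_host`, the replaced `tlsconfig`, `CAfile`, `NoVerify`) carries both, and two configs share one declaration line. Suggest one per line, e.g. `struct tls *server_ctx = NULL;   /* TLS listen context for -S */`, `struct tls_config *client_config = NULL; /* outgoing TLS connections; CAfile/NoVerify apply */` and `struct tls_config *server_config = NULL; /* -S listener; key and cert from /etc/ssl */`. The mapping of CAfile/NoVerify to the client config and of /etc/ssl to the server config follows the manual-page hunk and the existing comments here rather than anything visible in this hunk, so the wording should be checked against the code that builds the two configs. The rev 1.190 copy of this diff earlier in the thread contains the same hunk but is cut off in this rendering.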
@@ -273,12 +277,14 @@ size_tctl_reply_offset = 0;   /* Number o
 char