On 27/06/16 02:02, Alexander Bluhm wrote:
> On Thu, Jun 23, 2016 at 07:52:06PM +0300, Kapetanakis Giannis wrote:
>> On 23/06/16 18:14, Kapetanakis Giannis wrote:
>>> It adds two switches:
>>>  -c client_cert_file
>>>  -k client_key_file
> 
> That's fine.
> 
>>> Minor modification in CAfile setup as well to match the netcat code.
> 
> Please do not change that now.  There is a diff for libtls and
> syslogd floating around that will make the code much simpler.
> ...
> bluhm

Thanks for the comments.
New version with all the requested changes.
ok?

Giannis

Index: syslogd.8
===================================================================
RCS file: /cvs/src/usr.sbin/syslogd/syslogd.8,v
retrieving revision 1.40
diff -u -p -r1.40 syslogd.8
--- syslogd.8   31 Mar 2016 15:53:25 -0000      1.40
+++ syslogd.8   27 Jun 2016 13:53:50 -0000
@@ -42,7 +42,9 @@
 .Op Fl 46dFhnuV
 .Op Fl a Ar path
 .Op Fl C Ar CAfile
+.Op Fl c Ar cert_file
 .Op Fl f Ar config_file
+.Op Fl k Ar key_file
 .Op Fl m Ar mark_interval
 .Op Fl p Ar log_socket
 .Op Fl S Ar listen_address
@@ -81,6 +83,9 @@ PEM encoded file containing CA certifica
 validation;
 the default is
 .Pa /etc/ssl/cert.pem .
+.It Fl c Ar cert_file
+PEM encoded file containing the client certificate for TLS connection
+to a remote host. The default is not to use a certificate.
 .It Fl d
 Enable debugging to the standard output,
 and do not disassociate from the controlling terminal.
@@ -93,6 +98,9 @@ the default is
 .Pa /etc/syslog.conf .
 .It Fl h
 Include the hostname when forwarding messages to a remote host.
+.It Fl k Ar key_file
+PEM encoded file containing the client private key for TLS connection
+to a remote host.
 .It Fl m Ar mark_interval
 Select the number of minutes between
 .Dq mark
Index: syslogd.c
===================================================================
RCS file: /cvs/src/usr.sbin/syslogd/syslogd.c,v
retrieving revision 1.205
diff -u -p -r1.205 syslogd.c
--- syslogd.c   2 Apr 2016 19:55:10 -0000       1.205
+++ syslogd.c   27 Jun 2016 13:53:51 -0000
@@ -225,6 +225,8 @@ struct      tls *server_ctx;
 struct tls_config *client_config, *server_config;
 const char *CAfile = "/etc/ssl/cert.pem"; /* file containing CA certificates */
 int    NoVerify = 0;           /* do not verify TLS server x509 certificate */
+char   *ClientCertfile = NULL;
+char   *ClientKeyfile = NULL;
 int    tcpbuf_dropped = 0;     /* count messages dropped from TCP or TLS */
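Review bot: The two new globals are declared as plain `char *` while the neighbouring `CAfile` (a few lines up in the same hunk) is `const char *` with a trailing comment describing what the file holds; both new variables only ever receive `optarg`, so they can be `const` too. Suggest `const char *ClientCertfile = NULL; /* file containing client certificate */` and `const char *ClientKeyfile = NULL;  /* file containing client private key */` to match the surrounding declarations.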
 
 #define CTL_READING_CMD                1
@@ -353,7 +355,7 @@ main(int argc, char *argv[])
        int              ch, i;
        int              lockpipe[2] = { -1, -1}, pair[2], nullfd, fd;
 
-       while ((ch = getopt(argc, argv, "46a:C:dFf:hm:np:S:s:T:U:uV")) != -1)
+       while ((ch = getopt(argc, argv, "46a:C:c:dFf:hk:m:np:S:s:T:U:uV")) != 
-1)
                switch (ch) {
                case '4':               /* disable IPv6 */
                        Family = PF_INET;
@@ -369,6 +371,9 @@ main(int argc, char *argv[])
                case 'C':               /* file containing CA certificates */
                        CAfile = optarg;
                        break;
+               case 'c':               /* file containing client certificate */
+                       ClientCertfile = optarg;        
+                       break;
                case 'd':               /* debug */
                        Debug++;
                        break;
@@ -381,6 +386,9 @@ main(int argc, char *argv[])
                case 'h':               /* RFC 3164 hostnames */
                        IncludeHostname = 1;
                        break;
+               case 'k':               /* file containing client key */
+                       ClientKeyfile = optarg; 
+                       break;
                case 'm':               /* mark interval */
                        MarkInterval = strtonum(optarg, 0, 365*24*60, &errstr);
                        if (errstr)
@@ -582,6 +590,31 @@ main(int argc, char *argv[])
                        free(p);
                        close(fd);
                }
+               if (ClientCertfile && ClientKeyfile) {
+                       uint8_t *clientcert, *clientkey;
+                       size_t clientcertlen, clientkeylen;
+
+                       clientcert = tls_load_file(ClientCertfile, 
&clientcertlen, NULL);
+                       if (clientcert == NULL) {
+                               logerror("unable to load client TLS certificate 
file");
+                       } else if (tls_config_set_cert_mem(client_config, 
clientcert,
+                           clientcertlen) == -1) {
+                               logerror("unable to set client TLS certificate 
file");
+                       } else {
+                               logdebug("Client cert_file %s\n", 
ClientCertfile);
+                       }
+                       clientkey = tls_load_file(ClientKeyfile, &clientkeylen, 
NULL);
+                       if (clientkey == NULL) {
+                               logerror("unable to load client TLS key file");
+                       } else if (tls_config_set_key_mem(client_config, 
clientkey,
+                           clientkeylen) == -1) {
+                               logerror("unable to set client TLS key file");
+                       } else {
+                               logdebug("Client key_file %s\n", ClientKeyfile);
+                       }
+               } else if (ClientCertfile || ClientKeyfile) {
+                       logerrorx("options -c and -k must be used together");
+               }
                tls_config_set_protocols(client_config, TLS_PROTOCOLS_ALL);
                if (tls_config_set_ciphers(client_config, "compat") != 0)
                        logerror("tls set client ciphers");
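Review bot: The buffers returned by `tls_load_file()` for the client certificate and, more importantly, the private key are never freed or cleared after `tls_config_set_cert_mem()`/`tls_config_set_key_mem()` have taken their copy, so a long-running syslogd keeps a second plaintext copy of the key on the heap for its whole lifetime. The key should be wiped with `explicit_bzero(clientkey, clientkeylen)` and both buffers freed once the config calls have returned (on the error paths as well). A second point is that cert and key are handled independently: if the key file fails to load or set, the certificate has already been installed into `client_config` and the daemon continues with a half-configured keypair, and only a `logerror` records it; loading both first and installing them only when both succeeded avoids that state. Whether a bad `-c`/`-k` pair should be fatal like other option errors in `main()` (not visible here) is a design choice, but the `logerrorx("options -c and -k must be used together")` branch that just continues looks like it was meant to be an `errx`. The enclosing block of `main()` continues outside this hunk.
```c
		if (ClientCertfile && ClientKeyfile) {
			uint8_t *clientcert, *clientkey;
			size_t clientcertlen, clientkeylen;

			clientcert = tls_load_file(ClientCertfile,
			    &clientcertlen, NULL);
			clientkey = tls_load_file(ClientKeyfile,
			    &clientkeylen, NULL);
			if (clientcert == NULL || clientkey == NULL) {
				logerror("unable to load client TLS "
				    "certificate or key file");
			} else if (tls_config_set_cert_mem(client_config,
			    clientcert, clientcertlen) == -1 ||
			    tls_config_set_key_mem(client_config,
			    clientkey, clientkeylen) == -1) {
				logerror("unable to set client TLS "
				    "certificate or key");
			} else {
				logdebug("Client cert_file %s, key_file %s\n",
				    ClientCertfile, ClientKeyfile);
			}
			/* libtls keeps its own copy; drop ours, key first. */
			if (clientkey != NULL)
				explicit_bzero(clientkey, clientkeylen);
			free(clientkey);
			free(clientcert);
		} else if (ClientCertfile || ClientKeyfile) {
			/* … unchanged: -c/-k mismatch message … */
		}
```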
@@ -1483,9 +1516,10 @@ usage(void)
 {
 
        (void)fprintf(stderr,
-           "usage: syslogd [-46dFhnuV] [-a path] [-C CAfile] [-f 
config_file]\n"
-           "               [-m mark_interval] [-p log_socket] [-S 
listen_address]\n"
-           "               [-s reporting_socket] [-T listen_address] [-U 
bind_address]\n");
+           "usage: syslogd [-46dFhnuV] [-a path] [-C CAfile] [-c cert_file]\n"
+           "               [-f config_file] [-k key_file] [-m mark_interval]\n"
+           "               [-p log_socket] [-S listen_address] [-s 
reporting_socket]\n"
+           "               [-T listen_address] [-U bind_address]\n");   
        exit(1);
 }
 


