Re: syslogd validate client certificates

Fri, 09 Sep 2016 15:38:33 -0700 

On Mon, Sep 05, 2016 at 03:25:22AM +0200, Alexander Bluhm wrote:
> Hi,
> 
> Add an option to give syslogd a server CA that is used to validate
> client certificates.  This prevent that malicious clients can send
> fake messages.
> 
> ok?

Anyone?

> 
> bluhm
> 
> Index: usr.sbin/syslogd/syslogd.8
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/syslogd.8,v
> retrieving revision 1.42
> diff -u -p -r1.42 syslogd.8
> --- usr.sbin/syslogd/syslogd.8        12 Jul 2016 23:04:30 -0000      1.42
> +++ usr.sbin/syslogd/syslogd.8        5 Sep 2016 01:18:00 -0000
> @@ -44,6 +44,7 @@
>  .Op Fl C Ar CAfile
>  .Op Fl c Ar cert_file
>  .Op Fl f Ar config_file
> +.Op Fl K Ar server_CAfile
>  .Op Fl k Ar key_file
>  .Op Fl m Ar mark_interval
>  .Op Fl p Ar log_socket
> @@ -83,6 +84,11 @@ PEM encoded file containing CA certifica
>  validation;
>  the default is
>  .Pa /etc/ssl/cert.pem .
> +Validate remote server certificates and their hostnames with this
> +CA to prevent that malicious servers read messages.
> +This validation can be explicitly turned off using the
> +.Fl V
> +switch.
>  .It Fl c Ar cert_file
>  PEM encoded file containing the client certificate for TLS connections
>  to a remote host.
> @@ -102,6 +108,12 @@ the default is
>  .Pa /etc/syslog.conf .
>  .It Fl h
>  Include the hostname when forwarding messages to a remote host.
> +.It Fl K Ar server_CAfile
> +PEM encoded file containing CA certificates used for certificate
> +valitation on the local server socket.
> +By default incomming connections from any TLS server are allowed.
> +Enforce client certificates and validate them with this CA to prevent
> +that malicious clients send fake messages.
>  .It Fl k Ar key_file
>  PEM encoded file containing the client private key for TLS connections
>  to a remote host.
> @@ -170,7 +182,8 @@ accept input from the UDP port.
>  Some software wants this, but you can be subjected to a variety of
>  attacks over the network, including attackers remotely filling logs.
>  .It Fl V
> -Do not perform server certificate and hostname validation.
> +Do not perform remote server certificate and hostname validation
> +when sending messages.
>  .El
>  .Pp
>  .Nm
> Index: usr.sbin/syslogd/syslogd.c
> ===================================================================
> RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/syslogd.c,v
> retrieving revision 1.212
> diff -u -p -r1.212 syslogd.c
> --- usr.sbin/syslogd/syslogd.c        29 Aug 2016 20:31:56 -0000      1.212
> +++ usr.sbin/syslogd/syslogd.c        5 Sep 2016 01:20:06 -0000
> @@ -225,8 +225,9 @@ struct    tls *server_ctx;
>  struct       tls_config *client_config, *server_config;
>  const char *CAfile = "/etc/ssl/cert.pem"; /* file containing CA certificates 
> */
>  int  NoVerify = 0;           /* do not verify TLS server x509 certificate */
> -char *ClientCertfile = NULL;
> -char *ClientKeyfile = NULL;
> +const char *ClientCertfile = NULL;
> +const char *ClientKeyfile = NULL;
> +const char *ServerCAfile = NULL;
>  int  tcpbuf_dropped = 0;     /* count messages dropped from TCP or TLS */
>  
>  #define CTL_READING_CMD              1
> @@ -356,7 +357,7 @@ main(int argc, char *argv[])
>       int              ch, i;
>       int              lockpipe[2] = { -1, -1}, pair[2], nullfd, fd;
>  
> -     while ((ch = getopt(argc, argv, "46a:C:c:dFf:hk:m:np:S:s:T:U:uV"))
> +     while ((ch = getopt(argc, argv, "46a:C:c:dFf:hK:k:m:np:S:s:T:U:uV"))
>           != -1)
>               switch (ch) {
>               case '4':               /* disable IPv6 */
> @@ -388,6 +389,9 @@ main(int argc, char *argv[])
>               case 'h':               /* RFC 3164 hostnames */
>                       IncludeHostname = 1;
>                       break;
> +             case 'K':               /* verify client with CA file */
> +                     ServerCAfile = optarg;
> +                     break;
>               case 'k':               /* file containing client key */
>                       ClientKeyfile = optarg;
>                       break;
> @@ -625,6 +629,17 @@ main(int argc, char *argv[])
>                       break;
>               }
>  
> +             if (ServerCAfile) {
> +                     if (tls_config_set_ca_file(server_config,
> +                         ServerCAfile) == -1) {
> +                             logerrortlsconf("Load server TLS CA failed",
> +                                 server_config);
> +                             /* avoid reading default certs in chroot */
> +                             tls_config_set_ca_mem(server_config, "", 0);
> +                     } else
> +                             logdebug("Server CAfile %s\n", ServerCAfile);
> +                     tls_config_verify_client(server_config);
> +             }
>               tls_config_set_protocols(server_config, TLS_PROTOCOLS_ALL);
>               if (tls_config_set_ciphers(server_config, "compat") != 0)
>                       logerrortlsconf("Set server TLS ciphers failed",
> @@ -1453,9 +1468,9 @@ usage(void)
>  
>       (void)fprintf(stderr,
>           "usage: syslogd [-46dFhnuV] [-a path] [-C CAfile] [-c cert_file]\n"
> -         "\t[-f config_file] [-k key_file] [-m mark_interval]\n"
> -         "\t[-p log_socket] [-S listen_address] [-s reporting_socket]\n"
> -         "\t[-T listen_address] [-U bind_address]\n");
> +         "\t[-f config_file] [-K server_CAfile] [-k key_file]\n"
> +         "\t[-m mark_interval] [-p log_socket] [-S listen_address]\n"
> +         "\t[-s reporting_socket] [-T listen_address] [-U bind_address]\n");
>       exit(1);
>  }
>

Reply via email to