| #
18e6fc66 |
| 07-Nov-2024 |
bluhm <bluhm@openbsd.org> |
Move syslogd(8) TLS handshake callback from read to write handler.
syslogd should immediately detect that the incoming TLS handshake
is complete. The old logic detected it when the first log messag
Move syslogd(8) TLS handshake callback from read to write handler.
syslogd should immediately detect that the incoming TLS handshake
is complete. The old logic detected it when the first log message
over TLS was arriving. For now only a debug message is logged, but
the callback will be used to print the common name of the client
certificate in the future.
OK tb@
show more ...
|
| #
1d77af83 |
| 22-Mar-2022 |
bluhm <bluhm@openbsd.org> |
Call tls_close() in libevent TLS wrapper of syslogd when the other
side terminates the TLS connection. It results in a proper shutdown
and the TLS peer has a chance to detect errors. This is expeci
Call tls_close() in libevent TLS wrapper of syslogd when the other
side terminates the TLS connection. It results in a proper shutdown
and the TLS peer has a chance to detect errors. This is expecially
important for the client side. Due to the reduced TLS 1.3 handshake,
errors might be undetected and log messages dropped silently. By
doing a matching TLS shutdown on his side, the client can receive
the error.
Instead of checking socket writability and calling tls_close()
repeatedly, syslogd calls it only once. As the other side has
closed the connection anyway it is our turn to write the shutdown
message. Do not care about errors here and avoid complexity.
OK tb@
show more ...
|
| #
df69c215 |
| 28-Jun-2019 |
deraadt <deraadt@openbsd.org> |
When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if
When system calls indicate an error they return -1, not some arbitrary
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.
show more ...
|
| #
b28dfb31 |
| 04-Jul-2017 |
bluhm <bluhm@openbsd.org> |
It does not make sense to use ioctl(FIONREAD) with TLS as libtls
has already read the buffer from kernel to user land. I have blindly
copied this code from libevent for syslogd(8) TLS, remove it tog
It does not make sense to use ioctl(FIONREAD) with TLS as libtls
has already read the buffer from kernel to user land. I have blindly
copied this code from libevent for syslogd(8) TLS, remove it together
with the bug. It caused hangs in ldapd(8).
report, analysis, testing, OK Seiya Kawashima, Robert Klein, gsoares@
show more ...
|
| #
e63efc4e |
| 03-Mar-2017 |
bluhm <bluhm@openbsd.org> |
Internally libssl uses 16k buffer, the libevent TLS wrapper uses
4k read buffer. This can hang ldapd(8). Setting both to 16k
improves the situation.
report Seiya Kawashima; feedback Robert Klein; t
Internally libssl uses 16k buffer, the libevent TLS wrapper uses
4k read buffer. This can hang ldapd(8). Setting both to 16k
improves the situation.
report Seiya Kawashima; feedback Robert Klein; test and OK gsoares@
show more ...
|
| #
1cfd376a |
| 09-Oct-2015 |
bluhm <bluhm@openbsd.org> |
If syslogd is started with -S, it accepts TLS connections to receive
encrypted messages. The server certificates are taken from /etc/ssl
like relayd does.
OK benno@ beck@ deraadt@
|
| #
f770f76f |
| 20-Sep-2015 |
bluhm <bluhm@openbsd.org> |
Misuse of libevent in TLS read and write might have caused strange
event loss in syslogd. The ev_read and ev_write event structures
were used for both EV_READ and EV_WRITE events intermixedly. The
Misuse of libevent in TLS read and write might have caused strange
event loss in syslogd. The ev_read and ev_write event structures
were used for both EV_READ and EV_WRITE events intermixedly. The
correct way is to use each event for its read and write purpose and
instead switch the handler. Then libevent is no longer confused.
When doing TLS read and a TLS_WANT_POLLOUT occures, call event_set()
for the write event to change the callback to read. As there might
be an event scheduled on the event, call event_del() before
event_set(). After a successful TLS read, change back the write
event. Add analog code for TLS write and handshake.
OK beck@
show more ...
|
| #
ab571fa1 |
| 10-Sep-2015 |
bluhm <bluhm@openbsd.org> |
Convert syslogd TLS connect to use handshake callback. The bt_hostname
can go away as the callback does not need the hostname anymore.
Call tls_handshake() until successful. Remove the function
tls
Convert syslogd TLS connect to use handshake callback. The bt_hostname
can go away as the callback does not need the hostname anymore.
Call tls_handshake() until successful. Remove the function
tls_socket() as it has a bad prefix. Just call tls_client(),
tls_configure() and tls_connect_socket() after the TCP socket has
been created. There is no need to wait until TCP connect has
finished.
OK beck@ jsing@
show more ...
|
| #
65c6d236 |
| 10-Sep-2015 |
bluhm <bluhm@openbsd.org> |
Make syslogd compile again after recent libtls changes. Adapt to
new tls_read() and tls_write() calling semantics, adapt to
TLS_WANT_POLLIN and TLS_WANT_POLLOUT renaming.
OK beck@
|
| #
5edb47cb |
| 18-Jul-2015 |
bluhm <bluhm@openbsd.org> |
As libtls previously did not set SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER,
syslogd had to drop messages after tls_write() returned
TLS_{READ,WRITE}_AGAIN. Now after libtls has been fixed, remove
the work
As libtls previously did not set SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER,
syslogd had to drop messages after tls_write() returned
TLS_{READ,WRITE}_AGAIN. Now after libtls has been fixed, remove
the workaround. Messages are stored in the libevent write buffer
as we can safely do a realloc(3) now.
OK reyk@
show more ...
|
| #
d4d4d7d2 |
| 06-Jul-2015 |
millert <millert@openbsd.org> |
Remove some unneeded includes. OK deraadt@
|
| #
8fb5aed9 |
| 20-Feb-2015 |
bluhm <bluhm@openbsd.org> |
When syslogd is writing over TLS, the error "SSL3_WRITE_PENDING:bad
write retry" may occur. Unfortunately libtls tls_write() has
inherited the strange semantics regarding partial writes and buffer
m
When syslogd is writing over TLS, the error "SSL3_WRITE_PENDING:bad
write retry" may occur. Unfortunately libtls tls_write() has
inherited the strange semantics regarding partial writes and buffer
movement from SSL_write(). This will be investigated after unlock,
the goal is to have the behavior of write(2) in libtls.
For now add a workaround in syslogd. If tls_write() indicates that
it needs a read or write again, stop modifying the output buffer.
Instead drop and count the syslog messages. After writing over TLS
was successful, continue to queue the messages. This solution has
minimum inpact and will be improved after 5.7 release.
discussed with tedu@ reyk@ jsing@; OK tedu@
show more ...
|
| #
7c09be04 |
| 30-Jan-2015 |
bluhm <bluhm@openbsd.org> |
Start TLS after the TCP connect has finished. Call the TLS connect
callback when the connected socket is writable. This avoids calling
a NULL error callback.
OK deraadt@
|
| #
b60e1f73 |
| 18-Jan-2015 |
bluhm <bluhm@openbsd.org> |
Implement sending syslog messages over TLS.
OK reyk@
|