| author | tb <> | 2020-01-23 03:53:39 +0000 |
|---|---|---|
| committer | tb <> | 2020-01-23 03:53:39 +0000 |
| commit | 130f32cc7004f9434c10db4fc8a7e8b1db9082a5 (patch) | |
| tree | 4d9d69b009f469def034872876e1caec106f28a1 /src/lib/libssl/man/SSL_CTX_set_generate_session_id.3 | |
| parent | 61fedc0310a1ba6f15f2242f24fbba7b3b8d3d8f (diff) | |

The X509_LOOKUP code tries to grope around in /etc/ssl/cert/ to find
CA certs it couldn't find otherwise. This may lead to a pledge rpath
violation reported by Kor, son of Rynar. Unfortunately, providing certs
inside a directory is common in linuxes, so we need to keep this
functionality for portable.

Check if /etc/ssl/cert.pem and /etc/ssl/cert exist and pledge
accordingly. Add unveils to restrict this program further on a
default OpenBSD install. Fix -C to look only inside the provided
root bundle.

Input from jsing and sthen, tests by sthen and Kor

ok beck, jsing, sthen (after much back and forth)

Diffstat (limited to 'src/lib/libssl/man/SSL_CTX_set_generate_session_id.3')
0 files changed, 0 insertions, 0 deletions
