Re: Can s6-tlsd use openssl, rather than libressl?
> Thanks to Ilaia's email, I looked into using s6-tlsd, but I'm a bit confused about what libraries are needed, and hopefully not libressl?

s6-networking can be built against either bearssl or libressl; it's a choice you make at configure time. LibreSSL was chosen, you guessed it, because of libtls, which is a half-decent, workable API, whereas the OpenSSL API is just not. There will never be an OpenSSL version.

If you won't use LibreSSL, then you should build s6-networking against BearSSL instead; it is by far the best choice anyway, and if you're already using it in boot code, there's no reason why you can't use it in userland code. :)

-- Laurent
Re: s6-tlsd immediately sending EOF during TLS handshake
> s6-tcpserver4d: info: end pid 29407 ip [redacted] signal 11

"signal 11" is a segfault, so you may have found a bug in s6-tlsd, but I haven't managed to reproduce it. Did you build s6-networking against bearssl or libressl, and which version are you using? Can you please do a "strace -vf -s 256" of your command line, and pastebin it somewhere? That would help pinpoint where the segfault is happening and what led to it. Thanks!

On an unrelated note, your server command line should end with something like "cat" instead of "exit 0" if you want to test that it echoes what the client is sending. :)

-- Laurent
Can s6-tlsd use openssl, rather than libressl?
Thanks to Ilaia's email, I looked into using s6-tlsd, but I'm a bit confused about what libraries are needed, and hopefully not libressl?

https://www.skarnet.org/software/s6-networking/ indicates a dependency on stls and sbearssl.
https://www.skarnet.org/software/s6-networking/libstls/ requires libressl.
https://www.skarnet.org/software/s6-networking/libsbearssl/ requires bearssl.

We tried to use libressl for approx 8 months after heartbleed, but there were too many incompatibilities with other applications' Makefiles, which may have been fixed over the last 2 years? Now we're locked into openssl, and bearssl is only used in boot code.

Does anyone use s6-networking with only openssl, or better, does anyone use s6-networking on a BSD (I'm FreeBSD based) which uses openssl by default? (If s6-* has libtls as a dependency, that's a showstopper.)

Regards, Dewayne.
s6-tlsd immediately sending EOF during TLS handshake
Note: I'm running the current stable releases of skalibs and s6-*. It's all statically linked, against musl, if that might be relevant.

To give an example minimal usage, running

    $(which export) CERTFILE /etc/letsencrypt/live/$REDACTED/fullchain.pem \
    $(which export) KEYFILE /etc/letsencrypt/live/$REDACTED/privkey.pem \
    s6-tlsserver -v -- 0.0.0.0 443 exit 0

on the server, and

    CADIR=/etc/ssl/certs s6-tlsclient $REDACTED 443 s6-ioconnect

on the client, the client reports

> s6-tlsc: fatal: unable to perform SSL handshake: handshake failed: unexpected EOF

and the server reports

> s6-tcpserver4d: info: starting
> s6-tcpserver4d: info: status: 0/40!
> s6-tcpserver4d: info: allow [redacted]:42623 pid 29407 count 1/40
> s6-tcpserver4d: info: status: 1/40
> s6-tcpserver4d: info: end pid 29407 ip [redacted] signal 11
> s6-tcpserver4d: info: status: 0/40

Far as I can tell this is undocumented behavior (hell, exiting 11 isn't even in the s6-tlsd source!), so I believe I have run into a Mysterious Bug. (Of course, there is always that distinct possibility I just don't know what I'm doing...)

If providing sysdeps might be useful:

    clockrt: yes
    clockmon: yes
    clockboot: yes
    posixspawn: yes
    timer: yes
    endianness: little
    sizeofushort: 2
    sizeofuint: 4
    sizeofulong: 8
    signedsize: no
    sizeofsize: 8
    signeduid: no
    sizeofuid: 4
    signedgid: no
    sizeofgid: 4
    signedpid: yes
    sizeofpid: 4
    signedtime: yes
    sizeoftime: 8
    signeddev: no
    sizeofdev: 8
    signedino: no
    sizeofino: 8
    accept4: yes
    cmsgcloexec: yes
    dirfd: yes
    eventfd: yes
    flock: yes
    getrandom: yes
    getpeereid: no
    sopeercred: yes
    getpeerucred: no
    ipv6: yes
    msgdontwait: yes
    odirectory: yes
    openat: yes
    linkat: yes
    memmem: yes
    pipe2: yes
    ppoll: yes
    revoke: no
    sendfile: yes
    setgroups: yes
    settimeofday: yes
    signalfd: yes
    splice: yes
    strcasestr: yes
    strnlen: yes
    uint64t: yes
    futimens: yes
    futimes: yes
    arc4random: no
    arc4random_addrandom: no
    itimer: yes
    namespaces: yes
    nsgetparent: yes
    explicit_bzero: yes
    devurandom: yes
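The reproduction above, rewritten the way Laurent's reply asks for it (service program "cat" so the connection actually echoes, the server run under "strace -vf -s 256"), plus a small check that flags a crashed child from the s6-tcpserver4d "end pid" lines. This is an added example, not code from the thread or from s6-networking; it assumes s6-networking is installed, and DOMAIN, CERT, KEY, PORT and STRACE_OUT are placeholders to be replaced.

```shell
#!/bin/sh
# Added example (not from the thread or from s6-networking).
# Assumes s6-tlsserver/s6-tlsclient/s6-ioconnect and strace are on PATH;
# DOMAIN, CERT, KEY, PORT and STRACE_OUT are placeholders.
DOMAIN="${DOMAIN:-example.invalid}"
CERT="${CERT:-/etc/letsencrypt/live/$DOMAIN/fullchain.pem}"
KEY="${KEY:-/etc/letsencrypt/live/$DOMAIN/privkey.pem}"
PORT="${PORT:-443}"
STRACE_OUT="${STRACE_OUT:-/tmp/s6-tlsd.strace}"

# Return the signal number from an s6-tcpserver4d "end pid ... signal N"
# line, or the empty string when the line does not report a signal.
end_line_signal() {
  case "$1" in
    *" signal "*) echo "${1##* signal }" ;;
    *) echo "" ;;
  esac
}

# Name the signals that matter most when triaging a dead s6-tlsd child.
signal_name() {
  case "$1" in
    11) echo SIGSEGV ;;
    6)  echo SIGABRT ;;
    *)  echo "signal $1" ;;
  esac
}

# Start the server under strace with "cat" as the service program, make one
# client connection that sends a line through s6-ioconnect, stop the server,
# then scan its log for children that died from a signal.
run_echo_test() {
  CERTFILE="$CERT" KEYFILE="$KEY" \
    strace -vf -s 256 -o "$STRACE_OUT" \
    s6-tlsserver -v -- 0.0.0.0 "$PORT" cat 2>server.log &
  server=$!
  sleep 1
  printf 'ping\n' | CADIR=/etc/ssl/certs s6-tlsclient "$DOMAIN" "$PORT" s6-ioconnect
  kill "$server"
  grep ' end pid ' server.log | while read -r line; do
    sig=$(end_line_signal "$line")
    if [ -n "$sig" ]; then
      echo "child died with $(signal_name "$sig"); trace is in $STRACE_OUT"
    fi
  done
}

# Only run the network test when explicitly asked: "sh this.sh run".
if [ "${1:-}" = run ]; then
  run_echo_test
fi
```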