Re: syslogd validate client certificates
On Mon, Sep 05, 2016 at 03:25:22AM +0200, Alexander Bluhm wrote:
> Hi,
>
> Add an option to give syslogd a server CA that is used to validate
> client certificates. This prevent that malicious clients can send
> fake messages.
>
> ok?
Could anyone have a look at the validation code. I will create nicer man page together with jmc@ afterwards. bluhm
>
> bluhm
>
> Index: usr.sbin/syslogd/syslogd.8
> ===
> RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/syslogd.8,v
> retrieving revision 1.42
> diff -u -p -r1.42 syslogd.8
> --- usr.sbin/syslogd/syslogd.812 Jul 2016 23:04:30 - 1.42
> +++ usr.sbin/syslogd/syslogd.85 Sep 2016 01:18:00 -
> @@ -44,6 +44,7 @@
> .Op Fl C Ar CAfile
> .Op Fl c Ar cert_file
> .Op Fl f Ar config_file
> +.Op Fl K Ar server_CAfile
> .Op Fl k Ar key_file
> .Op Fl m Ar mark_interval
> .Op Fl p Ar log_socket
> @@ -83,6 +84,11 @@ PEM encoded file containing CA certifica
> validation;
> the default is
> .Pa /etc/ssl/cert.pem .
> +Validate remote server certificates and their hostnames with this
> +CA to prevent that malicious servers read messages.
> +This validation can be explicitly turned off using the
> +.Fl V
> +switch.
> .It Fl c Ar cert_file
> PEM encoded file containing the client certificate for TLS connections
> to a remote host.
> @@ -102,6 +108,12 @@ the default is
> .Pa /etc/syslog.conf .
> .It Fl h
> Include the hostname when forwarding messages to a remote host.
> +.It Fl K Ar server_CAfile
> +PEM encoded file containing CA certificates used for certificate
> +valitation on the local server socket.
> +By default incomming connections from any TLS server are allowed.
> +Enforce client certificates and validate them with this CA to prevent
> +that malicious clients send fake messages.
> .It Fl k Ar key_file
> PEM encoded file containing the client private key for TLS connections
> to a remote host.
> @@ -170,7 +182,8 @@ accept input from the UDP port.
> Some software wants this, but you can be subjected to a variety of
> attacks over the network, including attackers remotely filling logs.
> .It Fl V
> -Do not perform server certificate and hostname validation.
> +Do not perform remote server certificate and hostname validation
> +when sending messages.
> .El
> .Pp
> .Nm
> Index: usr.sbin/syslogd/syslogd.c
> ===
> RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/syslogd.c,v
> retrieving revision 1.212
> diff -u -p -r1.212 syslogd.c
> --- usr.sbin/syslogd/syslogd.c29 Aug 2016 20:31:56 - 1.212
> +++ usr.sbin/syslogd/syslogd.c5 Sep 2016 01:20:06 -
> @@ -225,8 +225,9 @@ structtls *server_ctx;
> struct tls_config *client_config, *server_config;
> const char *CAfile = "/etc/ssl/cert.pem"; /* file containing CA certificates
> */
> int NoVerify = 0; /* do not verify TLS server x509 certificate */
> -char *ClientCertfile = NULL;
> -char *ClientKeyfile = NULL;
> +const char *ClientCertfile = NULL;
> +const char *ClientKeyfile = NULL;
> +const char *ServerCAfile = NULL;
> int tcpbuf_dropped = 0; /* count messages dropped from TCP or TLS */
>
> #define CTL_READING_CMD 1
> @@ -356,7 +357,7 @@ main(int argc, char *argv[])
> int ch, i;
> int lockpipe[2] = { -1, -1}, pair[2], nullfd, fd;
>
> - while ((ch = getopt(argc, argv, "46a:C:c:dFf:hk:m:np:S:s:T:U:uV"))
> + while ((ch = getopt(argc, argv, "46a:C:c:dFf:hK:k:m:np:S:s:T:U:uV"))
> != -1)
> switch (ch) {
> case '4': /* disable IPv6 */
> @@ -388,6 +389,9 @@ main(int argc, char *argv[])
> case 'h': /* RFC 3164 hostnames */
> IncludeHostname = 1;
> break;
> + case 'K': /* verify client with CA file */
> + ServerCAfile = optarg;
> + break;
> case 'k': /* file containing client key */
> ClientKeyfile = optarg;
> break;
> @@ -625,6 +629,17 @@ main(int argc, char *argv[])
> break;
> }
>
> + if (ServerCAfile) {
> + if (tls_config_set_ca_file(server_config,
> + ServerCAfile) == -1) {
> + logerrortlsconf("Load server TLS CA failed",
> + server_config);
> + /* avoid reading default certs in chroot */
> + tls_config_set_ca_mem(server_config, "", 0);
> + } else
> + logdebug("Server CAfile %s\n", ServerCAfile);
> + tls_config_verify_client(server_config);
> + }
>
Re: syslogd validate client certificates
On Mon, Sep 05, 2016 at 03:25:22AM +0200, Alexander Bluhm wrote:
> Hi,
>
> Add an option to give syslogd a server CA that is used to validate
> client certificates. This prevent that malicious clients can send
> fake messages.
>
> ok?
Anyone?
>
> bluhm
>
> Index: usr.sbin/syslogd/syslogd.8
> ===
> RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/syslogd.8,v
> retrieving revision 1.42
> diff -u -p -r1.42 syslogd.8
> --- usr.sbin/syslogd/syslogd.812 Jul 2016 23:04:30 - 1.42
> +++ usr.sbin/syslogd/syslogd.85 Sep 2016 01:18:00 -
> @@ -44,6 +44,7 @@
> .Op Fl C Ar CAfile
> .Op Fl c Ar cert_file
> .Op Fl f Ar config_file
> +.Op Fl K Ar server_CAfile
> .Op Fl k Ar key_file
> .Op Fl m Ar mark_interval
> .Op Fl p Ar log_socket
> @@ -83,6 +84,11 @@ PEM encoded file containing CA certifica
> validation;
> the default is
> .Pa /etc/ssl/cert.pem .
> +Validate remote server certificates and their hostnames with this
> +CA to prevent that malicious servers read messages.
> +This validation can be explicitly turned off using the
> +.Fl V
> +switch.
> .It Fl c Ar cert_file
> PEM encoded file containing the client certificate for TLS connections
> to a remote host.
> @@ -102,6 +108,12 @@ the default is
> .Pa /etc/syslog.conf .
> .It Fl h
> Include the hostname when forwarding messages to a remote host.
> +.It Fl K Ar server_CAfile
> +PEM encoded file containing CA certificates used for certificate
> +valitation on the local server socket.
> +By default incomming connections from any TLS server are allowed.
> +Enforce client certificates and validate them with this CA to prevent
> +that malicious clients send fake messages.
> .It Fl k Ar key_file
> PEM encoded file containing the client private key for TLS connections
> to a remote host.
> @@ -170,7 +182,8 @@ accept input from the UDP port.
> Some software wants this, but you can be subjected to a variety of
> attacks over the network, including attackers remotely filling logs.
> .It Fl V
> -Do not perform server certificate and hostname validation.
> +Do not perform remote server certificate and hostname validation
> +when sending messages.
> .El
> .Pp
> .Nm
> Index: usr.sbin/syslogd/syslogd.c
> ===
> RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/syslogd.c,v
> retrieving revision 1.212
> diff -u -p -r1.212 syslogd.c
> --- usr.sbin/syslogd/syslogd.c29 Aug 2016 20:31:56 - 1.212
> +++ usr.sbin/syslogd/syslogd.c5 Sep 2016 01:20:06 -
> @@ -225,8 +225,9 @@ structtls *server_ctx;
> struct tls_config *client_config, *server_config;
> const char *CAfile = "/etc/ssl/cert.pem"; /* file containing CA certificates
> */
> int NoVerify = 0; /* do not verify TLS server x509 certificate */
> -char *ClientCertfile = NULL;
> -char *ClientKeyfile = NULL;
> +const char *ClientCertfile = NULL;
> +const char *ClientKeyfile = NULL;
> +const char *ServerCAfile = NULL;
> int tcpbuf_dropped = 0; /* count messages dropped from TCP or TLS */
>
> #define CTL_READING_CMD 1
> @@ -356,7 +357,7 @@ main(int argc, char *argv[])
> int ch, i;
> int lockpipe[2] = { -1, -1}, pair[2], nullfd, fd;
>
> - while ((ch = getopt(argc, argv, "46a:C:c:dFf:hk:m:np:S:s:T:U:uV"))
> + while ((ch = getopt(argc, argv, "46a:C:c:dFf:hK:k:m:np:S:s:T:U:uV"))
> != -1)
> switch (ch) {
> case '4': /* disable IPv6 */
> @@ -388,6 +389,9 @@ main(int argc, char *argv[])
> case 'h': /* RFC 3164 hostnames */
> IncludeHostname = 1;
> break;
> + case 'K': /* verify client with CA file */
> + ServerCAfile = optarg;
> + break;
> case 'k': /* file containing client key */
> ClientKeyfile = optarg;
> break;
> @@ -625,6 +629,17 @@ main(int argc, char *argv[])
> break;
> }
>
> + if (ServerCAfile) {
> + if (tls_config_set_ca_file(server_config,
> + ServerCAfile) == -1) {
> + logerrortlsconf("Load server TLS CA failed",
> + server_config);
> + /* avoid reading default certs in chroot */
> + tls_config_set_ca_mem(server_config, "", 0);
> + } else
> + logdebug("Server CAfile %s\n", ServerCAfile);
> + tls_config_verify_client(server_config);
> + }
> tls_config_set_protocols(server_config, TLS_PROTOCOLS_ALL);
> if (tls_config_set_ciphers(server_config, "compat")
syslogd validate client certificates
Hi,
Add an option to give syslogd a server CA that is used to validate
client certificates. This prevent that malicious clients can send
fake messages.
ok?
bluhm
Index: usr.sbin/syslogd/syslogd.8
===
RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/syslogd.8,v
retrieving revision 1.42
diff -u -p -r1.42 syslogd.8
--- usr.sbin/syslogd/syslogd.8 12 Jul 2016 23:04:30 - 1.42
+++ usr.sbin/syslogd/syslogd.8 5 Sep 2016 01:18:00 -
@@ -44,6 +44,7 @@
 .Op Fl C Ar CAfile
 .Op Fl c Ar cert_file
 .Op Fl f Ar config_file
+.Op Fl K Ar server_CAfile
 .Op Fl k Ar key_file
 .Op Fl m Ar mark_interval
 .Op Fl p Ar log_socket
@@ -83,6 +84,11 @@ PEM encoded file containing CA certifica
 validation;
 the default is
 .Pa /etc/ssl/cert.pem .
+Validate remote server certificates and their hostnames with this
+CA to prevent that malicious servers read messages.
+This validation can be explicitly turned off using the
+.Fl V
+switch.
 .It Fl c Ar cert_file
 PEM encoded file containing the client certificate for TLS connections
 to a remote host.
@@ -102,6 +108,12 @@ the default is
 .Pa /etc/syslog.conf .
 .It Fl h
 Include the hostname when forwarding messages to a remote host.
+.It Fl K Ar server_CAfile
+PEM encoded file containing CA certificates used for certificate
+valitation on the local server socket.
+By default incomming connections from any TLS server are allowed.
+Enforce client certificates and validate them with this CA to prevent
+that malicious clients send fake messages.
 .It Fl k Ar key_file
 PEM encoded file containing the client private key for TLS connections
 to a remote host.
@@ -170,7 +182,8 @@ accept input from the UDP port.
 Some software wants this, but you can be subjected to a variety of
 attacks over the network, including attackers remotely filling logs.
 .It Fl V
-Do not perform server certificate and hostname validation.
+Do not perform remote server certificate and hostname validation
+when sending messages.
 .El
 .Pp
 .Nm
Index: usr.sbin/syslogd/syslogd.c
===
RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/syslogd.c,v
retrieving revision 1.212
diff -u -p -r1.212 syslogd.c
--- usr.sbin/syslogd/syslogd.c 29 Aug 2016 20:31:56 - 1.212
+++ usr.sbin/syslogd/syslogd.c 5 Sep 2016 01:20:06 -
@@ -225,8 +225,9 @@ struct tls *server_ctx;
 struct tls_config *client_config, *server_config;
 const char *CAfile = "/etc/ssl/cert.pem"; /* file containing CA certificates */
 intNoVerify = 0; /* do not verify TLS server x509 certificate */
-char *ClientCertfile = NULL;
-char *ClientKeyfile = NULL;
+const char *ClientCertfile = NULL;
+const char *ClientKeyfile = NULL;
+const char *ServerCAfile = NULL;
 inttcpbuf_dropped = 0; /* count messages dropped from TCP or TLS */
 #define CTL_READING_CMD1
@@ -356,7 +357,7 @@ main(int argc, char *argv[])
 int ch, i;
 int lockpipe[2] = { -1, -1}, pair[2], nullfd, fd;
- while ((ch = getopt(argc, argv, "46a:C:c:dFf:hk:m:np:S:s:T:U:uV"))
+ while ((ch = getopt(argc, argv, "46a:C:c:dFf:hK:k:m:np:S:s:T:U:uV"))
 != -1)
 switch (ch) {
 case '4': /* disable IPv6 */
@@ -388,6 +389,9 @@ main(int argc, char *argv[])
 case 'h': /* RFC 3164 hostnames */
 IncludeHostname = 1;
 break;
+ case 'K': /* verify client with CA file */
+ ServerCAfile = optarg;
+ break;
 case 'k': /* file containing client key */
 ClientKeyfile = optarg;
 break;
@@ -625,6 +629,17 @@ main(int argc, char *argv[])
 break;
 }
+ if (ServerCAfile) {
+ if (tls_config_set_ca_file(server_config,
+ ServerCAfile) == -1) {
+ logerrortlsconf("Load server TLS CA failed",
+ server_config);
+ /* avoid reading default certs in chroot */
+ tls_config_set_ca_mem(server_config, "", 0);
+ } else
+ logdebug("Server CAfile %s\n", ServerCAfile);
+ tls_config_verify_client(server_config);
+ }
 tls_config_set_protocols(server_config, TLS_PROTOCOLS_ALL);
 if (tls_config_set_ciphers(server_config, "compat") != 0)
 logerrortlsconf("Set server TLS ciphers failed",
@@ -1453,9 +1468,9 @@ usage(void)
 (void)fprintf(stderr,
 "usage: syslogd [-46dFhnuV] [-a path] [-C CAfile] [-c cert_file]\n"
- "\t[-f config_file] [-k
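Review bot: In the `if (ServerCAfile)` block, when `tls_config_set_ca_file()` fails the code replaces the store with empty memory and still calls `tls_config_verify_client()`, which as far as I can tell leaves the listener rejecting every TLS client instead of silently falling back to accepting unauthenticated ones; that fail-closed outcome is the right one, but the only comment there explains the chroot concern, so it should be stated: `/* CA could not be loaded: keep client verification on with an empty store so no client is accepted (fail closed) */`. The return value of `tls_config_set_ca_mem(server_config, "", 0)` is not checked; if that call can fail, the store is left in whatever state the failed `tls_config_set_ca_file()` produced, so either check it like the surrounding calls or cast it to `(void)` with a comment saying why it cannot fail here. Operators should also be able to tell from the error log that all TLS clients will be refused until the `-K` file is fixed, so "Load server TLS CA failed" could say so. main() starts and ends outside this hunk, and the same block is quoted in the two replies above.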