Re: syslogd validate client certificates

2016-09-19 Thread Alexander Bluhm
On Mon, Sep 05, 2016 at 03:25:22AM +0200, Alexander Bluhm wrote:
> Hi,
> 
> Add an option to give syslogd a server CA that is used to validate
> client certificates.  This prevent that malicious clients can send
> fake messages.
> 
> ok?

Could anyone have a look at the validation code?  I will create a
nicer man page together with jmc@ afterwards.

bluhm

> 
> bluhm
> 
> Index: usr.sbin/syslogd/syslogd.8
> ===
> RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/syslogd.8,v
> retrieving revision 1.42
> diff -u -p -r1.42 syslogd.8
> --- usr.sbin/syslogd/syslogd.812 Jul 2016 23:04:30 -  1.42
> +++ usr.sbin/syslogd/syslogd.85 Sep 2016 01:18:00 -
> @@ -44,6 +44,7 @@
>  .Op Fl C Ar CAfile
>  .Op Fl c Ar cert_file
>  .Op Fl f Ar config_file
> +.Op Fl K Ar server_CAfile
>  .Op Fl k Ar key_file
>  .Op Fl m Ar mark_interval
>  .Op Fl p Ar log_socket
> @@ -83,6 +84,11 @@ PEM encoded file containing CA certifica
>  validation;
>  the default is
>  .Pa /etc/ssl/cert.pem .
> +Validate remote server certificates and their hostnames with this
> +CA to prevent that malicious servers read messages.
> +This validation can be explicitly turned off using the
> +.Fl V
> +switch.
>  .It Fl c Ar cert_file
>  PEM encoded file containing the client certificate for TLS connections
>  to a remote host.
> @@ -102,6 +108,12 @@ the default is
>  .Pa /etc/syslog.conf .
>  .It Fl h
>  Include the hostname when forwarding messages to a remote host.
> +.It Fl K Ar server_CAfile
> +PEM encoded file containing CA certificates used for certificate
> +valitation on the local server socket.
> +By default incomming connections from any TLS server are allowed.
> +Enforce client certificates and validate them with this CA to prevent
> +that malicious clients send fake messages.
>  .It Fl k Ar key_file
>  PEM encoded file containing the client private key for TLS connections
>  to a remote host.
> @@ -170,7 +182,8 @@ accept input from the UDP port.
>  Some software wants this, but you can be subjected to a variety of
>  attacks over the network, including attackers remotely filling logs.
>  .It Fl V
> -Do not perform server certificate and hostname validation.
> +Do not perform remote server certificate and hostname validation
> +when sending messages.
>  .El
>  .Pp
>  .Nm
> Index: usr.sbin/syslogd/syslogd.c
> ===
> RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/syslogd.c,v
> retrieving revision 1.212
> diff -u -p -r1.212 syslogd.c
> --- usr.sbin/syslogd/syslogd.c29 Aug 2016 20:31:56 -  1.212
> +++ usr.sbin/syslogd/syslogd.c5 Sep 2016 01:20:06 -
> @@ -225,8 +225,9 @@ structtls *server_ctx;
>  struct   tls_config *client_config, *server_config;
>  const char *CAfile = "/etc/ssl/cert.pem"; /* file containing CA certificates 
> */
>  int  NoVerify = 0;   /* do not verify TLS server x509 certificate */
> -char *ClientCertfile = NULL;
> -char *ClientKeyfile = NULL;
> +const char *ClientCertfile = NULL;
> +const char *ClientKeyfile = NULL;
> +const char *ServerCAfile = NULL;
>  int  tcpbuf_dropped = 0; /* count messages dropped from TCP or TLS */
>  
>  #define CTL_READING_CMD  1
> @@ -356,7 +357,7 @@ main(int argc, char *argv[])
>   int  ch, i;
>   int  lockpipe[2] = { -1, -1}, pair[2], nullfd, fd;
>  
> - while ((ch = getopt(argc, argv, "46a:C:c:dFf:hk:m:np:S:s:T:U:uV"))
> + while ((ch = getopt(argc, argv, "46a:C:c:dFf:hK:k:m:np:S:s:T:U:uV"))
>   != -1)
>   switch (ch) {
>   case '4':   /* disable IPv6 */
> @@ -388,6 +389,9 @@ main(int argc, char *argv[])
>   case 'h':   /* RFC 3164 hostnames */
>   IncludeHostname = 1;
>   break;
> + case 'K':   /* verify client with CA file */
> + ServerCAfile = optarg;
> + break;
>   case 'k':   /* file containing client key */
>   ClientKeyfile = optarg;
>   break;
> @@ -625,6 +629,17 @@ main(int argc, char *argv[])
>   break;
>   }
>  
> + if (ServerCAfile) {
> + if (tls_config_set_ca_file(server_config,
> + ServerCAfile) == -1) {
> + logerrortlsconf("Load server TLS CA failed",
> + server_config);
> + /* avoid reading default certs in chroot */
> + tls_config_set_ca_mem(server_config, "", 0);
> + } else
> + logdebug("Server CAfile %s\n", ServerCAfile);
> + tls_config_verify_client(server_config);
> + }
>   

Re: syslogd validate client certificates

2016-09-09 Thread Alexander Bluhm
On Mon, Sep 05, 2016 at 03:25:22AM +0200, Alexander Bluhm wrote:
> Hi,
> 
> Add an option to give syslogd a server CA that is used to validate
> client certificates.  This prevent that malicious clients can send
> fake messages.
> 
> ok?

Anyone?

> 
> bluhm
> 
> Index: usr.sbin/syslogd/syslogd.8
> ===
> RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/syslogd.8,v
> retrieving revision 1.42
> diff -u -p -r1.42 syslogd.8
> --- usr.sbin/syslogd/syslogd.812 Jul 2016 23:04:30 -  1.42
> +++ usr.sbin/syslogd/syslogd.85 Sep 2016 01:18:00 -
> @@ -44,6 +44,7 @@
>  .Op Fl C Ar CAfile
>  .Op Fl c Ar cert_file
>  .Op Fl f Ar config_file
> +.Op Fl K Ar server_CAfile
>  .Op Fl k Ar key_file
>  .Op Fl m Ar mark_interval
>  .Op Fl p Ar log_socket
> @@ -83,6 +84,11 @@ PEM encoded file containing CA certifica
>  validation;
>  the default is
>  .Pa /etc/ssl/cert.pem .
> +Validate remote server certificates and their hostnames with this
> +CA to prevent that malicious servers read messages.
> +This validation can be explicitly turned off using the
> +.Fl V
> +switch.
>  .It Fl c Ar cert_file
>  PEM encoded file containing the client certificate for TLS connections
>  to a remote host.
> @@ -102,6 +108,12 @@ the default is
>  .Pa /etc/syslog.conf .
>  .It Fl h
>  Include the hostname when forwarding messages to a remote host.
> +.It Fl K Ar server_CAfile
> +PEM encoded file containing CA certificates used for certificate
> +valitation on the local server socket.
> +By default incomming connections from any TLS server are allowed.
> +Enforce client certificates and validate them with this CA to prevent
> +that malicious clients send fake messages.
>  .It Fl k Ar key_file
>  PEM encoded file containing the client private key for TLS connections
>  to a remote host.
> @@ -170,7 +182,8 @@ accept input from the UDP port.
>  Some software wants this, but you can be subjected to a variety of
>  attacks over the network, including attackers remotely filling logs.
>  .It Fl V
> -Do not perform server certificate and hostname validation.
> +Do not perform remote server certificate and hostname validation
> +when sending messages.
>  .El
>  .Pp
>  .Nm
> Index: usr.sbin/syslogd/syslogd.c
> ===
> RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/syslogd.c,v
> retrieving revision 1.212
> diff -u -p -r1.212 syslogd.c
> --- usr.sbin/syslogd/syslogd.c29 Aug 2016 20:31:56 -  1.212
> +++ usr.sbin/syslogd/syslogd.c5 Sep 2016 01:20:06 -
> @@ -225,8 +225,9 @@ structtls *server_ctx;
>  struct   tls_config *client_config, *server_config;
>  const char *CAfile = "/etc/ssl/cert.pem"; /* file containing CA certificates 
> */
>  int  NoVerify = 0;   /* do not verify TLS server x509 certificate */
> -char *ClientCertfile = NULL;
> -char *ClientKeyfile = NULL;
> +const char *ClientCertfile = NULL;
> +const char *ClientKeyfile = NULL;
> +const char *ServerCAfile = NULL;
>  int  tcpbuf_dropped = 0; /* count messages dropped from TCP or TLS */
>  
>  #define CTL_READING_CMD  1
> @@ -356,7 +357,7 @@ main(int argc, char *argv[])
>   int  ch, i;
>   int  lockpipe[2] = { -1, -1}, pair[2], nullfd, fd;
>  
> - while ((ch = getopt(argc, argv, "46a:C:c:dFf:hk:m:np:S:s:T:U:uV"))
> + while ((ch = getopt(argc, argv, "46a:C:c:dFf:hK:k:m:np:S:s:T:U:uV"))
>   != -1)
>   switch (ch) {
>   case '4':   /* disable IPv6 */
> @@ -388,6 +389,9 @@ main(int argc, char *argv[])
>   case 'h':   /* RFC 3164 hostnames */
>   IncludeHostname = 1;
>   break;
> + case 'K':   /* verify client with CA file */
> + ServerCAfile = optarg;
> + break;
>   case 'k':   /* file containing client key */
>   ClientKeyfile = optarg;
>   break;
> @@ -625,6 +629,17 @@ main(int argc, char *argv[])
>   break;
>   }
>  
> + if (ServerCAfile) {
> + if (tls_config_set_ca_file(server_config,
> + ServerCAfile) == -1) {
> + logerrortlsconf("Load server TLS CA failed",
> + server_config);
> + /* avoid reading default certs in chroot */
> + tls_config_set_ca_mem(server_config, "", 0);
> + } else
> + logdebug("Server CAfile %s\n", ServerCAfile);
> + tls_config_verify_client(server_config);
> + }
>   tls_config_set_protocols(server_config, TLS_PROTOCOLS_ALL);
>   if (tls_config_set_ciphers(server_config, "compat") 

syslogd validate client certificates

2016-09-04 Thread Alexander Bluhm
Hi,

Add an option to give syslogd a server CA that is used to validate
client certificates.  This prevents malicious clients from sending
fake messages.

ok?

bluhm

Index: usr.sbin/syslogd/syslogd.8
===
RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/syslogd.8,v
retrieving revision 1.42
diff -u -p -r1.42 syslogd.8
--- usr.sbin/syslogd/syslogd.8  12 Jul 2016 23:04:30 -  1.42
+++ usr.sbin/syslogd/syslogd.8  5 Sep 2016 01:18:00 -
@@ -44,6 +44,7 @@
 .Op Fl C Ar CAfile
 .Op Fl c Ar cert_file
 .Op Fl f Ar config_file
+.Op Fl K Ar server_CAfile
 .Op Fl k Ar key_file
 .Op Fl m Ar mark_interval
 .Op Fl p Ar log_socket
@@ -83,6 +84,11 @@ PEM encoded file containing CA certifica
 validation;
 the default is
 .Pa /etc/ssl/cert.pem .
+Validate remote server certificates and their hostnames with this
+CA to prevent that malicious servers read messages.
+This validation can be explicitly turned off using the
+.Fl V
+switch.
 .It Fl c Ar cert_file
 PEM encoded file containing the client certificate for TLS connections
 to a remote host.
@@ -102,6 +108,12 @@ the default is
 .Pa /etc/syslog.conf .
 .It Fl h
 Include the hostname when forwarding messages to a remote host.
+.It Fl K Ar server_CAfile
+PEM encoded file containing CA certificates used for certificate
+valitation on the local server socket.
+By default incomming connections from any TLS server are allowed.
+Enforce client certificates and validate them with this CA to prevent
+that malicious clients send fake messages.
 .It Fl k Ar key_file
 PEM encoded file containing the client private key for TLS connections
 to a remote host.
@@ -170,7 +182,8 @@ accept input from the UDP port.
 Some software wants this, but you can be subjected to a variety of
 attacks over the network, including attackers remotely filling logs.
 .It Fl V
-Do not perform server certificate and hostname validation.
+Do not perform remote server certificate and hostname validation
+when sending messages.
 .El
 .Pp
 .Nm
Index: usr.sbin/syslogd/syslogd.c
===
RCS file: /data/mirror/openbsd/cvs/src/usr.sbin/syslogd/syslogd.c,v
retrieving revision 1.212
diff -u -p -r1.212 syslogd.c
--- usr.sbin/syslogd/syslogd.c  29 Aug 2016 20:31:56 -  1.212
+++ usr.sbin/syslogd/syslogd.c  5 Sep 2016 01:20:06 -
@@ -225,8 +225,9 @@ struct  tls *server_ctx;
 struct tls_config *client_config, *server_config;
 const char *CAfile = "/etc/ssl/cert.pem"; /* file containing CA certificates */
 intNoVerify = 0;   /* do not verify TLS server x509 certificate */
-char   *ClientCertfile = NULL;
-char   *ClientKeyfile = NULL;
+const char *ClientCertfile = NULL;
+const char *ClientKeyfile = NULL;
+const char *ServerCAfile = NULL;
 inttcpbuf_dropped = 0; /* count messages dropped from TCP or TLS */
 
 #define CTL_READING_CMD1
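Review bot: The new `ServerCAfile` global at the end of the hunk carries no trailing comment, while the neighbouring `CAfile`, `NoVerify` and `tcpbuf_dropped` each document their meaning inline; add `const char *ServerCAfile = NULL;	/* CA file for verifying client certs on the TLS listener */` so the -K/-C distinction is visible where the variables are declared. The `const` added to `ClientCertfile` and `ClientKeyfile` matches `CAfile` above and, as far as the hunks show, these only ever receive `optarg`, so nothing needs to write through them. The same hunk is quoted in the two replies above.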
@@ -356,7 +357,7 @@ main(int argc, char *argv[])
int  ch, i;
int  lockpipe[2] = { -1, -1}, pair[2], nullfd, fd;
 
-   while ((ch = getopt(argc, argv, "46a:C:c:dFf:hk:m:np:S:s:T:U:uV"))
+   while ((ch = getopt(argc, argv, "46a:C:c:dFf:hK:k:m:np:S:s:T:U:uV"))
!= -1)
switch (ch) {
case '4':   /* disable IPv6 */
@@ -388,6 +389,9 @@ main(int argc, char *argv[])
case 'h':   /* RFC 3164 hostnames */
IncludeHostname = 1;
break;
+   case 'K':   /* verify client with CA file */
+   ServerCAfile = optarg;
+   break;
case 'k':   /* file containing client key */
ClientKeyfile = optarg;
break;
@@ -625,6 +629,17 @@ main(int argc, char *argv[])
break;
}
 
+   if (ServerCAfile) {
+   if (tls_config_set_ca_file(server_config,
+   ServerCAfile) == -1) {
+   logerrortlsconf("Load server TLS CA failed",
+   server_config);
+   /* avoid reading default certs in chroot */
+   tls_config_set_ca_mem(server_config, "", 0);
+   } else
+   logdebug("Server CAfile %s\n", ServerCAfile);
+   tls_config_verify_client(server_config);
+   }
tls_config_set_protocols(server_config, TLS_PROTOCOLS_ALL);
if (tls_config_set_ciphers(server_config, "compat") != 0)
logerrortlsconf("Set server TLS ciphers failed",
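Review bot: When `tls_config_set_ca_file` fails, the block still calls `tls_config_verify_client` on a config whose CA store has just been emptied with `tls_config_set_ca_mem(server_config, "", 0)`, so the listener presumably rejects every TLS client from then on; that is the safe, fail-closed outcome, but nothing in the code says it is intentional, and an operator who mistyped the path sees one startup error while every remote client silently fails to connect. Make the intent explicit on the `tls_config_verify_client` line with `/* keep verification on even without a usable CA: fail closed, no client is accepted unverified */`. The return value of the `tls_config_set_ca_mem` fallback is also ignored; a `(void)` cast or a short comment would mark that as deliberate best-effort rather than an oversight. The same hunk is quoted in the two replies above, and main continues on both sides of the hunk.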
@@ -1453,9 +1468,9 @@ usage(void)
 
(void)fprintf(stderr,
"usage: syslogd [-46dFhnuV] [-a path] [-C CAfile] [-c cert_file]\n"
-   "\t[-f config_file] [-k