Re: ntpd with default config broken in -current

2017-01-02 Thread Stuart Henderson
On 2017/01/02 16:37, Matthieu Herrb wrote:
> On Mon, Jan 02, 2017 at 03:59:51PM +0100, Matthieu Herrb wrote:
> > Hi,
> > 
> > running -current on amd64 and i386 with the default /etc/ntpd.conf,
> > ntpd doesn't send any NTP request and doesn't sync the clock...
> > 
> > mirrorball% ntpctl -sa
> > 0/4 peers valid, clock unsynced
> > 
> > peer
> >wt tl st  next  poll  offset   delay  jitter
> > 151.80.19.218 from pool pool.ntp.org
> > 1  2  -0s0s  peer not valid 
> > 37.187.104.44 from pool pool.ntp.org
> > 1  2  -0s0s  peer not valid 
> > 37.187.2.84 from pool pool.ntp.org
> > 1  2  -0s0s  peer not valid 
> > 163.172.163.169 from pool pool.ntp.org
> > 1  2  -0s0s  peer not valid 
> > 
> > tcpdump -n -i em0 port 123 doesn't show any trafic on ntp port
> >
> 
> Looking a bit more, this is caused by a cert validation failure during
> constraints checks.

> The www.google.com certificate fails verification because the 'Equifax
> Secure Certificate Authority' root CA certificate that is on top of
> the www.google.com certificate chain is missing from newer
> /etc/ssl/cert.pem.

It fails verification because alt chains aren't working correctly.
It's this problem which I mentioned on another list:

- Forwarded message from Stuart Henderson  -

From: Stuart Henderson 
Date: Mon, 2 Jan 2017 13:26:07 +
Subject: alt chains / verify callback [Re: CVS: cvs.openbsd.org: src]

On 2016/12/26 09:20, Joel Sing wrote:
> CVSROOT:  /cvs
> Module name:  src
> Changes by:   js...@cvs.openbsd.org   2016/12/26 09:20:58
> 
> Modified files:
>   lib/libtls : tls.c tls_client.c 
> 
> Log message:
> Hook up a certificate verify callback so that we can set user friendly
> error messages, instead of libssl error strings. This gives us messages
> like:
> 
> certificate verification failed: certificate has expired
> 
> Instead of:
> 
> 14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> 
> This also lets us always enable peer verification since the no verification
> case is now handled via the callback.
> 
> Tested by tedu@
> 
> ok beck@
> 

naddy ran into a problem fetching ports distfiles from a google server
with ftp(1) with the new cert.pem, whereas it was working OK for me
when I tested the cert.pem update with ftp(1) on a slightly older
snapshot (23 Dec).

I've bisected and found that this was the commit that stopped it from
working. However testing further I find that curl(1) (which doesn't
use libtls) also fails in a similar way.

google's chain looks like this;

---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=www.google.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority G2
 1 s:/C=US/O=Google Inc/CN=Google Internet Authority G2
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
 2 s:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---

With the new cert.pem the old 1024-bit "Equifax Secure Certificate Authority"
cert is no longer included, so alt chains need to work to be able to connect to
it (GeoTrust Global CA is in cert.pem).

On -current:

$ nc -vvc google.com 443
Connection to google.com 443 port [tcp/https] succeeded!
nc: tls handshake failed (certificate verification failed: certificate not 
trusted)

On a machine with new cert.pem but older libtls:

$ ssh jodrell nc -vvc google.com 443
Connection to google.com 443 port [tcp/https] succeeded!
TLS handshake negotiated TLSv1.2/ECDHE-ECDSA-CHACHA20-POLY1305 with host 
google.com
Peer name: google.com
Subject: /C=US/ST=California/L=Mountain View/O=Google Inc/CN=*.google.com
Issuer: /C=US/O=Google Inc/CN=Google Internet Authority G2
Valid From: Thu Dec 15 14:04:15 2016
Valid Until: Thu Mar  9 13:35:00 2017
Cert Hash: 
SHA256:c6ad71b8ad015bff4df56886261d0f975caa3ae427a3e68c2f8bf92f36824d4b
OCSP URL: http://clients1.google.com/ocsp

And on either machine with curl:

$ curl https://www.google.com/
curl: (51) SSL certificate verify result: certificate not trusted (27)

curl is not using SSL_CTX_set_cert_verify_callback; in that case the failure
is coming from SSL_get_verify_result -

lib/vtls/openssl.c

2796 lerr = data->set.ssl.certverifyresult =
2797   SSL_get_verify_result(connssl->handle);
2798 
2799 if(data->set.ssl.certverifyresult != X509_V_OK) {
2800   if(data->set.ssl.verifypeer) {
2801 /* We probably never reach this, because SSL_connect() will fail
2802and we return earlier if verifypeer is set? */
2803 if(strict)
2804   failf(data, "SSL certificate verify result: %s (%ld)",
2805 X509_verify_cert_error_string(lerr), lerr);
2806 result = CURLE_PEER_FAILED_VERIFICATION;
2807   }

Does anyone have ideas to fix it? If not, which of the temporary workarounds
would 

Re: ntpd with default config broken in -current

2017-01-02 Thread Matthieu Herrb
On Mon, Jan 02, 2017 at 03:59:51PM +0100, Matthieu Herrb wrote:
> Hi,
> 
> running -current on amd64 and i386 with the default /etc/ntpd.conf,
> ntpd doesn't send any NTP request and doesn't sync the clock...
> 
> mirrorball% ntpctl -sa
> 0/4 peers valid, clock unsynced
> 
> peer
>wt tl st  next  poll  offset   delay  jitter
> 151.80.19.218 from pool pool.ntp.org
> 1  2  -0s0s  peer not valid 
> 37.187.104.44 from pool pool.ntp.org
> 1  2  -0s0s  peer not valid 
> 37.187.2.84 from pool pool.ntp.org
> 1  2  -0s0s  peer not valid 
> 163.172.163.169 from pool pool.ntp.org
> 1  2  -0s0s  peer not valid 
> 
> tcpdump -n -i em0 port 123 doesn't show any trafic on ntp port
>

Looking a bit more, this is caused by a cert validation failure during
constraints checks.

mirrorball% doas ntpd -d  -v
ntp engine ready
constraint request to 74.125.232.243
constraint request to 74.125.232.240
constraint request to 74.125.232.242
constraint request to 74.125.232.244
constraint request to 2a00:1450:4010:c03::6a
constraint request to 74.125.232.241
tls write failed: 74.125.232.243 (www.google.com): certificate verification 
failed: certificate not trusted
tls write failed: 74.125.232.240 (www.google.com): certificate verification 
failed: certificate not trusted
no constraint reply from 74.125.232.243 received in time, next query 900s
tls write failed: 74.125.232.242 (www.google.com): certificate verification 
failed: certificate not trusted
no constraint reply from 74.125.232.240 received in time, next query 900s
tls write failed: 74.125.232.244 (www.google.com): certificate verification 
failed: certificate not trusted
no constraint reply from 74.125.232.242 received in time, next query 900s
tls write failed: 74.125.232.241 (www.google.com): certificate verification 
failed: certificate not trusted
no constraint reply from 74.125.232.244 received in time, next query 900s
no constraint reply from 74.125.232.241 received in time, next query 900s
tls write failed: 2a00:1450:4010:c03::6a (www.google.com): certificate 
verification failed: certificate not trusted
no constraint reply from 2a00:1450:4010:c03::6a received in time, next
query 900s

The www.google.com certificate fails verification because the 'Equifax
Secure Certificate Authority' root CA certificate that is on top of
the www.google.com certificate chain is missing from newer
/etc/ssl/cert.pem.


-- 
Matthieu Herrb



ntpd with default config broken in -current

2017-01-02 Thread Matthieu Herrb
Hi,

running -current on amd64 and i386 with the default /etc/ntpd.conf,
ntpd doesn't send any NTP request and doesn't sync the clock...

mirrorball% ntpctl -sa
0/4 peers valid, clock unsynced

peer
   wt tl st  next  poll  offset   delay  jitter
151.80.19.218 from pool pool.ntp.org
1  2  -0s0s  peer not valid 
37.187.104.44 from pool pool.ntp.org
1  2  -0s0s  peer not valid 
37.187.2.84 from pool pool.ntp.org
1  2  -0s0s  peer not valid 
163.172.163.169 from pool pool.ntp.org
1  2  -0s0s  peer not valid 

tcpdump -n -i em0 port 123 doesn't show any trafic on ntp port


Internet:
DestinationGatewayFlags   Refs  Use   Mtu  Prio Iface
defaultblackipUGS0   55 - 8 em0  
224/4  localhost  URS0   79 32768 8 lo0  
127/8  localhost  UGRS   00 32768 8 lo0  
localhost  localhost  UHhl   2   46 32768 1 lo0  
192.168.31/24  mirrorball UCn5 1600 - 4 em0  
mirrorball b8:ae:ed:72:d0:cd  UHLl   0  253 - 1 em0  
alix   00:0d:b9:15:76:50  UHLc   0  851 - 3 em0  
moonshine  10:78:d2:eb:7d:d7  UHLc   1  221 - 3 em0  
freenas00:9c:02:a0:45:b3  UHLc   2   15 - 3 em0  
blackip00:08:a2:09:99:52  UHLch  1   30 - 3 em0  
black  00:00:24:cd:7e:50  UHLc   0  520 - 3 em0  
192.168.31.255 mirrorball UHb15 - 1 em0  

Internet6:
DestinationGatewayFlags   Refs  Use   Mtu  Prio Iface
defaultfe80::31:200%em0   UGS2   39 - 8 em0  
::/96  localhost  UGRS   00 32768 8 lo0  
::/104 localhost  UGRS   00 32768 8 lo0  
localhost  localhost  UHhl  14   28 32768 1 lo0  
::127.0.0.0/104localhost  UGRS   00 32768 8 lo0  
::224.0.0.0/100localhost  UGRS   00 32768 8 lo0  
::255.0.0.0/104localhost  UGRS   00 32768 8 lo0  
:::0.0.0.0/96  localhost  UGRS   00 32768 8 lo0  
2002::/24  localhost  UGRS   00 32768 8 lo0  
2002:7f00::/24 localhost  UGRS   00 32768 8 lo0  
2002:e000::/20 localhost  UGRS   00 32768 8 lo0  
2002:ff00::/24 localhost  UGRS   00 32768 8 lo0  
2a03:7220:8081:610 mirrorball.herrb.n UCn42 - 4 em0  
mirrorball.herrb.n b8:ae:ed:72:d0:cd  UHLl   0  154 - 1 em0  
blackip.herrb.net  00:08:a2:09:99:52  UHLc   0  161 - 3 em0  
2a03:7220:8081:610 00:0d:b9:15:76:50  UHLc   2  195 - 3 em0  
freedom.herrb.net  00:23:8b:f2:b7:a3  UHLc   1  177 - 3 em0  
nebraska.herrb.net 7c:7a:91:ef:4e:d0  UHLc   2   47 - 3 em0  
fe80::/10  localhost  UGRS   01 32768 8 lo0  
fec0::/10  localhost  UGRS   00 32768 8 lo0  
fe80::%em0/64  fe80::baae:edff:fe UCn10 - 4 em0  
fe80::31:200%em0   00:08:a2:09:99:52  UHLch  1  427 - 3 em0  
fe80::baae:edff:fe b8:ae:ed:72:d0:cd  UHLl   0   51 - 1 em0  
fe80::1%lo0fe80::1%lo0UHl00 32768 1 lo0  
ff01::/16  localhost  UGRS   01 32768 8 lo0  
ff01::%em0/32  fe80::baae:edff:fe Um 01 - 4 em0  
ff01::%lo0/32  localhost  Um 01 32768 4 lo0  
ff02::/16  localhost  UGRS   01 32768 8 lo0  
ff02::%em0/32  fe80::baae:edff:fe Um 04 - 4 em0  
ff02::%lo0/32  localhost  Um 01 32768 4 lo0  

OpenBSD 6.0-current (GENERIC.MP) #15: Mon Jan  2 13:05:09 CET 2017
matth...@mirrorball.herrb.net:/usr/obj/GENERIC.MP
real mem = 8453414912 (8061MB)
avail mem = 8192557056 (7813MB)
mpath0 at root
scsibus0 at mpath0: 256 targets
mainbus0 at root
bios0 at mainbus0: SMBIOS rev. 2.8 @ 0xa2ee6000 (52 entries)
bios0: vendor Intel Corporation version "RYBDWi35.86A.0353.2015.1222.0947" date 
12/22/2015
bios0: Intel Corporation NUC5i3RYB
acpi0 at bios0: rev 2
acpi0: sleep states S0 S3 S4 S5
acpi0: tables DSDT FACP APIC FPDT FIDT MCFG HPET SSDT UEFI LPIT SSDT ASF! SSDT 
SSDT SSDT DMAR BGRT
acpi0: wakeup devices PEGP(S4) PEG0(S4) PEGP(S4) PEG1(S4) PEGP(S4) PEG2(S4) 
PXSX(S4) RP01(S4) PXSX(S4) RP02(S4) PXSX(S4) RP03(S4) PXSX(S4) RP04(S4) 
PXSX(S4) RP05(S4) [...]
acpitimer0 at acpi0: 3579545 Hz, 24 bits
acpimadt0 at