Re: NEW: security/hitch (pledged)

2018-04-28 Thread Klemens Nanni
On Sat, Apr 28, 2018 at 10:59:36PM +0200, Jeremie Courreges-Anglas wrote:
> On Sat, Apr 28 2018, Klemens Nanni  wrote:
> > Take three with updated pledge diff also fixing an actual bug in the
> > reloading logic when the `ocsp-dir' parameter has changed.
> >
> > It's already reported upstream, I discovered this while playing around
> > to reduce pledge promises.
> 
> I don't understand why you seem to hold a grudge against
> CONFIGURE_STYLE=gnu.  Using it, you could drop CONFIGURE_ARGS and
> TEST_TARGET.
Just getting used to it :)
> 
> Using PORTS_PRIVSEP=Yes and the default pf rules blocking _pbuild,
> I get:
> 
> 
> Testsuite summary for hitch 1.4.8
> 
> # TOTAL: 27
> # PASS:  6
> # SKIP:  1
> # XFAIL: 0
> # FAIL:  20
> # XPASS: 0
> # ERROR: 0
> 
Oh, that's why I put the comment there.

> Instead of adding a comment, I would add TEST_IS_INTERACTIVE = connects to ...
That'll do, thanks.

I'll send a new tarball soon together with pledge updates.



Re: NEW: security/hitch (pledged)

2018-04-28 Thread Jeremie Courreges-Anglas
On Sat, Apr 28 2018, Klemens Nanni  wrote:
> Take three with updated pledge diff also fixing an actual bug in the
> reloading logic when the `ocsp-dir' parameter has changed.
>
> It's already reported upstream, I discovered this while playing around
> to reduce pledge promises.

I don't understand why you seem to hold a grudge against
CONFIGURE_STYLE=gnu.  Using it, you could drop CONFIGURE_ARGS and
TEST_TARGET.

Using PORTS_PRIVSEP=Yes and the default pf rules blocking _pbuild,
I get:


Testsuite summary for hitch 1.4.8

# TOTAL: 27
# PASS:  6
# SKIP:  1
# XFAIL: 0
# FAIL:  20
# XPASS: 0
# ERROR: 0

Instead of adding a comment, I would add TEST_IS_INTERACTIVE = connects to ...

-- 
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF  DDCC 0DFA 74AE 1524 E7EE



Re: NEW: security/hitch (pledged)

2018-04-28 Thread Klemens Nanni
Take three with updated pledge diff also fixing an actual bug in the
reloading logic when the `ocsp-dir' parameter has changed.

It's already reported upstream, I discovered this while playing around
to reduce pledge promises.


hitch3.tgz


Re: NEW: security/hitch (pledged)

2018-04-27 Thread Klemens Nanni
Updated tarball with a proper hitch.rc this time.

The main process is now pledged only if hitch doesn't chroot(2). I
cannot simply hoist the call yet.


hitch2.tgz


NEW: security/hitch (pledged)

2018-04-27 Thread Klemens Nanni
I've been working on hitch every now and then for the last few months,
upstream has merged all my (OpenBSD related) fixes so it's time for a
port:

$ pi hitch
Information for inst:hitch-1.4.8

Comment:
libev-based high performance TLS proxy

Description:
Hitch is libev-based high performance TLS proxy designed to handle 10s of
thousands of connections efficiently on multicore machines.

It supports ALPN, SNI, PROXY protocol, automatic OCSP stapling as well as
seamless configuration reloads of certificates and listen endpoints.

Maintainer: Klemens Nanni 

WWW: https://hitch-tls.org

It's working fine for me on amd64. All tests pass although two of them
might leave a background job running, which I'll deal with in the future.

pledge(2) has been incorporated, some corners can definitely be
tightened, but for now I'd like to hear some feedback.


hitch.tgz