Yes, ok.. ocsp will need dns. -Bob
On Tue, Apr 26, 2016 at 11:19:33AM +0200, Sebastien Marie wrote: > Hi, > > It has been reported to landry and me a pledge problem with the > following openssl command: > > $ /usr/bin/openssl ocsp -issuer bla.sub+ca -cert bla.crt -url > http://ocsp.startssl.com/sub/class2/server/ca -header Host ocsp.startssl.com > -respout /tmp/ocsp.rv8rDSvf6f > abort (core dumped) > > and dmesg: > openssl(15019): syscall 97 "dns" > > backtrace at https://gist.github.com/kAworu/dc30ead97d3b44b5cabb67b134362820 > > After testing, the following diff corrects the problem. > > OK ? > -- > Sebastien Marie > > > Index: ocsp.c > =================================================================== > RCS file: /cvs/src/usr.bin/openssl/ocsp.c,v > retrieving revision 1.7 > diff -u -p -r1.7 ocsp.c > --- ocsp.c 17 Oct 2015 15:00:11 -0000 1.7 > +++ ocsp.c 26 Apr 2016 09:08:54 -0000 > @@ -147,7 +147,7 @@ ocsp_main(int argc, char **argv) > const char *errstr = NULL; > > if (single_execution) { > - if (pledge("stdio inet rpath wpath cpath", NULL) == -1) { > + if (pledge("stdio inet dns rpath wpath cpath", NULL) == -1) { > perror("pledge"); > exit(1); > } >
