From cf2ba9bd55589e2ca5fe6d3d3460701b6936a43c Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Mon, 5 Nov 2018 00:13:36 +0000
Subject: [PATCH] Be stricter with TLS configuration for ntpd constraints. We already require TLSv1.2 so it does not make sense to be liberal with the cipher suites that we allow. Additionally, it is potentially dangerous to disable certificate verification when no CA data is available (which is currently an impossible case to reach). Also ensure we check the return value from tls_config_set_ca_mem() (as spotted by tb@). ok kn@ tb@
---
 src/usr.sbin/ntpd/constraint.c | 10 ++--------
 1 file changed, 2 insertions(+), 8 deletions(-)
diff --git a/src/usr.sbin/ntpd/constraint.c b/src/usr.sbin/ntpd/constraint.c
index 7e259af2..b65ee446 100644
--- a/src/usr.sbin/ntpd/constraint.c
+++ b/src/usr.sbin/ntpd/constraint.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: constraint.c,v 1.35 2016/12/05 10:41:33 rzalamena Exp $ */
+/* $OpenBSD: constraint.c,v 1.36 2018/11/05 00:13:36 jsing Exp $ */
 /*
 * Copyright (c) 2015 Reyk Floeter
@@ -869,15 +869,9 @@ httpsdate_init(const char *addr, const char *port, const char *hostname,
 if ((httpsdate->tls_config = tls_config_new()) == NULL)
 goto fail;
-
- if (tls_config_set_ciphers(httpsdate->tls_config, "all") != 0)
+ if (tls_config_set_ca_mem(httpsdate->tls_config, ca, ca_len) == -1)
 goto fail;
- if (ca == NULL || ca_len == 0)
- tls_config_insecure_noverifycert(httpsdate->tls_config);
- else
- tls_config_set_ca_mem(httpsdate->tls_config, ca, ca_len);
-
 return (httpsdate);
 fail:
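Review bot: In the second hunk (`@@ -869,15 +869,9 @@`), `tls_config_set_ca_mem()` is now called with whatever `ca`/`ca_len` the caller supplies, including NULL or zero length, and nothing on the new side says which trust anchors apply in that case. The commit message describes the empty-CA case as unreachable today, so an explicit fail-closed guard before the call would pin that invariant rather than leave it to libtls defaults (presumably the library's default CA file; confirm): `if (ca == NULL || ca_len == 0) goto fail;`. If falling back to the default trust store is the intended behaviour, a one-line comment above the call stating that verification stays enabled with an empty CA would be enough. `httpsdate_init()` starts and ends outside the hunk, so whether the `fail:` path frees `tls_config` and reports `tls_config_error()` cannot be checked from here.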