Browse Source

Be stricter with TLS configuration for ntpd constraints.

We already require TLSv1.2 so it does not make sense to be liberal with the
cipher suites that we allow. Additionally, it is potentially dangerous to
disable certificate verification when no CA data is available (which is
currently an impossible case to reach).
Also ensure we check the return value from tls_config_set_ca_mem() (as
spotted by tb@).
ok kn@ tb@
OPENBSD_6_5
jsing 6 years ago
parent
commit
cf2ba9bd55
1 changed files with 2 additions and 8 deletions
  1. +2
    -8
      src/usr.sbin/ntpd/constraint.c

+ 2
- 8
src/usr.sbin/ntpd/constraint.c View File

@ -1,4 +1,4 @@
/* $OpenBSD: constraint.c,v 1.35 2016/12/05 10:41:33 rzalamena Exp $ */
/* $OpenBSD: constraint.c,v 1.36 2018/11/05 00:13:36 jsing Exp $ */
/* /*
* Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org> * Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org>
@ -869,15 +869,9 @@ httpsdate_init(const char *addr, const char *port, const char *hostname,
if ((httpsdate->tls_config = tls_config_new()) == NULL) if ((httpsdate->tls_config = tls_config_new()) == NULL)
goto fail; goto fail;
if (tls_config_set_ciphers(httpsdate->tls_config, "all") != 0)
if (tls_config_set_ca_mem(httpsdate->tls_config, ca, ca_len) == -1)
goto fail; goto fail;
if (ca == NULL || ca_len == 0)
tls_config_insecure_noverifycert(httpsdate->tls_config);
else
tls_config_set_ca_mem(httpsdate->tls_config, ca, ca_len);
return (httpsdate); return (httpsdate);
fail: fail:


Loading…
Cancel
Save