Up to [local] / src / usr.sbin / relayd
Request diff between arbitrary revisions
Default branch: MAIN
Revision 1.12, Thu Jan 22 09:26:05 2015 UTC (9 years, 4 months ago) by reyk
Branch: MAIN
CVS Tags: HEAD
Changes since 1.11: +1 -1 lines
FILE REMOVED
LibreSSL now supports loading of CA certificates from memory, replace the internal and long-serving ssl_ctx_load_verify_memory() function with a call to the SSL_CTX_load_verify_mem() API function. The ssl_privsep.c file with hacks for using OpenSSL in privsep'ed processes can now go away; portable versions of smtpd and relayd should start depending on LibreSSL or they have to carry ssl_privsep.c in openbsd-compat to work with legacy OpenSSL. No functional change. Based on previous discussions with gilles@ bluhm@ and many others OK bluhm@ (as part of the libcrypto/libssl/libtls diff)
Revision 1.11 / (download) - annotate - [select for diffs], Fri Jan 16 15:08:52 2015 UTC (9 years, 4 months ago) by reyk
Branch: MAIN
Changes since 1.10: +1 -64 lines
Diff to previous 1.10 (colored)
SSL_CTX_use_certificate_chain() has been added to LibreSSL and there is no need to keep a local copy in ssl_privsep.c. This adds a little burden on OpenSMTPD-portable because it will have to put it in openbsd-compat for compatibility with legacy OpenSSL. OK gilles@
Revision 1.10 / (download) - annotate - [select for diffs], Fri Apr 18 13:55:26 2014 UTC (10 years, 1 month ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_5_6_BASE,
OPENBSD_5_6
Changes since 1.9: +1 -33 lines
Diff to previous 1.9 (colored)
Introduce privsep for private keys: - Move RSA private keys to a new separate process instead of copying them to the relays. A custom RSA engine is used by the SSL/TLS code of the relay processes to send RSA private key encryption/decryption (also used for sign/verify) requests to the new "ca" processes instead of operating on the private key directly. - Each relay process gets its own related ca process. Setting "prefork 5" in the config file will spawn 10 processes (5 relay, 5 ca). This diff also reduces the default number of relay processes from 5 to 3 which should be suitable in most installations without a very heavy load. - Don't keep text versions of the keys in memory, parse them once and keep the binary representation. This might still be the case in OpenSSL's internals but will be fixed in the library. This diff doesn't prevent something like "heartbleed" but adds an additional mitigation to prevent leakage of the private keys from the processes doing SSL/TLS. With feedback from many ok benno@
Revision 1.9 / (download) - annotate - [select for diffs], Thu Oct 4 20:53:30 2012 UTC (11 years, 8 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_5_5_BASE,
OPENBSD_5_5,
OPENBSD_5_4_BASE,
OPENBSD_5_4,
OPENBSD_5_3_BASE,
OPENBSD_5_3
Changes since 1.8: +4 -4 lines
Diff to previous 1.8 (colored)
spacing
Revision 1.8 / (download) - annotate - [select for diffs], Thu Aug 26 13:00:19 2010 UTC (13 years, 9 months ago) by marco
Branch: MAIN
CVS Tags: OPENBSD_5_2_BASE,
OPENBSD_5_2,
OPENBSD_5_1_BASE,
OPENBSD_5_1,
OPENBSD_5_0_BASE,
OPENBSD_5_0,
OPENBSD_4_9_BASE,
OPENBSD_4_9
Changes since 1.7: +9 -9 lines
Diff to previous 1.7 (colored)
stray spaces, no binary change
Revision 1.7 / (download) - annotate - [select for diffs], Thu Apr 2 14:30:51 2009 UTC (15 years, 2 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_4_8_BASE,
OPENBSD_4_8,
OPENBSD_4_7_BASE,
OPENBSD_4_7,
OPENBSD_4_6_BASE,
OPENBSD_4_6
Changes since 1.6: +84 -1 lines
Diff to previous 1.6 (colored)
add support to specify a ca file (eg. /etc/ssl/cert.pem) to verify ssl server certificates when connecting as an SSL client from relays. it works so far, but needs more testing and is currently lacking support for certificate revocation (like CRL or OCSP). the file ssl_privsep.c is extended to implement more code that should be in openssl to allow loading the ca from chroot...
Revision 1.6 / (download) - annotate - [select for diffs], Sat Nov 24 17:07:28 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
CVS Tags: OPENBSD_4_5_BASE,
OPENBSD_4_5,
OPENBSD_4_4_BASE,
OPENBSD_4_4,
OPENBSD_4_3_BASE,
OPENBSD_4_3
Changes since 1.5: +2 -1 lines
Diff to previous 1.5 (colored)
sort includes, adjust to style(9)
Revision 1.5 / (download) - annotate - [select for diffs], Fri Nov 23 09:22:40 2007 UTC (16 years, 6 months ago) by sthen
Branch: MAIN
Changes since 1.4: +2 -0 lines
Diff to previous 1.4 (colored)
add cvs id ok pyr@
Revision 1.4 / (download) - annotate - [select for diffs], Mon Nov 19 15:31:36 2007 UTC (16 years, 6 months ago) by reyk
Branch: MAIN
Changes since 1.3: +1 -1 lines
Diff to previous 1.3 (colored)
spacing
Revision 1.3 / (download) - annotate - [select for diffs], Fri Sep 28 13:05:28 2007 UTC (16 years, 8 months ago) by pyr
Branch: MAIN
Changes since 1.2: +46 -65 lines
Diff to previous 1.2 (colored)
Change the ssl_privsep code to work on char buffers. The fd based code introduced weirdness since all children were accessing the same fd at once. This will also greatly facilitate reloading, no fd-passing will be involved between the parent and relay children. While there, cleanup the code diverting from the original ssl_rsa.c code a bit more. Weird behavior discovery by pascoe@.
Revision 1.2 / (download) - annotate - [select for diffs], Thu Sep 27 13:34:21 2007 UTC (16 years, 8 months ago) by pyr
Branch: MAIN
Changes since 1.1: +15 -14 lines
Diff to previous 1.1 (colored)
Simplify ssl_privsep.c, since it won't need to remain synced with the equivalent openssl functions.
Revision 1.1 / (download) - annotate - [select for diffs], Tue Sep 25 08:24:26 2007 UTC (16 years, 8 months ago) by pyr
Branch: MAIN
Introduce two new functions to be able to load certificates while already chrooted and with privileges dropped. This is the very first step in being able to reload a layer 7 configuration. not ok reyk who's away but should be glad to see this in.