author | 2016-05-21 13:46:10 +0000 | |
---|---|---|
committer | 2016-05-21 13:46:10 +0000 | |
commit | 9083f23cce9490be4e9accd4bc20f2fd1001d5a4 (patch) | |
tree | 4c0f45be3af9c4baefe7f62b5b2b9bffeff1c99c /sys/kern/subr_disk.c | |
parent | Dynamically attach imxiic(4) and use the FDT to enumerate devices on i2c (diff) | |

Harden TLS for ntpd constraints - stop disabling server name verification,
ensure that we load the CA certificates and use tls_connect_servername()
so that we can verify the server we are connecting to (even though we've
already resolved the hostname). Also add additional warnings for TLS
connect and TLS write failures so that we know what is happening and why.

Lack of server name verification also reported by Luis M. Merino
<luismiguelmerino at gmail dot com> - thanks!

ok deraadt@ reyk@

Diffstat (limited to 'sys/kern/subr_disk.c')
0 files changed, 0 insertions, 0 deletions