53 lines
1.6 KiB
Text
53 lines
1.6 KiB
Text
Index: src/main.c
|
|
--- src/main.c.orig
|
|
+++ src/main.c
|
|
@@ -460,14 +460,6 @@ int main( int argc, char *argv[] )
|
|
/* Set up OpenSSL thread protection */
|
|
ssl_thread_setup(fn);
|
|
|
|
-#ifndef HAVE_RAND_EGD
|
|
- if ( RAND_egd( ( RAND_file_name( f_randfile, sizeof( f_randfile ) ) == f_randfile ) ? f_randfile : "/.rnd" ) )
|
|
-#endif
|
|
- {
|
|
- if ( RAND_load_file( f_randfile, -1 ) )
|
|
- RAND_write_file( f_randfile );
|
|
- }
|
|
-
|
|
SSL_load_error_strings();
|
|
|
|
/*
|
|
@@ -681,6 +673,22 @@ int main( int argc, char *argv[] )
|
|
if ( BecomeNonRoot() )
|
|
exit( 1 );
|
|
|
|
+ /*
|
|
+ * Optional dir accessed at runtime if it exists, but allow unveil() to fail
|
|
+ * so the daemon can still run if the dir does not exist.
|
|
+ */
|
|
+ unveil("/etc/ssl/certs", "r");
|
|
+ if ( unveil(NULL, NULL) != 0 )
|
|
+ {
|
|
+ syslog(LOG_ERR, "%s: unveil() failed: [%d]\n", fn, rc);
|
|
+ exit( 1 );
|
|
+ }
|
|
+ if ( pledge("stdio inet dns rpath", NULL) != 0 )
|
|
+ {
|
|
+ syslog(LOG_ERR, "%s: pledge() failed: [%d]\n", fn, rc);
|
|
+ exit( 1 );
|
|
+ }
|
|
+
|
|
/* some misc thread setup */
|
|
rc = pthread_attr_init( &attr );
|
|
if ( rc )
|
|
@@ -1574,9 +1582,9 @@ static int verify_callback(int ok, X509_STORE_CTX * ct
|
|
verify_error = X509_V_ERR_CERT_CHAIN_TOO_LONG;
|
|
}
|
|
}
|
|
- switch (ctx->error) {
|
|
+ switch (err) {
|
|
case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
|
|
- X509_NAME_oneline(X509_get_issuer_name(ctx->current_cert), buf, sizeof(buf));
|
|
+ X509_NAME_oneline(X509_get_issuer_name(err_cert), buf, sizeof(buf));
|
|
syslog(LOG_NOTICE, "issuer= %s", buf);
|
|
break;
|
|
case X509_V_ERR_CERT_NOT_YET_VALID:
|