It keeps working for me on amd64, although I must say that I am not using it as much as I did at the time of the import.
All my other fixes have long since been merged upstream. Official changelog:
• Support for UNIX domain socket connections. A backend endpoint can now be specified as a UNIX domain socket, via backend = "/path/to/socket".
• New configuration file settings pem-dir and pem-dir-glob. pem-dir can be used to specify a directory for loading certificates, without specifying each file individually.
• Support for TLS 1.3. Thanks to Lasse Karstensen.
• Fixed a bug that would cause a crash on reload if ocsp-dir was changed.
• Add log-level. This supersedes the previous quiet setting, which is now deprecated.
• Add proxy-tlv. This enables extra reporting of cipher and protocol as part of the PROXYv2 protocol.
• Drop TLSv1.1 from the default TLS protocols list.
Most tests pass; they never all passed for me, so this is somewhat expected. Upstream has an annoying bug in their test suite where it may leave processes running. I have added a patch to fix this, but it makes two more tests fail - the output below is without my fix; I'd rather have more tests failing than an incomplete cleanup. I just need to take the time to report this to upstream or fix it there.
PASS: tests/test01-start-and-stop.sh PASS: tests/test02-simple-request.sh PASS: tests/test04-listen-with-own-certs.sh PASS: tests/test03-multiple-listen.sh PASS: tests/test08-test-configs.sh PASS: tests/test06-ticket-resume.sh FAIL: tests/test09-wildcard-cert.sh PASS: tests/test05-multiple-listen-SNI.sh PASS: tests/test07-nomatch-abort.sh PASS: tests/test12-cfg.sh FAIL: tests/test13-r82.sh PASS: tests/test10-dflt-certs.sh PASS: tests/test11-cfg.sh SKIP: tests/test15-proxy-v2-npn.sh PASS: tests/test14-ocsp-vfy.sh FAIL: tests/test17-ecc-certs.sh PASS: tests/test16-proxy-v2-alpn.sh PASS: tests/test18-oldcfg.sh PASS: tests/test20-empty-tokens.sh PASS: tests/test19-protos-badly-specified.sh PASS: tests/test22-tls-protos-backend-block.sh SKIP: tests/test25-dynamic-backend-address.sh PASS: tests/test23-tls-protos-tls1_2.sh PASS: tests/test24-tls-protos-tls1_1.sh PASS: tests/test28-separate_keyfiles.sh PASS: tests/test21-tls-protos-reload-bad-spec.sh SKIP: tests/test30-tls-protos-tls1_3.sh PASS: tests/test31-proxy-tlv.sh FAIL: tests/test27-reload.sh PASS: tests/test29-pem-dir.sh ============================================================================ Testsuite summary for hitch 1.5.0 ============================================================================ # TOTAL: 30 # PASS: 23 # SKIP: 3 # XFAIL: 0 # FAIL: 4 # XPASS: 0 # ERROR: 0 While here, use Python 3 during the build (just rst2man). OK?
Index: Makefile
===================================================================
RCS file: /cvs/ports/security/hitch/Makefile,v
retrieving revision 1.5
diff -u -p -r1.5 Makefile
--- Makefile 12 Jul 2019 20:49:02 -0000 1.5
+++ Makefile 11 Aug 2019 09:53:28 -0000
@@ -2,8 +2,7 @@
 COMMENT = libev-based high performance TLS proxy
-DISTNAME = hitch-1.4.8
-REVISION = 2
+DISTNAME = hitch-1.5.0
 CATEGORIES = security
@@ -19,17 +18,22 @@ MASTER_SITES = https://hitch-tls.org/so
 # uses pledge()
 WANTLIB = c crypto ev ssl
-BUILD_DEPENDS = textproc/py-docutils
+MODULES = lang/python
+MODPY_VERSION = ${MODPY_DEFAULT_VERSION_3}
+MODPY_RUNDEP = No
+
+BUILD_DEPENDS = textproc/py-docutils${MODPY_FLAVOR}
 LIB_DEPENDS = devel/libev>=4
-TEST_DEPENDS = net/curl
+TEST_DEPENDS = ${PKGPATH} \
+ net/curl
 SEPARATE_BUILD = Yes
 CONFIGURE_STYLE = gnu
+CONFIGURE_ARGS = --with-rst2man=rst2man${MODPY_BIN_SUFFIX}
 CONFIGURE_ENV = CPPFLAGS='${CPPFLAGS} -I${LOCALBASE}/include' \
 LDFLAGS='${LDFLAGS} -L${LOCALBASE}/lib'
-TEST_IS_INTERACTIVE = connects to http://hitch-tls.org, \
- leaves parse_proxy_v2 running in background
+TEST_IS_INTERACTIVE = connects to hitch-tls.org:80 and 127.0.0.1:443
 post-patch:
 ${SUBST_CMD} ${WRKSRC}/{hitch.conf.man.rst,src/configuration.c}
Index: distinfo
===================================================================
RCS file: /cvs/ports/security/hitch/distinfo,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 distinfo
--- distinfo 1 May 2018 13:43:59 -0000 1.1.1.1
+++ distinfo 3 Jan 2019 16:55:47 -0000
@@ -1,2 +1,2 @@
-SHA256 (hitch-1.4.8.tar.gz) = 1SumkNkMJbv8pz9eDtQnc4Nm2sEvr0b7WDTkl8wtGsM=
-SIZE (hitch-1.4.8.tar.gz) = 297107
+SHA256 (hitch-1.5.0.tar.gz) = DsJUaZKS9z5Bn/J50oNNsxAmGS7zc6kbrdguLccVTQs=
+SIZE (hitch-1.5.0.tar.gz) = 304169
Index: patches/patch-hitch_conf_man_rst
===================================================================
RCS file: /cvs/ports/security/hitch/patches/patch-hitch_conf_man_rst,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 patch-hitch_conf_man_rst
--- patches/patch-hitch_conf_man_rst 1 May 2018 13:43:59 -0000 1.1.1.1
+++ patches/patch-hitch_conf_man_rst 3 Jan 2019 16:59:45 -0000
@@ -3,7 +3,7 @@ $OpenBSD: patch-hitch_conf_man_rst,v 1.1
 Index: hitch.conf.man.rst
 --- hitch.conf.man.rst.orig
 +++ hitch.conf.man.rst
-@@ -139,7 +139,7 @@ ocsp-dir = <string>
+@@ -148,7 +148,7 @@ ocsp-dir = <string>
  -------------------
  Directory where Hitch will store and read OCSP responses for
@@ -12,7 +12,7 @@ Index: hitch.conf.man.rst
  Directory must be readable and writable for the configured Hitch user, or automatic retrieval and updating of OCSP responses will not take place.
-@@ -348,8 +348,8 @@ The following file shows the syntax needed to get star
+@@ -409,8 +409,8 @@ The following file shows the syntax needed to get star
  # We strongly recommend you create a separate non-privileged hitch
  # user and group
Index: patches/patch-src_configuration_c
===================================================================
RCS file: /cvs/ports/security/hitch/patches/patch-src_configuration_c,v
retrieving revision 1.1.1.1
diff -u -p -r1.1.1.1 patch-src_configuration_c
--- patches/patch-src_configuration_c 1 May 2018 13:43:59 -0000 1.1.1.1
+++ patches/patch-src_configuration_c 3 Jan 2019 16:59:33 -0000
@@ -3,7 +3,7 @@ $OpenBSD: patch-src_configuration_c,v 1.
 Index: src/configuration.c
 --- src/configuration.c.orig
 +++ src/configuration.c
-@@ -202,7 +202,7 @@ config_new(void)
+@@ -207,7 +207,7 @@ config_new(void)
  fa->pspec = strdup("default");
  HASH_ADD_KEYPTR(hh, r->LISTEN_ARGS, fa->pspec, strlen(fa->pspec), fa);
  r->LISTEN_DEFAULT = fa;
Index: patches/patch-src_hitch_c
===================================================================
RCS file: /cvs/ports/security/hitch/patches/patch-src_hitch_c,v
retrieving revision 1.3
diff -u -p -r1.3 patch-src_hitch_c
--- patches/patch-src_hitch_c 2 Jun 2018 09:51:33 -0000 1.3
+++ patches/patch-src_hitch_c 3 Jan 2019 16:59:29 -0000
@@ -1,15 +1,12 @@
 $OpenBSD: patch-src_hitch_c,v 1.3 2018/06/02 09:51:33 kn Exp $
-Prevent crash after reload with ocsp-dir change:
-https://github.com/varnish/hitch/pull/265
-
 Pledge oscp and worker processes.
 Pledge the main process iff chroot(2) not used.
 Index: src/hitch.c
 --- src/hitch.c.orig
 +++ src/hitch.c
-@@ -2984,6 +2984,9 @@ start_workers(int start_index, int count)
+@@ -3090,6 +3090,9 @@ start_workers(int start_index, int count)
  "Refusing to run workers as root.\n");
  _exit(1);
  }
@@ -19,7 +16,7 @@ Index: src/hitch.c
  handle_connections(pfd[0]);
  exit(0);
  } else { /* parent. Track new child. */
-@@ -3009,6 +3012,9 @@ start_ocsp_proc(void)
+@@ -3115,6 +3118,9 @@ start_ocsp_proc(void)
  "Refusing to run workers as root.\n");
  _exit(1);
  }
@@ -29,17 +26,7 @@ Index: src/hitch.c
  handle_ocsp_task();
  }
-@@ -3680,7 +3686,8 @@ reconfigure(int argc, char **argv)
- notify_workers(&wu);
-
- if (CONFIG->OCSP_DIR != NULL) {
-- (void) kill(ocsp_proc_pid, SIGTERM);
-+ if (ocsp_proc_pid != 0)
-+ (void) kill(ocsp_proc_pid, SIGTERM);
- /*
- * Restarting the OCSP process is taken
- * care of in do_wait
-@@ -3824,6 +3831,20 @@ main(int argc, char **argv)
+@@ -3958,6 +3964,20 @@ main(int argc, char **argv)
  AZ(VPF_Write(pfh));
  atexit(remove_pfh);
Index: patches/patch-src_tests_hitch_test_sh
===================================================================
RCS file: patches/patch-src_tests_hitch_test_sh
diff -N patches/patch-src_tests_hitch_test_sh
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ patches/patch-src_tests_hitch_test_sh 10 Aug 2019 21:30:01 -0000
@@ -0,0 +1,20 @@
+$OpenBSD$
+
+accept(2) in parse_proxy_v2.c:111 blocks if a test is skipped; kill
+it during cleanup().
+
+Index: src/tests/hitch_test.sh
+--- src/tests/hitch_test.sh.orig
++++ src/tests/hitch_test.sh
+@@ -67,6 +67,11 @@ cleanup() {
+ done
+
+ rm -rf "$TEST_TMPDIR"
++
++ # accept(2) in parse_proxy_v2.c:111 will block if test is skipped
++ if PID=$(pgrep -o -xf 'parse_proxy_v2 [0-9]+'); then
++ kill "$PID"
++ fi
+ }
+
+ trap cleanup EXIT
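Review bot: The added cleanup kills the oldest process anywhere on the system whose command line matches `parse_proxy_v2 [0-9]+`, so two test runs in parallel, or another user running the suite at the same time, can have their helper killed by this one instead of its own. If the helper is started from this script (the spawn is outside the hunk), recording `$!` at that point and killing that PID in cleanup() is the precise fix; otherwise narrowing the match to the current user, `if PID=$(pgrep -o -U "$(id -u)" -xf 'parse_proxy_v2 [0-9]+'); then`, at least keeps it from crossing users. The comment in the hunk gives only the symptom; a line in the patch header saying this is a workaround until the upstream test suite stops leaving the helper blocked in accept(2) would tell the next updater when the patch can be dropped.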
