"Todd T. Fries" <[email protected]> writes:
> To demonstrate:
>
> openssl s_client -connect www.google.com:443
Heh.
> A fix, probably not the full or correct one:
ok jca@
do_accept(), in s_socket.c calls gethostbyaddr, then gethostbyname if
the former fails...
> Index: openssl.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/openssl/openssl.c,v
> retrieving revision 1.19
> diff -u -p -u -r1.19 openssl.c
> --- openssl.c 17 Oct 2015 07:51:10 -0000 1.19
> +++ openssl.c 20 Nov 2015 06:06:47 -0000
> @@ -438,7 +438,7 @@ main(int argc, char **argv)
> arg.data = NULL;
> arg.count = 0;
>
> - if (pledge("stdio inet rpath wpath cpath proc flock tty", NULL) == -1) {
> + if (pledge("stdio inet rpath wpath cpath proc flock tty dns", NULL) ==
> -1) {
> fprintf(stderr, "openssl: pledge: %s\n", strerror(errno));
> exit(1);
> }
> Index: s_client.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/openssl/s_client.c,v
> retrieving revision 1.23
> diff -u -p -u -r1.23 s_client.c
> --- s_client.c 17 Oct 2015 15:00:11 -0000 1.23
> +++ s_client.c 20 Nov 2015 06:06:47 -0000
> @@ -365,7 +365,7 @@ s_client_main(int argc, char **argv)
> long socket_mtu = 0;
>
> if (single_execution) {
> - if (pledge("stdio inet rpath wpath cpath tty", NULL) == -1) {
> + if (pledge("stdio inet rpath wpath cpath tty dns", NULL) == -1)
> {
> perror("pledge");
> exit(1);
> }
--
jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE
