On 2016/07/30 17:04, Giovanni Bechis wrote:
> On Sat, Jul 30, 2016 at 11:57:14AM +0100, Stuart Henderson wrote:
> > Forwarding from an offlist message because incoming mail is broken..
> > 
> no problem for me, just renewed my certificate with authenticator=standalone 
> @i386 (OpenBSD 6.0 (GENERIC) #1915: Tue Jul 26 09:46:01 MDT 2016)
> Have you added wxallowed in fstab(5)?

So wxallowed is required for this; it turns out that this is
due to devel/py-cffi. py-cffi does an mmap which is currently
RWX unless it detects PaX on Linux in which case it changes
it to RW. But if I change things to permit that, we run into
another problem: the library using py-cffi in this case is
py-cryptography, which calls out to libcrypto, and it segfaults
after doing so:

(gdb) bt
#0  0x000003d6f2169fc0 in ?? ()
#1  0x000003d6bef3ba4c in internal_verify (ctx=0x7f7ffffe4eb0)
    at /usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/x509/x509_vfy.c:1611
#2  0x000003d6bef3d109 in X509_verify_cert (ctx=0x7f7ffffe4eb0)
    at /usr/src/lib/libcrypto/crypto/../../libssl/src/crypto/x509/x509_vfy.c:374
#3  0x000003d78b79c8f0 in ssl_verify_cert_chain (s=0x3d6c5708000, sk=Variable 
"sk" is not available.
)
    at /usr/src/lib/libssl/ssl/../../libssl/src/ssl/ssl_cert.c:448
#4  0x000003d78b78c030 in ssl3_get_server_certificate (s=0x3d6c5708000)
    at /usr/src/lib/libssl/ssl/../../libssl/src/ssl/s3_clnt.c:1015
#5  0x000003d78b78d421 in ssl3_connect (s=0x3d6c5708000)
    at /usr/src/lib/libssl/ssl/../../libssl/src/ssl/s3_clnt.c:297
#6  0x000003d78b794c4e in ssl23_connect (s=0x3d6c5708000)
    at /usr/src/lib/libssl/ssl/../../libssl/src/ssl/s23_clnt.c:477
#7  0x000003d78a76f08c in _cffi_f_SSL_do_handshake ()
   from /usr/local/lib/python2.7/site-packages/cryptography/hazmat/bindings/_openssl.so
#8  0x000003d70659d528 in PyEval_EvalFrameEx ()
   from /usr/local/lib/libpython2.7.so.0.0
#9  0x000003d70659d2ea in PyEval_EvalFrameEx ()
   from /usr/local/lib/libpython2.7.so.0.0
#10 0x000003d70659f33d in PyEval_EvalCodeEx ()

1604                 ok = x509_check_cert_time(ctx, xs, 0);
1605                 if (!ok)
1606                         goto end;
1607 
1608                 /* The last error (if any) is still in the error value */
1609                 ctx->current_issuer = xi;
1610                 ctx->current_cert = xs;
1611                 ok = (*cb)(1, ctx);
1612                 if (!ok)
1613                         goto end;

At the moment I don't have any ideas other than "mark /usr/local
as wxallowed if you want to run things using py-cffi".  Can anyone
think of something better?
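Added example for the W^X problem described above (my own code, not from this thread, py-cffi or libffi): the first function probes for the single RWX mapping the mail describes, which is what W^X refuses without wxallowed; the second shows the W^X-compatible alternative of backing the trampoline area with a file mapped twice, one RW view and one RX view, so no page is ever writable and executable at the same time. The backing file path and the sample bytes are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

#define AREA 4096   /* one page for the trampoline area */

/* Probe for the single RWX mapping the mail describes.  Returns 1 if the
 * kernel granted it, 0 if it was refused (W^X without wxallowed). */
int rwx_mapping_allowed(void) {
    void *p = mmap(NULL, AREA, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return 0;
    munmap(p, AREA);
    return 1;
}

/* W^X-compatible alternative: back the area with a file and map it twice,
 * an RW view for writing and an RX view for executing, so no page is ever
 * W and X at once.  Returns 0 on success with the RX view in *rx_out; the
 * RW view is unmapped once the bytes are in place. */
int wx_safe_alloc(const unsigned char *code, size_t len, void **rx_out) {
    char path[] = "/tmp/wxsafe-XXXXXX";     /* constructed backing file */
    if (len > AREA) return -1;
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                            /* keep only the descriptor */
    if (ftruncate(fd, AREA) < 0) { close(fd); return -1; }
    void *rw = mmap(NULL, AREA, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    void *rx = mmap(NULL, AREA, PROT_READ | PROT_EXEC, MAP_SHARED, fd, 0);
    close(fd);
    if (rw == MAP_FAILED || rx == MAP_FAILED) return -1;
    memcpy(rw, code, len);                   /* write via the RW view only */
    munmap(rw, AREA);
    *rx_out = rx;
    return 0;
}

/* Round trip: bytes written through the RW view must be visible through
 * the RX view.  Returns 1 on success, 0 on any failure. */
int wx_safe_roundtrip(void) {
    static const unsigned char sample[] = { 0x90, 0x90, 0xc3 }; /* constructed */
    void *rx;
    if (wx_safe_alloc(sample, sizeof sample, &rx) != 0) return 0;
    int ok = memcmp(rx, sample, sizeof sample) == 0;
    munmap(rx, AREA);
    return ok;
}
```

On a system enforcing W^X the probe returns 0, matching what the thread reports without wxallowed, while the double mapping never requests a W|X page and so does not depend on it.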
