On Fri, Nov 20, 2015 at 01:58:57PM +0100, Jérémie Courrèges-Anglas wrote:
> "Todd T. Fries" <t...@fries.net> writes:
>
> > To demonstrate:
> >
> > openssl s_client -connect www.google.com:443
>
> Heh.
>
> > A fix, probably not the full or correct one:
>
> ok jca@
>
> do_accept(), in s_socket.c calls gethostbyaddr, then gethostbyname if
> the former fails...

I ran into this today as well. Can the patch below be committed or should there be a different fix? > > > Index: openssl.c > > =================================================================== > > RCS file: /cvs/src/usr.bin/openssl/openssl.c,v > > retrieving revision 1.19 > > diff -u -p -u -r1.19 openssl.c > > --- openssl.c 17 Oct 2015 07:51:10 -0000 1.19 > > +++ openssl.c 20 Nov 2015 06:06:47 -0000 > > @@ -438,7 +438,7 @@ main(int argc, char **argv) > > arg.data = NULL; > > arg.count = 0; > > > > - if (pledge("stdio inet rpath wpath cpath proc flock tty", NULL) == -1) { > > + if (pledge("stdio inet rpath wpath cpath proc flock tty dns", NULL) == > > -1) { > > fprintf(stderr, "openssl: pledge: %s\n", strerror(errno)); > > exit(1); > > } > > Index: s_client.c > > =================================================================== > > RCS file: /cvs/src/usr.bin/openssl/s_client.c,v > > retrieving revision 1.23 > > diff -u -p -u -r1.23 s_client.c > > --- s_client.c 17 Oct 2015 15:00:11 -0000 1.23 > > +++ s_client.c 20 Nov 2015 06:06:47 -0000 > > @@ -365,7 +365,7 @@ s_client_main(int argc, char **argv) > > long socket_mtu = 0; > > > > if (single_execution) { > > - if (pledge("stdio inet rpath wpath cpath tty", NULL) == -1) { > > + if (pledge("stdio inet rpath wpath cpath tty dns", NULL) == -1) > > { > > perror("pledge"); > > exit(1); > > } > > -- > jca | PGP : 0x1524E7EE / 5135 92C1 AD36 5293 2BDF DDCC 0DFA 74AE 1524 E7EE >
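
Review bot: the changed pledge() line in main() of openssl.c is wrapped in the quoted mail (the "-1) {" part landed on a line of its own), so this hunk will not apply as posted and should be resent unwrapped. The longer promise string also pushes that line past 80 columns; breaking the call after the string argument would avoid that. Since this is the global pledge, "dns" is now held by every subcommand until that subcommand narrows its own set, so a short comment saying it is kept for the commands that resolve host names would explain why it is there.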
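
Review bot: in the s_client.c hunk, "dns" is added to the single_execution pledge in s_client_main() and then kept for the whole session, although it is only needed while the host name is resolved; consider a second pledge() without "dns" once the connection is established, provided no later path resolves names again. The discussion above points at do_accept() in s_socket.c calling gethostbyaddr and gethostbyname, which is the accept path rather than the client connect path, and this patch only touches openssl.c and s_client.c, so any narrower pledge in the command that uses do_accept() would need "dns" as well. The changed line is also wrapped in the quoted mail (the "{" is on its own line).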