From 14ffa00c0639b07455ffebdd5d7aa07345572eb7 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Tue, 3 Aug 2021 09:50:07 -0600 Subject: [PATCH] The tls_verify setting only affects server behavior, not the client. Originally, there was a flag in the ServerHello message to indicate that the client should verify the server cert, but this was removed TLS was moved to a separate port. Client validation of the server certificate is now configured in the sudoers file instead. --- doc/sudo_logsrvd.conf.man.in | 16 ++++++++-------- doc/sudo_logsrvd.conf.mdoc.in | 16 ++++++++-------- examples/sudo_logsrvd.conf | 4 ++-- 3 files changed, 18 insertions(+), 18 deletions(-) diff --git a/doc/sudo_logsrvd.conf.man.in b/doc/sudo_logsrvd.conf.man.in index 807864514..319c3b5f8 100644 --- a/doc/sudo_logsrvd.conf.man.in +++ b/doc/sudo_logsrvd.conf.man.in @@ -16,7 +16,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.TH "SUDO_LOGSRVD.CONF" "@mansectform@" "July 9, 2021" "Sudo @PACKAGE_VERSION@" "File Formats Manual" +.TH "SUDO_LOGSRVD.CONF" "@mansectform@" "August 3, 2021" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .nh .if n .ad l .SH "NAME" @@ -267,11 +267,11 @@ The default value is \fI/etc/ssl/sudo/private/logsrvd_key.pem\fR. .TP 10n tls_verify = bool -If true, the server certificate will be verified at startup and -clients will authenticate the server by verifying its certificate -and identity. -If false, no verification is performed of the server certificate -by the server or the client. +If true, +\fBsudo_logsrvd.conf\fR +will validate its own certificate at startup time or when the +configuration is changed. +If false, no verification is performed of the server certificate. When using self-signed certificates without a certificate authority, this setting should be set to false. The default value is true. @@ -802,8 +802,8 @@ Sudo log server configuration file # respond. A value of 0 will disable the timeout. The default value is 30. #timeout = 30 -# If true, the server certificate will be verified at startup and clients -# will authenticate the server by verifying its certificate and identity. +# If true, the server will validate its own certificate at startup. +# Defaults to true. #tls_verify = true # If true, client certificates will be validated by the server; diff --git a/doc/sudo_logsrvd.conf.mdoc.in b/doc/sudo_logsrvd.conf.mdoc.in index 7deab6ec8..1b85c7052 100644 --- a/doc/sudo_logsrvd.conf.mdoc.in +++ b/doc/sudo_logsrvd.conf.mdoc.in @@ -15,7 +15,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd July 9, 2021 +.Dd August 3, 2021 .Dt SUDO_LOGSRVD.CONF @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -228,11 +228,11 @@ The path to the server's private key file, in PEM format. The default value is .Pa /etc/ssl/sudo/private/logsrvd_key.pem . .It tls_verify = bool -If true, the server certificate will be verified at startup and -clients will authenticate the server by verifying its certificate -and identity. -If false, no verification is performed of the server certificate -by the server or the client. +If true, +.Nm +will validate its own certificate at startup time or when the +configuration is changed. +If false, no verification is performed of the server certificate. When using self-signed certificates without a certificate authority, this setting should be set to false. The default value is true. @@ -730,8 +730,8 @@ Sudo log server configuration file # respond. A value of 0 will disable the timeout. The default value is 30. #timeout = 30 -# If true, the server certificate will be verified at startup and clients -# will authenticate the server by verifying its certificate and identity. +# If true, the server will validate its own certificate at startup. +# Defaults to true. #tls_verify = true # If true, client certificates will be validated by the server; diff --git a/examples/sudo_logsrvd.conf b/examples/sudo_logsrvd.conf index 675f1f17c..4aa1e568b 100644 --- a/examples/sudo_logsrvd.conf +++ b/examples/sudo_logsrvd.conf @@ -35,8 +35,8 @@ # respond. A value of 0 will disable the timeout. The default value is 30. #timeout = 30 -# If true, the server certificate will be verified at startup and clients -# will authenticate the server by verifying its certificate and identity. +# If true, the server will validate its own certificate at startup. +# Defaults to true. #tls_verify = true # If true, client certificates will be validated by the server;