logsrvd_conf_apply: allow TLS relay without a certificate

millert · millert · commit 00e668697ea8 · 2025-11-28T08:39:31.000-07:00
If sudo_logsrvd is not configured to use TLS, it should still
be possile to use TLS for the relay connection as log as the
server we are relaying to does not require a client certificate.
Also fixes TLS relay when using the server section TLS settings.
diff --git a/logsrvd/logsrvd_conf.c b/logsrvd/logsrvd_conf.c
@@ -1794,16 +1794,6 @@ logsrvd_conf_apply(struct logsrvd_config *config)
 	if (!addr->tls)
 	    continue;
 
-	/* Relay requires TLS so it must be configured (in relay or server). */
-	if (!TLS_CONFIGURED(config->relay)) {
-	    if (config->server.ssl_ctx != NULL) {
-		/* We will use the server TLS settings. */
-		break;
-	    }
-	    sudo_warnx("%s", U_("relay uses TLS but TLS not configured"));
-	    debug_return_bool(false);
-	}
-
 	/* Create a TLS context for the relay. */
 	config->relay.ssl_ctx = init_tls_context(
 	    TLS_RELAY_STR(config, tls_cacert_path),
