unbound: log openssl-1.0.2 lacks TLS host verification

ssl_set1_host() is not available without openssl-1.1.0. Unbound cannot do
host cert verification. DNS over TLS connects, but hosts are unverified. A
patch for log_err is added with a notice in README.md.
(see: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=658)

Also, squash some minor robustness and TLS usability fixes.

Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
Eric Luehrsen
2018-08-08 21:21:17 -04:00
parent ba5e9aa945
commit 1cccacf359
8 changed files with 118 additions and 23 deletions
@@ -1,5 +1,5 @@
diff --git a/doc/example.conf.in b/doc/example.conf.in
index be83bda..7317b23 100644
Index: doc/example.conf.in
===================================================================
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@@ -15,6 +15,76 @@ server:
@@ -0,0 +1,48 @@
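--- a/daemon/remote.c
+++ b/daemon/remote.c
@@ -1950,6 +1950,11 @@
 return NULL;
 }
 } else {
+#ifndef HAVE_SSL_SET1_HOST
+ if(auth_name)
+ log_err("no name verification functionality in "
+ "ssl library, ignored name for %s", todo);
+#endif
 /* add address */
 if(!delegpt_add_addr_mlc(dp, &addr, addrlen, 0, 0,
 auth_name)) {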
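Review bot: The new message says the name is "ignored", but `auth_name` is still handed to `delegpt_add_addr_mlc` on the very next lines, so the delegation point carries a verification name that this OpenSSL build cannot enforce; the same pattern is in the iterator/iter_fwd.c and iterator/iter_hints.c hunks. An operator reading the log will assume the name was dropped, while the practical effect is that TLS to that upstream proceeds without hostname verification, which is the fail-open condition the commit message describes. I would have the text state the consequence rather than the mechanism, e.g. `log_err("ssl library lacks name verification, TLS to %s will not verify the server name", todo);`, and decide explicitly whether `auth_name` should be passed as NULL under `#ifndef HAVE_SSL_SET1_HOST` so the stored state matches what is enforced (I cannot tell from this hunk whether downstream code treats a non-NULL name as "verified"). The enclosing function starts before this hunk.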
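--- a/iterator/iter_fwd.c
+++ b/iterator/iter_fwd.c
@@ -239,6 +239,11 @@
 s->name, p->str);
 return 0;
 }
+#ifndef HAVE_SSL_SET1_HOST
+ if(tls_auth_name)
+ log_err("no name verification functionality in "
+ "ssl library, ignored name for %s", p->str);
+#endif
 if(!delegpt_add_addr_mlc(dp, &addr, addrlen, 0, 0,
 tls_auth_name)) {
 log_err("out of memory");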
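Review bot: This `#ifndef HAVE_SSL_SET1_HOST` block is the third copy of the same check and string literal (daemon/remote.c, here, and iterator/iter_hints.c), and three hand-typed copies of a security-relevant message will drift in wording and in what they name. A tiny shared helper (name of your choosing) that takes the name to print, called from all three sites, keeps the text and the log level in one place and gives the README a single function to point at. The check also appears to sit inside the per-address loop of the stub/forward parser, so one configured zone with several addresses would presumably print the line once per address; if that is the case, logging once per zone, before the loop, is less noisy. The enclosing function starts before this hunk.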
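--- a/iterator/iter_hints.c
+++ b/iterator/iter_hints.c
@@ -252,6 +252,11 @@
 s->name, p->str);
 return 0;
 }
+#ifndef HAVE_SSL_SET1_HOST
+ if(auth_name)
+ log_err("no name verification functionality in "
+ "ssl library, ignored name for %s", p->str);
+#endif
 if(!delegpt_add_addr_mlc(dp, &addr, addrlen, 0, 0,
 auth_name)) {
 log_err("out of memory");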
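Review bot: The added `log_err` sits directly beside the real failure path `log_err("out of memory")`, yet execution continues after it, so someone reading the log cannot tell an aborted configuration from a degraded one; the same applies in the daemon/remote.c and iterator/iter_fwd.c hunks. Since the daemon deliberately tolerates this condition, a warning-level call (e.g. `log_warn`, if this tree provides it) is the honest severity, with the error level reserved for the paths that actually return. Either way the message should say what still happens ("TLS continues without server name verification") rather than only what is missing, so that an operator grepping for it understands the exposure. The enclosing function starts before this hunk.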