
Merge pull request #6730 from EricLuehrsen/unbound_20180808

unbound: log openssl-1.0.2 lacks TLS host verification
lilik-openwrt-22.03
Dirk Brenken 6 years ago
committed by GitHub
parent
commit
17ab7a24aa
No known key found for this signature in database GPG Key ID: 4AEE18F83AFDEB23
8 changed files with 118 additions and 23 deletions
  1. +1
    -1
      net/unbound/Makefile
  2. +6
    -4
      net/unbound/files/README.md
  3. +1
    -1
      net/unbound/files/dnsmasq.sh
  4. +14
    -0
      net/unbound/files/iptools.sh
  5. +1
    -3
      net/unbound/files/unbound.init
  6. +45
    -12
      net/unbound/files/unbound.sh
  7. +2
    -2
      net/unbound/patches/100-example-conf-in.patch
  8. +48
    -0
      net/unbound/patches/200-openssl-log-err.patch

+ 1
- 1
net/unbound/Makefile View File

@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk
PKG_NAME:=unbound PKG_NAME:=unbound
PKG_VERSION:=1.7.3 PKG_VERSION:=1.7.3
PKG_RELEASE:=4
PKG_RELEASE:=5
PKG_LICENSE:=BSD-3-Clause PKG_LICENSE:=BSD-3-Clause
PKG_LICENSE_FILES:=LICENSE PKG_LICENSE_FILES:=LICENSE


+ 6
- 4
net/unbound/files/README.md View File

@ -166,11 +166,9 @@ config zone
``` ```
## HOW TO: TLS Over DNS ## HOW TO: TLS Over DNS
Unbound has the ability to be client and server in TLS mode. UCI can configure Unbound to be a client forwarding queries in TLS mode for selected domains. (Server is more complex to setup and needs to be done manually). This may be desired for privacy against stealth market tracking in some cases. Some public DNS servers seem to advertise help in this quest.
Unbound can use TLS as a client or server. UCI supports Unbound as a forwarding client with TLS. Servers are more complex and need manual configuration. This may be desired for privacy against stealth tracking. Some public DNS servers seem to advertise help in this quest. If your looking for a better understanding, then some information can be found at [Cloudflare](https://www.cloudflare.com/) DNS [1.1.1.1](https://1.1.1.1/). The following is a generic example. You can mix providers by using complete server specificaiton to override the zones common port and certificate domain index.
Unbound will make TLS connections without validation unless you install the 'ca-bundle' package. Do **not** however forget to maintain the certification bundle. The validation chain otherwise will expire and connections will go dead. Unbound makes and breaks TCP connections per connection. To reduce the lag from TLS handshaking it may help to use more cache memory `resource`, increase record exirations `ttl_min`, enable `aggressive` searching, or manually enable prefetch options.
The following is a generic example. If your looking for a better understanding, then some information can be found at [Cloudflare](https://www.cloudflare.com/) DNS [1.1.1.1](https://1.1.1.1/) for one place.
**NOTICE:** Unbound requires openssl-1.1.0 to verify host certificates. OpenWrt at present is configured with openssl-1.0.2. Connections will be over TLS, but theoretically, certificates may not be from a trusted source. See report [Unbound #658](https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=658). When this is resolved, it will be recommended again to install `ca-bundle`, maintain it, and be sure to include the TLS certificate domain index with the host addresses.
**/etc/config/unbound**: **/etc/config/unbound**:
``` ```
@ -179,10 +177,14 @@ config zone
# question: do you want to recurse when TLS fails or not? # question: do you want to recurse when TLS fails or not?
option fallback '0' option fallback '0'
option tls_index 'dns.example.net' option tls_index 'dns.example.net'
option tls_port '853'
option tls_upstream '1' option tls_upstream '1'
option zone_type 'forward_zone' option zone_type 'forward_zone'
# these servers assume a common TLS port/index
list server '192.0.2.53' list server '192.0.2.53'
list server '2001:db8::53' list server '2001:db8::53'
# this alternate server is fully specified inline
list server '192.0.2.153@443#dns.alternate.example.org'
list zone_name '.' list zone_name '.'
``` ```


+ 1
- 1
net/unbound/files/dnsmasq.sh View File

@ -80,7 +80,7 @@ create_host_record() {
case $ip in case $ip in
fe80:*|169.254.*)
fe[89ab][0-9a-f]:*|169.254.*)
debug_ip="$ip@$host" debug_ip="$ip@$host"
;; ;;


+ 14
- 0
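--- a/net/unbound/files/iptools.sh
+++ b/net/unbound/files/iptools.sh
@@ -124,6 +124,20 @@ valid_subnet4() {
 ##############################################################################
+valid_subnet_any() {
+local subnet=$1
+local validip4=$( valid_subnet4 $subnet )
+local validip6=$( valid_subnet6 $subnet )
+if [ "$validip4" = "ok" -o "$validip6" = "ok" ] ; then
+echo "ok"
+else
+echo "not"
+fi
+}
+##############################################################################
 private_subnet() {
 case "$1" in
 10"."*) echo "ok" ;;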
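Review bot: `valid_subnet_any` passes `$subnet` unquoted to both validators, so a value containing whitespace or glob characters is word-split or expanded before it is checked; quote it: `local validip4=$( valid_subnet4 "$subnet" )` and `local validip6=$( valid_subnet6 "$subnet" )`. The `-o` inside `[ ]` matches the surrounding file's style but is the ambiguous form; `[ "$validip4" = "ok" ] || [ "$validip6" = "ok" ]` is the equivalent that busybox ash also accepts. What `valid_subnet4` and `valid_subnet6` accept (in particular whether a trailing `@port#name` passes) is outside this hunk, so whether the helper is suited to the server strings `unbound.sh` now feeds it cannot be judged from here.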


+ 1
- 3
net/unbound/files/unbound.init View File

@ -64,10 +64,9 @@ service_triggers() {
if [ ! -f "$UB_TOTAL_CONF" -o -n "$UB_BOOT" ] ; then if [ ! -f "$UB_TOTAL_CONF" -o -n "$UB_BOOT" ] ; then
# Unbound is can be a bit heavy, so wait some on first start but any # Unbound is can be a bit heavy, so wait some on first start but any
# interface coming up affects the trigger and delay so guarantee start # interface coming up affects the trigger and delay so guarantee start
procd_add_raw_trigger "interface.*.up" 5000 /etc/init.d/unbound restart
procd_add_raw_trigger "interface.*.up" 3000 /etc/init.d/unbound restart
elif [ -n "$triggers" ] ; then elif [ -n "$triggers" ] ; then
PROCD_RELOAD_DELAY=2000
procd_add_reload_trigger "unbound" "dhcp" procd_add_reload_trigger "unbound" "dhcp"
@ -77,7 +76,6 @@ service_triggers() {
done done
else else
PROCD_RELOAD_DELAY=2000
procd_add_reload_trigger "unbound" "dhcp" procd_add_reload_trigger "unbound" "dhcp"
fi fi
} }
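Review bot: The first hunk shortens the first-start trigger delay from 5000 to 3000 ms and both hunks drop `PROCD_RELOAD_DELAY=2000` without a comment saying why, and the commit title (an openssl logging change) does not cover it either. A one-line comment above the first `procd_add_reload_trigger` stating the reason the reload delay is no longer needed would let the next maintainer tell a deliberate tuning from an accidental loss. Whether dropping the variable changes reload timing depends on procd's default, which is not visible here. `service_triggers` begins outside the first hunk.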


+ 45
- 12
net/unbound/files/unbound.sh View File

@ -85,9 +85,8 @@ UB_LIST_ZONE_NAMES=""
bundle_all_networks() { bundle_all_networks() {
local cfg="$1" local cfg="$1"
local ifname ifdashname
local ifname ifdashname validip
local subnet subnets subnets4 subnets6 local subnet subnets subnets4 subnets6
local validip4 validip6
network_get_subnets subnets4 "$cfg" network_get_subnets subnets4 "$cfg"
network_get_subnets6 subnets6 "$cfg" network_get_subnets6 subnets6 "$cfg"
@ -99,11 +98,10 @@ bundle_all_networks() {
if [ -n "$subnets" ] ; then if [ -n "$subnets" ] ; then
for subnet in $subnets ; do for subnet in $subnets ; do
validip4=$( valid_subnet4 $subnet )
validip6=$( valid_subnet6 $subnet )
validip=$( valid_subnet_any $subnet )
if [ "$validip4" = "ok" -o "$validip6" = "ok" ] ; then
if [ "$validip" = "ok" ] ; then
UB_LIST_NETW_ALL="$UB_LIST_NETW_ALL $ifdashname@$subnet" UB_LIST_NETW_ALL="$UB_LIST_NETW_ALL $ifdashname@$subnet"
fi fi
done done
@ -375,8 +373,10 @@ unbound_control() {
unbound_zone() { unbound_zone() {
local cfg=$1 local cfg=$1
local servers_ip=""
local servers_host=""
local zone_sym zone_name zone_type zone_enabled zone_file local zone_sym zone_name zone_type zone_enabled zone_file
local tls_upstream fallback proivder
local tls_upstream fallback
local server port tls_port tls_index tls_suffix url_dir local server port tls_port tls_index tls_suffix url_dir
if [ ! -f "$UB_ZONE_CONF" ] ; then if [ ! -f "$UB_ZONE_CONF" ] ; then
@ -464,17 +464,50 @@ unbound_zone() {
if [ -n "$UB_LIST_ZONE_NAMES" -a -n "$UB_LIST_ZONE_SERVERS" ] ; then if [ -n "$UB_LIST_ZONE_NAMES" -a -n "$UB_LIST_ZONE_SERVERS" ] ; then
for server in $UB_LIST_ZONE_SERVERS ; do
if [ "$( valid_subnet_any $server )" = "not" ] ; then
case $server in
*@[0-9]*)
# unique Unbound option for server host name
servers_host="$servers_host $server"
;;
*)
if [ "$tls_upstream" = "yes" ] ; then
servers_host="$servers_host $server${tls_port:+@${tls_port}}"
else
servers_host="$servers_host $server${port:+@${port}}"
fi
esac
else
case $server in
*[0-9]@[0-9]*)
# unique Unbound option for server address
servers_ip="$servers_ip $server"
;;
*)
if [ "$tls_upstream" = "yes" ] ; then
servers_ip="$servers_ip $server$tls_suffix"
else
servers_ip="$servers_ip $server${port:+@${port}}"
fi
esac
fi
done
for zonename in $UB_LIST_ZONE_NAMES ; do for zonename in $UB_LIST_ZONE_NAMES ; do
{ {
# generate a forward-zone with or without tls # generate a forward-zone with or without tls
echo "forward-zone:" echo "forward-zone:"
echo " name: $zonename" echo " name: $zonename"
for server in $UB_LIST_ZONE_SERVERS ; do
if [ "$tls_upstream" = "yes" ] ; then
echo " forward-addr: $server${tls_suffix}"
else
echo " forward-addr: $server${port:+@${port}}"
fi
for server in $servers_host ; do
echo " forward-host: $server"
done
for server in $servers_ip ; do
echo " forward-addr: $server"
done done
echo " forward-first: $fallback" echo " forward-first: $fallback"
echo " forward-tls-upstream: $tls_upstream" echo " forward-tls-upstream: $tls_upstream"
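Review bot: The server classification at the top of the second hunk runs `valid_subnet_any` on the raw server string, so a fully specified entry such as `192.0.2.153@443#dns.alternate.example.org` (the form the README hunk adds) is only treated as an address if `valid_subnet4` tolerates the `@port#name` suffix; otherwise it falls into the `*@[0-9]*)` arm and is emitted as `forward-host:` rather than `forward-addr:`. The validator lives in `iptools.sh`, not in this hunk, so this is inferred; validating the address part alone avoids the dependency: `if [ "$( valid_subnet_any "${server%%@*}" )" = "not" ] ; then`. In the `else` branch, an address without a `#name` index is appended with `$tls_suffix` or `@port` only, and a comment there noting that such a peer is forwarded over TLS with no certificate name to check would make the privacy-versus-authentication trade-off visible at the point the list is built. `unbound_zone` starts and ends outside this hunk.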


net/unbound/patches/001-conf.patch → net/unbound/patches/100-example-conf-in.patch View File


+ 48
- 0
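--- a/net/unbound/patches/200-openssl-log-err.patch
+++ b/net/unbound/patches/200-openssl-log-err.patch
@@ -0,0 +1,48 @@
+Index: daemon/remote.c
+===================================================================
+--- a/daemon/remote.c
++++ b/daemon/remote.c
+@@ -1950,6 +1950,11 @@
+return NULL;
+}
+} else {
++#ifndef HAVE_SSL_SET1_HOST
++ if(auth_name)
++ log_err("no name verification functionality in "
++ "ssl library, ignored name for %s", todo);
++#endif
+/* add address */
+if(!delegpt_add_addr_mlc(dp, &addr, addrlen, 0, 0,
+auth_name)) {
+Index: iterator/iter_fwd.c
+===================================================================
+--- a/iterator/iter_fwd.c
++++ b/iterator/iter_fwd.c
+@@ -239,6 +239,11 @@
+s->name, p->str);
+return 0;
+}
++#ifndef HAVE_SSL_SET1_HOST
++ if(tls_auth_name)
++ log_err("no name verification functionality in "
++ "ssl library, ignored name for %s", p->str);
++#endif
+if(!delegpt_add_addr_mlc(dp, &addr, addrlen, 0, 0,
+tls_auth_name)) {
+log_err("out of memory");
+Index: iterator/iter_hints.c
+===================================================================
+--- a/iterator/iter_hints.c
++++ b/iterator/iter_hints.c
+@@ -252,6 +252,11 @@
+s->name, p->str);
+return 0;
+}
++#ifndef HAVE_SSL_SET1_HOST
++ if(auth_name)
++ log_err("no name verification functionality in "
++ "ssl library, ignored name for %s", p->str);
++#endif
+if(!delegpt_add_addr_mlc(dp, &addr, addrlen, 0, 0,
+auth_name)) {
+log_err("out of memory");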
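Review bot: The three added blocks say the auth name is "ignored", yet the name is still handed to `delegpt_add_addr_mlc` on the following line, and the message never states the consequence the commit title describes: the TLS session to that upstream proceeds without the certificate being checked against the configured name. Wording that names the downgrade, e.g. `"ssl library lacks name verification, %s is used over TLS without certificate name check"`, reads as the security condition it is rather than as a configuration parse note. Emitting it for every configured name at each config load is appropriate for that condition. Whether `HAVE_SSL_SET1_HOST` is the macro the OpenWrt build's configure sets for openssl-1.1.0 is not visible here; if it is left undefined when the functionality exists, the message would be logged spuriously.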
