enable talking to servers with ECDSA certs

There is no clear reason to reject servers that don't have RSA certs. We should accept ECDSA certs as well. (also, clean up comments about opportunistic TLS)
2015-10-30 16:17:18 +09:00 · 2015-10-30 16:17:18 +09:00 · 3e90795680
parent 8b9041325b
commit 3e90795680
2 changed files with 4 additions and 3 deletions
--- a/src/context.c
+++ b/src/context.c
@ -2200,8 +2200,8 @@ _getdns_context_prepare_for_resolution(struct getdns_context *context,
 			if(context->tls_ctx == NULL)
 				return GETDNS_RETURN_BAD_CONTEXT;
 			/* Be strict and only use the cipher suites recommended in RFC7525
-			   Unless we later fallback to oppotunistic. */
-			const char* const PREFERRED_CIPHERS = "EECDH+aRSA+AESGCM:EDH+aRSA+AESGCM";
+			   Unless we later fallback to opportunistic. */
+			const char* const PREFERRED_CIPHERS = "EECDH+aRSA+AESGCM:EECDH+aECDSA+AESGCM:EDH+aRSA+AESGCM";
 			if (!SSL_CTX_set_cipher_list(context->tls_ctx, PREFERRED_CIPHERS))
 				return GETDNS_RETURN_BAD_CONTEXT;
 			if (!SSL_CTX_set_default_verify_paths(context->tls_ctx))
--- a/src/stub.c
+++ b/src/stub.c
@ -908,7 +908,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 			return NULL;
 		}
 #endif
-		/* Allow fallback to oppotunisitc if settings permit it*/
+		/* Allow fallback to opportunistic if settings permit it*/
 		if (dnsreq->netreqs[0]->tls_auth_min == GETDNS_AUTHENTICATION_HOSTNAME)
 			SSL_set_verify(ssl, SSL_VERIFY_PEER, tls_verify_callback);
 		else {
@ -923,6 +923,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 			upstream->tls_auth_failed = 1;
 			return NULL;
 		} else {
+                  /* no hostname verification, so we will make opportunistic connections */
 			DEBUG_STUB("--- %s, PROCEEDING WITHOUT HOSTNAME VALIDATION!!\n", __FUNCTION__);
 			upstream->tls_auth_failed = 1;
 			SSL_set_verify(ssl, SSL_VERIFY_NONE, tls_verify_callback_with_fallback);