From 3e90795680e3a3934d84fb0943b076aee630529b Mon Sep 17 00:00:00 2001 From: Daniel Kahn Gillmor Date: Fri, 30 Oct 2015 16:17:18 +0900 Subject: [PATCH] enable talking to servers with ECDSA certs There is no clear reason to reject servers that don't have RSA certs. We should accept ECDSA certs as well. (also, clean up comments about opportunistic TLS) --- src/context.c | 4 ++-- src/stub.c | 3 ++- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/src/context.c b/src/context.c index 95dc5b6e..79dde85b 100644 --- a/src/context.c +++ b/src/context.c @@ -2200,8 +2200,8 @@ _getdns_context_prepare_for_resolution(struct getdns_context *context, if(context->tls_ctx == NULL) return GETDNS_RETURN_BAD_CONTEXT; /* Be strict and only use the cipher suites recommended in RFC7525 - Unless we later fallback to oppotunistic. */ - const char* const PREFERRED_CIPHERS = "EECDH+aRSA+AESGCM:EDH+aRSA+AESGCM"; + Unless we later fallback to opportunistic. */ + const char* const PREFERRED_CIPHERS = "EECDH+aRSA+AESGCM:EECDH+aECDSA+AESGCM:EDH+aRSA+AESGCM"; if (!SSL_CTX_set_cipher_list(context->tls_ctx, PREFERRED_CIPHERS)) return GETDNS_RETURN_BAD_CONTEXT; if (!SSL_CTX_set_default_verify_paths(context->tls_ctx)) diff --git a/src/stub.c b/src/stub.c index 0fcaefe4..5c9b6b5a 100644 --- a/src/stub.c +++ b/src/stub.c @@ -908,7 +908,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream) return NULL; } #endif - /* Allow fallback to oppotunisitc if settings permit it*/ + /* Allow fallback to opportunistic if settings permit it*/ if (dnsreq->netreqs[0]->tls_auth_min == GETDNS_AUTHENTICATION_HOSTNAME) SSL_set_verify(ssl, SSL_VERIFY_PEER, tls_verify_callback); else { @@ -923,6 +923,7 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream) upstream->tls_auth_failed = 1; return NULL; } else { + /* no hostname verification, so we will make opportunistic connections */ DEBUG_STUB("--- %s, PROCEEDING WITHOUT HOSTNAME VALIDATION!!\n", __FUNCTION__); upstream->tls_auth_failed = 1; SSL_set_verify(ssl, SSL_VERIFY_NONE, tls_verify_callback_with_fallback);