From 5721c501c3073ff5410b6c99abcf9ae39a1ca0d0 Mon Sep 17 00:00:00 2001
From: Jim Hague
Date: Mon, 2 Mar 2020 13:41:12 +0000
Subject: [PATCH 1/6] Point stubby at my repo.

---
 .gitmodules | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.gitmodules b/.gitmodules
index 28d6a265..0e80aed9 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -8,7 +8,7 @@
 branch = master
 [submodule "stubby"]
 path = stubby
- url = https://github.com/getdnsapi/stubby.git
+ url = https://github.com/banburybill/stubby.git
 branch = develop
 [submodule "src/ssl_dane"]
 path = src/ssl_dane
From 3073d3356012375da079a804f1628c7b1293de4f Mon Sep 17 00:00:00 2001
From: Jim Hague
Date: Mon, 2 Mar 2020 18:13:47 +0000
Subject: [PATCH 2/6] Update stubby.

---
 stubby | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/stubby b/stubby
index 70937487..2fec82b1 160000
--- a/stubby
+++ b/stubby
@@ -1 +1 @@
-Subproject commit 709374879bca5d77548df68fd91c51174a862229
+Subproject commit 2fec82b1669bb35062ff9029c4b42fb4998fbd44
From 252d68e67a25399f465ad599ca2c3ef0643658a9 Mon Sep 17 00:00:00 2001
From: Jim Hague
Date: Wed, 4 Mar 2020 16:06:14 +0000
Subject: [PATCH 3/6] Update stubby.

---
 stubby | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/stubby b/stubby
index 2fec82b1..c4841747 160000
--- a/stubby
+++ b/stubby
@@ -1 +1 @@
-Subproject commit 2fec82b1669bb35062ff9029c4b42fb4998fbd44
+Subproject commit c4841747a8042dfe2ea43c3c58d07a87e5a5a0ed
From c234865a80d0a3f620c5c3d8016e33aabfc96a33 Mon Sep 17 00:00:00 2001
From: Willem Toorop
Date: Thu, 5 Mar 2020 13:39:30 +0100
Subject: [PATCH 4/6] Print GnuTLS debug messages

---
 src/gnutls/tls.c | 19 ++++++++++++++++---
 1 file changed, 16 insertions(+), 3 deletions(-)

diff --git a/src/gnutls/tls.c b/src/gnutls/tls.c
index 88153d73..96557386 100644
--- a/src/gnutls/tls.c
+++ b/src/gnutls/tls.c
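Review bot: The stubby submodule's `url` now resolves to a personal fork, `https://github.com/banburybill/stubby.git`, instead of the `getdnsapi` organisation repository, and with the unchanged `branch = develop` line a `git submodule update --remote` will follow that fork's develop branch. Later patches in this series pin explicit subproject commits, so a checkout is still fixed by hash, but the fetch source and the tracked branch are now under an individual account rather than the project, which is a provenance change for anyone building from this tree. If this is meant to be temporary while unreleased Stubby changes land, the commit message should say so and a follow-up should restore the upstream URL; a comment in `.gitmodules` would also help, e.g. `# temporary fork; switch back to getdnsapi/stubby once <pending change> is merged` (placeholder text).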
@@ -166,9 +166,15 @@ static getdns_return_t error_may_want_read_write(_getdns_tls_connection* conn, i
 else
 return GETDNS_RETURN_TLS_WANT_WRITE;
 case GNUTLS_E_FATAL_ALERT_RECEIVED:
- DEBUG_STUB("GNUTLS fatal alert: \"%s\"\n",
- gnutls_alert_get_name(gnutls_alert_get(conn->tls)));
-
+ _getdns_log( conn->log
+ , GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_ERR
+ , "%s %s %d (%s)\n"
+ , STUB_DEBUG_SETUP_TLS
+ , "Error in TLS handshake"
+ , (int)gnutls_alert_get(conn->tls)
+ , gnutls_alert_get_name(gnutls_alert_get(conn->tls))
+ );
+ /* fallthrough */
 default:
 return GETDNS_RETURN_GENERIC_ERROR;
 }
@@ -322,6 +328,11 @@ getdns_return_t _getdns_tls_context_set_ca(_getdns_tls_context* ctx, const char*
 return GETDNS_RETURN_GOOD;
 }
 
+void _getdns_gnutls_stub_log(int level, const char *msg)
+{
+ DEBUG_STUB("GnuTLS log (%.2d): %s", level, msg);
+}
+
 _getdns_tls_connection* _getdns_tls_connection_new(struct mem_funcs* mfs, _getdns_tls_context* ctx, int fd, const getdns_log_config* log)
 {
 _getdns_tls_connection* res;
@@ -356,6 +367,8 @@ _getdns_tls_connection* _getdns_tls_connection_new(struct mem_funcs* mfs, _getdn
 gnutls_certificate_set_x509_trust_dir(res->cred, ctx->ca_trust_path, GNUTLS_X509_FMT_PEM);
 }
 
+ gnutls_global_set_log_level(99);
+ gnutls_global_set_log_function(_getdns_gnutls_stub_log);
 if (gnutls_init(&res->tls, GNUTLS_CLIENT | GNUTLS_NONBLOCK) != GNUTLS_E_SUCCESS)
 goto failed;
 if (set_connection_ciphers(res) != GNUTLS_E_SUCCESS) {
From 26a95b5b8a213096641654c5b97976e66ec32e5d Mon Sep 17 00:00:00 2001
From: Willem Toorop
Date: Thu, 5 Mar 2020 14:46:32 +0100
Subject: [PATCH 5/6] Fix DoT with GnuTLS >= 3.6

---
 src/gnutls/tls.c | 28 +++++++++++++++++-----------
 1 file changed, 17 insertions(+), 11 deletions(-)

diff --git a/src/gnutls/tls.c b/src/gnutls/tls.c
index 96557386..fad42732 100644
--- a/src/gnutls/tls.c
+++ b/src/gnutls/tls.c
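Review bot: In the new `_getdns_log` call under `case GNUTLS_E_FATAL_ALERT_RECEIVED:`, `gnutls_alert_get(conn->tls)` is evaluated twice, once for the `%d` argument and once inside `gnutls_alert_get_name`; read it once into a local, `gnutls_alert_description_t alert = gnutls_alert_get(conn->tls);`, and pass `(int)alert` and `gnutls_alert_get_name(alert)` so the number and the name always describe the same alert. The format string `"%s %s %d (%s)\n"` also omits the colon after `STUB_DEBUG_SETUP_TLS` that the `_getdns_log` call in set_connection_ciphers uses (`"%s: %s %s (%s)\n"`), so this line will read differently from its neighbours in the log. error_may_want_read_write begins before this hunk; only the tail of its switch is visible here.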
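Review bot: `_getdns_gnutls_stub_log` is defined with external linkage and no prototype, yet its only use is the `gnutls_global_set_log_function` call in the following hunk of this same file, so it should be `static void _getdns_gnutls_stub_log(int level, const char *msg)`; as written it also trips -Wmissing-prototypes. A one-line header comment would help a reader, e.g. `/* GnuTLS global log callback: forwards the library's debug output to DEBUG_STUB. */`. The format string `"GnuTLS log (%.2d): %s"` adds no newline, so it is presumably relying on GnuTLS messages carrying their own; that assumption is worth confirming and stating in the same comment.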
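Review bot: `gnutls_global_set_log_level(99)` and `gnutls_global_set_log_function(_getdns_gnutls_stub_log)` are process-wide GnuTLS settings that this hunk applies unconditionally on every `_getdns_tls_connection_new` call, in release builds as well as debug builds. Level 99 is the library's maximum verbosity, so GnuTLS formats and delivers every internal message for every session in the process even when `DEBUG_STUB` compiles to nothing, and in any build where the stub debug output is enabled the log fills with very detailed handshake internals that an operator would not normally want persisted. Both calls should be wrapped in the same build-time condition that enables `DEBUG_STUB` (`#if <stub-debug macro> … #endif`, whichever macro debug.h uses for that) and ideally issued once at library initialisation rather than per connection, since the setting is global and the repeated calls add nothing. `_getdns_tls_connection_new` continues after this hunk.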
@@ -102,7 +102,15 @@ static int set_connection_ciphers(_getdns_tls_connection* conn)
 char* pri = NULL;
 int res;
 
- pri = getdns_priappend(conn->mfs, pri, "NONE:+COMP-ALL:+SIGN-RSA-SHA384");
+ //pri = getdns_priappend(conn->mfs, pri, "NONE:+COMP-ALL:+SIGN-ALL");
+ pri = getdns_priappend(conn->mfs, pri, "NONE:+COMP-ALL:+SIGN-ALL"
+ /* Remove all the weak ones */
+ ":-SIGN-RSA-MD5"
+ ":-SIGN-RSA-SHA1:-SIGN-RSA-SHA224:-SIGN-RSA-SHA256"
+ ":-SIGN-DSA-SHA1:-SIGN-DSA-SHA224:-SIGN-DSA-SHA256"
+ ":-SIGN-ECDSA-SHA1:-SIGN-ECDSA-SHA224:-SIGN-ECDSA-SHA256"
+ ":-SIGN-RSA-PSS-SHA256"
+ );
 if (conn->cipher_suites)
 pri = getdns_priappend(conn->mfs, pri, conn->cipher_suites);
 
@@ -134,18 +142,16 @@ static int set_connection_ciphers(_getdns_tls_connection* conn)
 for (gnutls_protocol_t i = min; i <= max; ++i)
 pri = getdns_priappend(conn->mfs, pri, _getdns_tls_priorities[i]);
 }
-
 if (pri) {
 res = gnutls_priority_set_direct(conn->tls, pri, NULL);
- if (res != GNUTLS_E_SUCCESS) {
- _getdns_log(conn->log
- , GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_ERR
- , "%s: %s %s (%s)\n"
- , STUB_DEBUG_SETUP_TLS
- , "Error configuring TLS connection with "
- , pri
- , gnutls_strerror(res));
- }
+ _getdns_log(conn->log
+ , GETDNS_LOG_UPSTREAM_STATS
+ , (res == GNUTLS_E_SUCCESS ? GETDNS_LOG_DEBUG : GETDNS_LOG_ERR)
+ , "%s: %s %s (%s)\n"
+ , STUB_DEBUG_SETUP_TLS
+ , "Configuring TLS connection with "
+ , pri
+ , gnutls_strerror(res));
 } else
 res = gnutls_set_default_priority(conn->tls);
 
From be09306567a22f55a3a6b73873b2c0cb114aec0e Mon Sep 17 00:00:00 2001
From: Jim Hague
Date: Thu, 12 Mar 2020 16:13:11 +0000
Subject: [PATCH 6/6] Update Stubby to pick up latest Stubby release tag and Windows packaging details.

---
 stubby | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/stubby b/stubby
index c4841747..242979cd 160000
--- a/stubby
+++ b/stubby
@@ -1 +1 @@
-Subproject commit c4841747a8042dfe2ea43c3c58d07a87e5a5a0ed
+Subproject commit 242979cde99aa7ab19ce9fc228fc041cb6c1a6ed
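Review bot: The added line `//pri = getdns_priappend(conn->mfs, pri, "NONE:+COMP-ALL:+SIGN-ALL");` is commented-out code sitting beside the live call and should be removed. The comment `/* Remove all the weak ones */` also does not describe the list below it: besides MD5 and SHA-1, the subtract list drops every SHA-224 and SHA-256 RSA, DSA and ECDSA signature and `SIGN-RSA-PSS-SHA256`, and SHA-256 is not weak, so the comment should state the actual policy, e.g. `/* Restrict signature algorithms to SHA-384 and stronger; see <issue/PR placeholder> for why SHA-256 is excluded. */`, so a later maintainer does not "fix" it by re-adding SHA-256. If the intent really is to exclude every SHA-256 signature, note that `+SIGN-ALL` also admits names that are not on the list (GnuTLS 3.6 has `SIGN-RSA-PSS-RSAE-SHA256`, for instance), so the comment should say which of those remain deliberately. As far as I recall, a priority keyword that a particular GnuTLS build does not recognise makes `gnutls_priority_set_direct` reject the whole string, which would tie the minimum supported GnuTLS version to the names used here; worth confirming and recording in the same comment.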
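Review bot: The merged `_getdns_log` call now emits `"Configuring TLS connection with "` at `GETDNS_LOG_ERR` on failure as well as at `GETDNS_LOG_DEBUG` on success, so the error line no longer says that configuration failed and only the trailing `gnutls_strerror(res)` text hints at it; pick the wording by result, `, (res == GNUTLS_E_SUCCESS ? "Configured TLS connection with " : "Error configuring TLS connection with ")`, or keep the success message and restore the explicit error wording for the failure case. Logging the complete priority string `pri` at debug level on success is reasonable for diagnosing handshake policy, but a short comment saying that this is deliberate would stop it being trimmed as noise. set_connection_ciphers continues after this hunk.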