Merge branch 'my-develop' into develop

Update Stubby and add small GnuTLS version fixup to signature selection.

src/gnutls/tls.c

@@ -102,7 +102,18 @@ static int set_connection_ciphers(_getdns_tls_connection* conn)
 	char* pri = NULL;
 	int res;
 
-	pri = getdns_priappend(conn->mfs, pri, "NONE:+COMP-ALL:+SIGN-ALL");
+	pri = getdns_priappend(conn->mfs, pri, "NONE:+COMP-ALL:+SIGN-ALL"
+	    /* Remove all the weak ones */
+	    ":-SIGN-RSA-MD5"
+	    ":-SIGN-RSA-SHA1:-SIGN-RSA-SHA224:-SIGN-RSA-SHA256"
+	    ":-SIGN-DSA-SHA1:-SIGN-DSA-SHA224:-SIGN-DSA-SHA256"
+#if GNUTLS_VERSION_NUMBER >= 0x030505
+	    ":-SIGN-ECDSA-SHA1:-SIGN-ECDSA-SHA224:-SIGN-ECDSA-SHA256"
+#endif
+#if GNUTLS_VERSION_NUMBER >= 0x030601
+	    ":-SIGN-RSA-PSS-SHA256"
+#endif
+	);
 
 	if (conn->cipher_suites)
 		pri = getdns_priappend(conn->mfs, pri, conn->cipher_suites);
@@ -138,18 +149,16 @@ static int set_connection_ciphers(_getdns_tls_connection* conn)
 		for (gnutls_protocol_t i = min; i <= max; ++i)
 			pri = getdns_priappend(conn->mfs, pri, _getdns_tls_priorities[i]);
 	}
-
 	if (pri) {
 		res = gnutls_priority_set_direct(conn->tls, pri, NULL);
-		if (res != GNUTLS_E_SUCCESS) {
+		_getdns_log(conn->log
-			_getdns_log(conn->log
+			    , GETDNS_LOG_UPSTREAM_STATS
-				    , GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_ERR
+			    , (res == GNUTLS_E_SUCCESS ? GETDNS_LOG_DEBUG : GETDNS_LOG_ERR)
-				    , "%s: %s %s (%s)\n"
+			    , "%s: %s %s (%s)\n"
-				    , STUB_DEBUG_SETUP_TLS
+			    , STUB_DEBUG_SETUP_TLS
-				    , "Error configuring TLS connection with "
+			    , "Configuring TLS connection with "
-				    , pri
+			    , pri
-				    , gnutls_strerror(res));
+			    , gnutls_strerror(res));
-		}
 	}
 	else
 		res = gnutls_set_default_priority(conn->tls);
@@ -170,9 +179,15 @@ static getdns_return_t error_may_want_read_write(_getdns_tls_connection* conn, i
 		else
 			return GETDNS_RETURN_TLS_WANT_WRITE;
 	case GNUTLS_E_FATAL_ALERT_RECEIVED:
-		DEBUG_STUB("GNUTLS fatal alert: \"%s\"\n",
+		_getdns_log( conn->log
-		    gnutls_alert_get_name(gnutls_alert_get(conn->tls)));
+		           , GETDNS_LOG_UPSTREAM_STATS, GETDNS_LOG_ERR
-
+		           , "%s %s %d (%s)\n"
+		           , STUB_DEBUG_SETUP_TLS
+		           , "Error in TLS handshake"
+		           , (int)gnutls_alert_get(conn->tls)
+			   , gnutls_alert_get_name(gnutls_alert_get(conn->tls))
+			   );
+		/* fallthrough */
 	default:
 		return GETDNS_RETURN_GENERIC_ERROR;
 	}
@@ -326,6 +341,11 @@ getdns_return_t _getdns_tls_context_set_ca(_getdns_tls_context* ctx, const char*
 	return GETDNS_RETURN_GOOD;
 }
 
+void _getdns_gnutls_stub_log(int level, const char *msg)
+{
+	DEBUG_STUB("GnuTLS log (%.2d): %s", level, msg);
+}
+
 _getdns_tls_connection* _getdns_tls_connection_new(struct mem_funcs* mfs, _getdns_tls_context* ctx, int fd, const getdns_log_config* log)
 {
 	_getdns_tls_connection* res;
@@ -360,6 +380,8 @@ _getdns_tls_connection* _getdns_tls_connection_new(struct mem_funcs* mfs, _getdn
 			gnutls_certificate_set_x509_trust_dir(res->cred, ctx->ca_trust_path, GNUTLS_X509_FMT_PEM);
 	}
 
+	gnutls_global_set_log_level(99);
+	gnutls_global_set_log_function(_getdns_gnutls_stub_log);
 	if (gnutls_init(&res->tls, GNUTLS_CLIENT | GNUTLS_NONBLOCK) != GNUTLS_E_SUCCESS)
 		goto failed;
 	if (set_connection_ciphers(res) != GNUTLS_E_SUCCESS) {

stubby

@@ -1 +1 @@
-Subproject commit 709374879bca5d77548df68fd91c51174a862229
+Subproject commit 242979cde99aa7ab19ce9fc228fc041cb6c1a6ed