From 45de1f65b3bf16564dc720ca73001e2e43298b73 Mon Sep 17 00:00:00 2001
From: Sara Dickinson
Date: Fri, 14 Aug 2015 17:55:43 +0100
Subject: [PATCH] Update docs with details of OS X certificate handling.

---
 INSTALL | 6 ++++++
 README.md | 8 +++++---
 src/context.c | 29 ++++++++++++++++++++++++-----
 src/stub.c | 3 ++-
 4 files changed, 37 insertions(+), 9 deletions(-)

diff --git a/INSTALL b/INSTALL
index 2d4f855f..ca68375d 100644
--- a/INSTALL
+++ b/INSTALL
@@ -254,6 +254,12 @@ not `/usr/local'. It is recommended to use the following options:
 
      ./configure --prefix=/boot/common
 
+ On Mac OSX getdns will not build against the version of OpenSSL shipped with
+OSX. If you link against a self-complied version of OpenSSL then manual
+configuration of certificates is required for TLS authentication to work,
+however if linking against the version of OpenSSL installed via Homebrew TLS
+authentication will work out of the box.
+
 Specifying the System Type
 ==========================
 
diff --git a/README.md b/README.md
index f7d13ab5..ecae05fd 100644
--- a/README.md
+++ b/README.md
@@ -89,6 +89,7 @@ External dependencies are linked outside the getdns API build tree (we rely on c
 * [libunbound from NLnet Labs](http://www.nlnetlabs.nl/projects/unbound/) version 1.4.16 or later
 * [libexpat](http://expat.sourceforge.net/) for libunbound.
 * [libidn from the FSF](http://www.gnu.org/software/libidn/) version 1.
+* [libopenssl from the OpenSSL Project](https://www.openssl.org/) version 0.9.7 or later. (Note: version 1.0.2 or later is required for TLS support)
 * Doxygen is used to generate documentation, while this is not technically necessary for the build it makes things a lot more pleasant.
 
 You have to install the library and also the library-devel (or -dev) for your
@@ -149,8 +150,6 @@ There are a few known issues which we have summarized below - the most recent
 and helpful list is being maintained in the git issues list in the repository.
 Other known issues are being managed in the git repository issue list.
 
-* (#113) Changing the resolution type between stub and recursive after a query has been issued with a context will not work - the previous resolution type will continue to be used. If you want to change the resolution type you will need to create a new context and set the resolution type for that context.
-
 * When doing a synchronous lookup with a context that has outstanding asynchronous lookups, the callbacks for the asynchronous lookups might get called as a side effect of the synchronous lookup.
@@ -214,6 +213,9 @@ build the packages, this is simplythe one we chose to use.
 
     create dmg
 
+    A self-compiled version of OpenSSL or the version installed via Homebrew is required.
+    Note: If using a self-compiled version manual configuration of certificates is required for TLS authentication to wokr
+
 #### Homebrew
 
 If you're using [Homebrew](http://brew.sh/), you may run `brew install getdns`. By default, this will only build the core library without any 3rd party event loop support.
@@ -222,7 +224,7 @@ To install the [event loop integration libraries](https://github.com/getdnsapi/g
 
 Note that in order to compile the examples, the `--with-libevent` switch is required.
 
-As of the 0.2.0 release, when installing via Homebrew, the trust anchor is expected to be located at `$(brew --prefix)/etc/getdns-root.key`. Additionally, the openssl lib installed by Homebrew is linked against.
+As of the 0.2.0 release, when installing via Homebrew, the trust anchor is expected to be located at `$(brew --prefix)/etc/getdns-root.key`. Additionally, the OpenSSL library installed by Homebrew is linked against. Note that the Homebrew OpenSSL installation clones the Keychain certificates to the default OpenSSL location so TLS authentication should work out of the box.
 
 Contributors
 ============
diff --git a/src/context.c b/src/context.c
index c153d36b..ae59b018 100644
--- a/src/context.c
+++ b/src/context.c
@@ -578,6 +578,27 @@ priv_getdns_upstream_shutdown(getdns_upstream *upstream)
 	close(fd);
 }
 
+static int
+tls_is_in_transports_list(getdns_context *context) {
+	for (int i=0; i< context->dns_transport_count;i++) {
+		if (context->dns_transports[i] == GETDNS_TRANSPORT_TLS ||
+		    context->dns_transports[i] == GETDNS_TRANSPORT_STARTTLS)
+			return 1;
+	}
+	return 0;
+}
+
+static int
+tls_only_is_in_transports_list(getdns_context *context) {
+	if (context->dns_transport_count != 1)
+		return 0;
+	if (context->dns_transports[0] == GETDNS_TRANSPORT_TLS ||
+	    context->dns_transports[0] == GETDNS_TRANSPORT_STARTTLS)
+		return 1;
+	return 0;
+}
+
+
 static int
 net_req_query_id_cmp(const void *id1, const void *id2)
 {
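Review bot: `tls_only_is_in_transports_list`, the second helper added in this hunk, answers "exactly one transport is configured and it is TLS or STARTTLS", not "every configured transport is TLS", so a list such as {TLS, STARTTLS} — which has no cleartext fallback either — is reported as not TLS-only and, in the recursive-mode check that calls it (outside this hunk), such a context is not rejected even though the same port-53 problem applies. This mirrors the pre-existing `dns_transport_count == 1` test, so it may be intentional, but the helper's name promises the stronger check; if the intent is to block any configuration with no non-TLS transport, scan the whole list instead. Neither helper carries a comment stating its 1/0 contract, and the loop spacing (`i< context->dns_transport_count;i++`) is inconsistent with the rest of the file. Suggested replacement for the second helper:
```c
/* Returns 1 when every configured transport is TLS or STARTTLS (and at
 * least one transport is configured), 0 otherwise. */
static int
tls_only_is_in_transports_list(getdns_context *context) {
	if (context->dns_transport_count < 1)
		return 0;
	for (int i = 0; i < context->dns_transport_count; i++) {
		if (context->dns_transports[i] != GETDNS_TRANSPORT_TLS &&
		    context->dns_transports[i] != GETDNS_TRANSPORT_STARTTLS)
			return 0;
	}
	return 1;
}
```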
@@ -2140,8 +2161,8 @@ getdns_context_prepare_for_resolution(struct getdns_context *context,
 
 	/* Transport can in theory be set per query in stub mode */
 	if (context->resolution_type == GETDNS_RESOLUTION_STUB) {
-		/*TODO[TLS]: Check if TLS is in the list of transports.*/
-		if (context->tls_ctx == NULL) {
+		if (tls_is_in_transports_list(context) == 1 &&
+		    context->tls_ctx == NULL) {
 #ifdef HAVE_LIBTLS1_2
 			/* Create client context, use TLS v1.2 only for now */
 			context->tls_ctx = SSL_CTX_new(TLSv1_2_client_method());
@@ -2157,9 +2178,7 @@ getdns_context_prepare_for_resolution(struct getdns_context *context,
 	/* Note: If TLS is used in recursive mode this will try TLS on port
 	 * 53 so it is blocked here. So is 'STARTTLS only' at the moment. */
 	if (context->resolution_type == GETDNS_RESOLUTION_RECURSING &&
-	    context->dns_transport_count == 1 &&
-	    (context->dns_transports[0] == GETDNS_TRANSPORT_TLS ||
-	     context->dns_transports[0] == GETDNS_TRANSPORT_STARTTLS))
+	    tls_only_is_in_transports_list(context) == 1)
 		return GETDNS_RETURN_BAD_CONTEXT;
 
 	if (context->resolution_type_set == context->resolution_type)
diff --git a/src/stub.c b/src/stub.c
index d675179b..291b9bed 100644
--- a/src/stub.c
+++ b/src/stub.c
@@ -826,7 +826,7 @@ static SSL*
 tls_create_object(getdns_context *context, int fd, const char* auth_name)
 {
 	/* Create SSL instance */
-	if (context->tls_ctx == NULL)
+	if (context->tls_ctx == NULL || auth_name == NULL)
 		return NULL;
 	SSL* ssl = SSL_new(context->tls_ctx);
 	X509_VERIFY_PARAM *param;
@@ -896,6 +896,7 @@ tls_do_handshake(getdns_upstream *upstream)
 			upstream->tls_hs_state = GETDNS_HS_WRITE;
 			return STUB_TCP_AGAIN;
 		default:
+			DEBUG_STUB("--- %s %s %d\n", __FUNCTION__, "Handshake failed: ", want);
 			return tls_cleanup(upstream);
 	}
 }
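Review bot: With the new guard, `tls_ctx` is created only when TLS or STARTTLS is in the transport list at the moment `getdns_context_prepare_for_resolution` runs, yet the context comment two lines above says transports can in theory be set per query in stub mode; if a transport list gains TLS after this point and the setter does not re-run this block, `tls_ctx` stays NULL and every TLS upstream is left without an SSL object (whether such a path exists cannot be told from this hunk). Either re-run this preparation when the transport list changes or record the assumption, e.g. `/* tls_ctx is created lazily here; adding TLS to the transport list later requires re-preparation. */`. Style: the helper returns 0/1, so the `== 1` is redundant — `if (tls_is_in_transports_list(context) && context->tls_ctx == NULL) {`. The enclosing function starts and continues outside the hunk.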
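Review bot: The added `auth_name == NULL` test makes a missing authentication name fail exactly like a missing `tls_ctx` — a silent `return NULL` — so the caller (outside this hunk) cannot distinguish a misconfigured upstream from an unconfigured TLS context, and nothing records why TLS setup was skipped. If the caller falls back to another transport on NULL this quietly turns "authenticate this upstream" into a downgrade; if it fails the upstream, the operator gets no hint either way. At minimum trace it as the handshake failure in this commit does, e.g. `DEBUG_STUB("--- %s: no TLS context or no auth_name for upstream\n", __FUNCTION__);` before `return NULL;`, and state the contract above the function: `/* Returns NULL when TLS cannot be set up: the context has no tls_ctx, or no auth_name was supplied (TLS without an auth name is refused here). */`.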
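Review bot: The new `DEBUG_STUB` line passes the constant `"Handshake failed: "` through a `%s` directive instead of writing it into the format string, which reads oddly and spends a format argument on a literal; `DEBUG_STUB("--- %s Handshake failed: %d\n", __FUNCTION__, want);` says the same thing. It also logs only `want` (set outside this hunk, presumably the `SSL_get_error` code), which does not say whether the handshake failed on certificate verification — the case that matters most for an authenticated upstream — so consider also logging the OpenSSL error queue or the verify result at this point, if those headers are already included in stub.c. `tls_do_handshake` starts outside the hunk.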