mirror of https://github.com/getdnsapi/getdns.git
tls_ciphersuites, tls_cipher_list, tls_curve_list,
tls_min_version & tls_max_version settings must cause failure when not supported by the TLS library — not at configure time, but during connection setup, so that it does not hamper alternative transports.
This commit is contained in:
parent
6b10570842
commit
b90ba236ae
|
@ -3095,6 +3095,9 @@ getdns_context_set_upstream_recursive_servers(struct getdns_context *context,
|
|||
getdns_bindata *tls_ciphersuites = NULL;
|
||||
getdns_bindata *tls_curves_list = NULL;
|
||||
uint32_t tls_version;
|
||||
/* Missing support in TLS library is
|
||||
* detected and reported during connection setup.
|
||||
*/
|
||||
|
||||
if ((r = getdns_dict_get_bindata(
|
||||
dict, "tls_auth_name", &tls_auth_name)) == GETDNS_RETURN_GOOD) {
|
||||
|
@ -3190,11 +3193,6 @@ invalid_parameter:
|
|||
error:
|
||||
_getdns_upstreams_dereference(upstreams);
|
||||
return GETDNS_RETURN_CONTEXT_UPDATE_FAIL;
|
||||
#if !defined(HAVE_DECL_SSL_SET1_CURVES_LIST) || !HAVE_DECL_SSL_SET1_CURVES_LIST
|
||||
not_implemented:
|
||||
_getdns_upstreams_dereference(upstreams);
|
||||
return GETDNS_RETURN_NOT_IMPLEMENTED;
|
||||
#endif
|
||||
} /* getdns_context_set_upstream_recursive_servers */
|
||||
|
||||
|
||||
|
@ -3721,8 +3719,8 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
|
|||
if(context->tls_ctx == NULL)
|
||||
return GETDNS_RETURN_BAD_CONTEXT;
|
||||
|
||||
# if defined(HAVE_DECL_SSL_SET_MIN_PROTO_VERSION) && HAVE_DECL_SSL_SET_MIN_PROTO_VERSION
|
||||
fprintf(stderr, "SSL_CTX_set_min_proto_version(%d)\n", context->tls_min_version);
|
||||
# if defined(HAVE_DECL_SSL_SET_MIN_PROTO_VERSION) \
|
||||
&& HAVE_DECL_SSL_SET_MIN_PROTO_VERSION
|
||||
if (!SSL_CTX_set_min_proto_version(context->tls_ctx,
|
||||
_getdns_tls_version2openssl_version(context->tls_min_version))) {
|
||||
SSL_CTX_free(context->tls_ctx);
|
||||
|
@ -3736,6 +3734,14 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
|
|||
context->tls_ctx = NULL;
|
||||
return GETDNS_RETURN_BAD_CONTEXT;
|
||||
}
|
||||
# else
|
||||
# ifndef HAVE_TLS_CLIENT_METHOD
|
||||
if (( context->tls_min_version
|
||||
&& context->tls_min_version != GETDNS_TLS1_2)
|
||||
|| context->tls_max_version) {
|
||||
return GETDNS_RETURN_NOT_IMPLEMENTED;
|
||||
}
|
||||
# endif
|
||||
# endif
|
||||
/* Be strict and only use the cipher suites recommended in RFC7525
|
||||
Unless we later fallback to opportunistic. */
|
||||
|
@ -3748,11 +3754,17 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
|
|||
context->tls_ciphersuites ? context->tls_ciphersuites
|
||||
: _getdns_default_tls_ciphersuites))
|
||||
return GETDNS_RETURN_BAD_CONTEXT;
|
||||
# else
|
||||
if (context->tls_ciphersuites)
|
||||
return GETDNS_RETURN_NOT_IMPLEMENTED;
|
||||
# endif
|
||||
# if defined(HAVE_DECL_SSL_CTX_SET1_CURVES_LIST) && HAVE_DECL_SSL_CTX_SET1_CURVES_LIST
|
||||
if (context->tls_curves_list &&
|
||||
!SSL_CTX_set1_curves_list(context->tls_ctx, context->tls_curves_list))
|
||||
return GETDNS_RETURN_BAD_CONTEXT;
|
||||
# else
|
||||
if (context->tls_curves_list)
|
||||
return GETDNS_RETURN_NOT_IMPLEMENTED;
|
||||
# endif
|
||||
/* For strict authentication, we must have local root certs available
|
||||
Set up is done only when the tls_ctx is created (per getdns_context)*/
|
||||
|
|
36
src/stub.c
36
src/stub.c
|
@ -937,6 +937,16 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
|
|||
_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS,
|
||||
GETDNS_LOG_ERR, "%-40s : Error configuring tls_curves_list "
|
||||
"\"%s\"\n", upstream->addr_str, upstream->tls_curves_list);
|
||||
SSL_free(ssl);
|
||||
return NULL;
|
||||
}
|
||||
#else
|
||||
if (upstream->tls_curves_list) {
|
||||
_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS,
|
||||
GETDNS_LOG_ERR, "%-40s : tls_curves_list not supported "
|
||||
"in tls library\n", upstream->addr_str);
|
||||
SSL_free(ssl);
|
||||
return NULL;
|
||||
}
|
||||
#endif
|
||||
#ifdef HAVE_SSL_SET_CIPHERSUITES
|
||||
|
@ -946,8 +956,17 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
|
|||
GETDNS_LOG_ERR, "%-40s : Error configuring tls_ciphersuites "
|
||||
"\"%s\"\n", upstream->addr_str, upstream->tls_ciphersuites);
|
||||
}
|
||||
#else
|
||||
if (upstream->tls_ciphersuites) {
|
||||
_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS,
|
||||
GETDNS_LOG_ERR, "%-40s : tls_ciphersuites not "
|
||||
"supported in tls library\n", upstream->addr_str);
|
||||
SSL_free(ssl);
|
||||
return NULL;
|
||||
}
|
||||
#endif
|
||||
#if defined(HAVE_DECL_SSL_SET_MIN_PROTO_VERSION) && HAVE_DECL_SSL_SET_MIN_PROTO_VERSION
|
||||
#if defined(HAVE_DECL_SSL_SET_MIN_PROTO_VERSION) \
|
||||
&& HAVE_DECL_SSL_SET_MIN_PROTO_VERSION
|
||||
if (upstream->tls_min_version && !SSL_set_min_proto_version(ssl,
|
||||
_getdns_tls_version2openssl_version(upstream->tls_min_version))) {
|
||||
struct const_info *ci =
|
||||
|
@ -978,6 +997,21 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
|
|||
"tls_max_version \"%d\"\n", upstream->addr_str,
|
||||
upstream->tls_max_version);
|
||||
}
|
||||
#else
|
||||
if (upstream->tls_min_version) {
|
||||
_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS,
|
||||
GETDNS_LOG_ERR, "%-40s : tls_min_version not "
|
||||
"supported in tls library\n", upstream->addr_str);
|
||||
SSL_free(ssl);
|
||||
return NULL;
|
||||
}
|
||||
if (upstream->tls_max_version) {
|
||||
_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS,
|
||||
GETDNS_LOG_ERR, "%-40s : tls_max_version not "
|
||||
"supported in tls library\n", upstream->addr_str);
|
||||
SSL_free(ssl);
|
||||
return NULL;
|
||||
}
|
||||
#endif
|
||||
/* make sure we'll be able to find the context again when we need it */
|
||||
if (_getdns_associate_upstream_with_SSL(ssl, upstream) != GETDNS_RETURN_GOOD) {
|
||||
|
|
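Review bot: The `#ifdef HAVE_SSL_SET_CIPHERSUITES` branch in the second stub.c hunk still only logs when the configured tls_ciphersuites string is rejected — the `}` that closes that block, right before the new `#else`, is not preceded by `SSL_free(ssl); return NULL;` the way the tls_curves_list path in the first hunk and every new `#else` branch are. A ciphersuite list that the library cannot parse therefore continues the handshake with the library's default suites, which is the opposite of the enforcement the commit message describes; adding `SSL_free(ssl);` and `return NULL;` before that closing brace makes the three settings behave the same way. The tls_max_version error branch in the last hunk (the block closed just before its `#else`) appears to have the same shape, though its start lies outside the hunk so I cannot confirm whether it returns earlier. The enclosing tls_create_object starts and ends outside these hunks.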