Merge pull request #128 from saradickinson/feature/STARTTLS_removal2

Feature/starttls removal2 Excellent! Thanks!
2015-12-21 16:38:10 +01:00 · 2015-12-21 16:38:10 +01:00 · eb6c6e3f67
parent 95e9fa1f35 91a73ab3d0
commit eb6c6e3f67
12 changed files with 32 additions and 230 deletions
--- a/1
+++ b/1
@ -1,4 +1,5 @@
 *
+  * Remove STARTTLS implementation (no change to SPEC)
  * Enable TCP Fast Open when possible. Add OSX support for TFO.
  * Rename return_call_debugging to return_call_reporting

--- a/src/const-info.c
+++ b/src/const-info.c
@ -43,7 +43,6 @@ static struct const_info consts_info[] = {
 	{  543, "GETDNS_TRANSPORT_TCP_ONLY_KEEP_CONNECTIONS_OPEN", GETDNS_TRANSPORT_TCP_ONLY_KEEP_CONNECTIONS_OPEN_TEXT },
 	{  544, "GETDNS_TRANSPORT_TLS_ONLY_KEEP_CONNECTIONS_OPEN", GETDNS_TRANSPORT_TLS_ONLY_KEEP_CONNECTIONS_OPEN_TEXT },
 	{  545, "GETDNS_TRANSPORT_TLS_FIRST_AND_FALL_BACK_TO_TCP_KEEP_CONNECTIONS_OPEN", GETDNS_TRANSPORT_TLS_FIRST_AND_FALL_BACK_TO_TCP_KEEP_CONNECTIONS_OPEN_TEXT },
-	{  546, "GETDNS_TRANSPORT_STARTTLS_FIRST_AND_FALL_BACK_TO_TCP_KEEP_CONNECTIONS_OPEN", GETDNS_TRANSPORT_STARTTLS_FIRST_AND_FALL_BACK_TO_TCP_KEEP_CONNECTIONS_OPEN_TEXT },
 	{  550, "GETDNS_APPEND_NAME_ALWAYS", GETDNS_APPEND_NAME_ALWAYS_TEXT },
 	{  551, "GETDNS_APPEND_NAME_ONLY_TO_SINGLE_LABEL_AFTER_FAILURE", GETDNS_APPEND_NAME_ONLY_TO_SINGLE_LABEL_AFTER_FAILURE_TEXT },
 	{  552, "GETDNS_APPEND_NAME_ONLY_TO_MULTIPLE_LABEL_NAME_AFTER_FAILURE", GETDNS_APPEND_NAME_ONLY_TO_MULTIPLE_LABEL_NAME_AFTER_FAILURE_TEXT },
@ -88,7 +87,6 @@ static struct const_info consts_info[] = {
 	{ 1200, "GETDNS_TRANSPORT_UDP", GETDNS_TRANSPORT_UDP_TEXT },
 	{ 1201, "GETDNS_TRANSPORT_TCP", GETDNS_TRANSPORT_TCP_TEXT },
 	{ 1202, "GETDNS_TRANSPORT_TLS", GETDNS_TRANSPORT_TLS_TEXT },
-	{ 1203, "GETDNS_TRANSPORT_STARTTLS", GETDNS_TRANSPORT_STARTTLS_TEXT },
 	{ 1300, "GETDNS_AUTHENTICATION_NONE", GETDNS_AUTHENTICATION_NONE_TEXT },
 	{ 1301, "GETDNS_AUTHENTICATION_HOSTNAME", GETDNS_AUTHENTICATION_HOSTNAME_TEXT },
 };
--- a/src/context.c
+++ b/src/context.c
@ -71,23 +71,23 @@ typedef struct host_name_addrs {
 	uint8_t host_name[];
 } host_name_addrs;

+
+/*  If changing these lists also remember to 
+    change the value of GETDNS_UPSTREAM_TRANSPORTS */
 static getdns_transport_list_t 
 getdns_upstream_transports[GETDNS_UPSTREAM_TRANSPORTS] = {
-	GETDNS_TRANSPORT_STARTTLS, // Define before TCP to ease fallback
 	GETDNS_TRANSPORT_TCP,
 	GETDNS_TRANSPORT_TLS,
 };

 static in_port_t 
 getdns_port_array[GETDNS_UPSTREAM_TRANSPORTS] = {
-	GETDNS_PORT_DNS,
 	GETDNS_PORT_DNS,
 	GETDNS_PORT_DNS_OVER_TLS
 };

 char*
 getdns_port_str_array[] = {
-	GETDNS_STR_PORT_DNS,
 	GETDNS_STR_PORT_DNS,
 	GETDNS_STR_PORT_DNS_OVER_TLS
 };
@ -575,8 +575,7 @@ _getdns_upstream_shutdown(getdns_upstream *upstream)
 static int
 tls_is_in_transports_list(getdns_context *context) {
 	for (int i=0; i< context->dns_transport_count;i++) {
-		if (context->dns_transports[i] == GETDNS_TRANSPORT_TLS ||
-		    context->dns_transports[i] == GETDNS_TRANSPORT_STARTTLS)
+		if (context->dns_transports[i] == GETDNS_TRANSPORT_TLS)
 			return 1;
 	}
 	return 0;
@ -586,8 +585,7 @@ static int
 tls_only_is_in_transports_list(getdns_context *context) {
 	if (context->dns_transport_count != 1)
 		return 0;
-	if (context->dns_transports[0] == GETDNS_TRANSPORT_TLS ||
-		context->dns_transports[0] == GETDNS_TRANSPORT_STARTTLS)
+	if (context->dns_transports[0] == GETDNS_TRANSPORT_TLS)
 			return 1;
 	return 0;
 }
@ -617,7 +615,6 @@ upstream_init(getdns_upstream *upstream,
 	/* For sharing a socket to this upstream with TCP  */
 	upstream->fd       = -1;
 	upstream->tls_obj  = NULL;
-	upstream->starttls_req = NULL;
 	upstream->transport = GETDNS_TRANSPORT_TCP;
 	upstream->tls_hs_state = GETDNS_HS_NONE;
 	upstream->tls_auth_failed = 0;
@ -1250,18 +1247,17 @@ getdns_set_base_dns_transports(
 		return GETDNS_RETURN_INVALID_PARAMETER;

 	/* Check for valid transports and that they are used only once*/
-	int u=0,t=0,l=0,s=0;
+	int u=0,t=0,l=0;
 	for(i=0; i<transport_count; i++)
 	{
 		switch (transports[i]) {
 			case GETDNS_TRANSPORT_UDP:       u++; break;
 			case GETDNS_TRANSPORT_TCP:       t++; break;
 			case GETDNS_TRANSPORT_TLS:       l++; break;
-			case GETDNS_TRANSPORT_STARTTLS:  s++; break;
 			default: return GETDNS_RETURN_INVALID_PARAMETER;
 		}
 	}
-	if ( u>1 || t>1 || l>1 || s>1)
+	if ( u>1 || t>1 || l>1)
 		return GETDNS_RETURN_INVALID_PARAMETER;
 	
 	if (!(new_transports = GETDNS_XMALLOC(context->my_mf,
@ -1298,7 +1294,6 @@ set_ub_dns_transport(struct getdns_context* context) {
            set_ub_string_opt(context, "do-tcp:", "yes");
            break;
        case GETDNS_TRANSPORT_TLS:
-        case GETDNS_TRANSPORT_STARTTLS:
            set_ub_string_opt(context, "do-udp:", "no");
            set_ub_string_opt(context, "do-tcp:", "yes");
            /* Find out if there is a fallback available. */
@ -1315,16 +1310,10 @@ set_ub_dns_transport(struct getdns_context* context) {
                    break;
                }
            }
-            if (context->dns_transports[0] == GETDNS_TRANSPORT_TLS) {
            if (fallback == 0) 
                /* Use TLS if it is the only thing.*/
                set_ub_string_opt(context, "ssl-upstream:", "yes");
            break;
-            } else if (fallback == 0)
-                /* Can't support STARTTLS with no fallback. This leads to
-                 * timeouts with un stub validation.... */
-                set_ub_string_opt(context, "do-tcp:", "no");
-            break;
       default:
           return GETDNS_RETURN_CONTEXT_UPDATE_FAIL;
        }
@ -1380,10 +1369,6 @@ getdns_context_set_dns_transport(
 	        context->dns_transports[0] = GETDNS_TRANSPORT_TLS;
 	        context->dns_transports[1] = GETDNS_TRANSPORT_TCP;
 	       break;
-	    case GETDNS_TRANSPORT_STARTTLS_FIRST_AND_FALL_BACK_TO_TCP_KEEP_CONNECTIONS_OPEN:
-	        context->dns_transports[0] = GETDNS_TRANSPORT_STARTTLS;
-	        context->dns_transports[1] = GETDNS_TRANSPORT_TCP;
-	       break;
 	   default:
 	       return GETDNS_RETURN_CONTEXT_UPDATE_FAIL;
 	}
@ -1787,8 +1772,7 @@ getdns_context_set_upstream_recursive_servers(struct getdns_context *context,
 			upstream->addr.ss_family = addr.ss_family;
 			upstream_init(upstream, upstreams, ai);
 			upstream->transport = getdns_upstream_transports[j];
-			if (getdns_upstream_transports[j] == GETDNS_TRANSPORT_TLS ||
-			    getdns_upstream_transports[j] == GETDNS_TRANSPORT_STARTTLS) {
+			if (getdns_upstream_transports[j] == GETDNS_TRANSPORT_TLS) {
 				if ((r = getdns_dict_get_bindata(
 					dict, "tls_auth_name", &tls_auth_name)) == GETDNS_RETURN_GOOD) {
 					/*TODO: VALIDATE THIS STRING!*/
@ -2276,9 +2260,9 @@ _getdns_context_prepare_for_resolution(struct getdns_context *context,
 		}
 	}

-	/* Block use of STARTTLS/TLS ONLY in recursive mode as it won't work */
+	/* Block use of TLS ONLY in recursive mode as it won't work */
    /* Note: If TLS is used in recursive mode this will try TLS on port
-     * 53 so it is blocked here.  So is 'STARTTLS only' at the moment. */
+     * 53 so it is blocked here. */
 	if (context->resolution_type == GETDNS_RESOLUTION_RECURSING &&
 		tls_only_is_in_transports_list(context) == 1)
 		return GETDNS_RETURN_BAD_CONTEXT;
@ -2823,12 +2807,6 @@ getdns_context_get_dns_transport(getdns_context *context,
        else
            return GETDNS_RETURN_WRONG_TYPE_REQUESTED;
    }
-    if (transports[0] == GETDNS_TRANSPORT_STARTTLS) {
-        if (count == 2 && transports[1] == GETDNS_TRANSPORT_TCP)
-            *value = GETDNS_TRANSPORT_STARTTLS_FIRST_AND_FALL_BACK_TO_TCP_KEEP_CONNECTIONS_OPEN;
-        else
-            return GETDNS_RETURN_WRONG_TYPE_REQUESTED;
-    }
    return GETDNS_RETURN_GOOD;
 }

--- a/src/context.h
+++ b/src/context.h
@ -97,7 +97,6 @@ typedef struct getdns_upstream {
 	getdns_transport_list_t  transport;
 	SSL*                     tls_obj;
 	getdns_tls_hs_state_t    tls_hs_state;
-	getdns_dns_req *         starttls_req;
 	getdns_eventloop_event   event;
 	getdns_eventloop        *loop;
 	getdns_tcp_state         tcp;
--- a/src/getdns/getdns.h.in
+++ b/src/getdns/getdns.h.in
@ -185,7 +185,6 @@ typedef enum getdns_transport_list_t {
 	GETDNS_TRANSPORT_UDP = 1200,
 	GETDNS_TRANSPORT_TCP = 1201,
 	GETDNS_TRANSPORT_TLS = 1202,
-	GETDNS_TRANSPORT_STARTTLS = 1203
 } getdns_transport_list_t;

 /**
@ -195,7 +194,6 @@ typedef enum getdns_transport_list_t {
 #define GETDNS_TRANSPORT_UDP_TEXT "See getdns_context_set_dns_transport_list()"
 #define GETDNS_TRANSPORT_TCP_TEXT "See getdns_context_set_dns_transport_list()"
 #define GETDNS_TRANSPORT_TLS_TEXT "See getdns_context_set_dns_transport_list()"
-#define GETDNS_TRANSPORT_STARTTLS_TEXT "See getdns_context_set_dns_transport_list()"
 /** @}
 */

--- a/src/getdns/getdns_extra.h.in
+++ b/src/getdns/getdns_extra.h.in
@ -399,8 +399,6 @@ getdns_context_get_tls_authentication(getdns_context *context,
 #define GETDNS_TRANSPORT_TLS_ONLY_KEEP_CONNECTIONS_OPEN_TEXT "See getdns_context_set_dns_transport()"
 #define GETDNS_TRANSPORT_TLS_FIRST_AND_FALL_BACK_TO_TCP_KEEP_CONNECTIONS_OPEN 545
 #define GETDNS_TRANSPORT_TLS_FIRST_AND_FALL_BACK_TO_TCP_KEEP_CONNECTIONS_OPEN_TEXT "See getdns_context_set_dns_transport()"
-#define GETDNS_TRANSPORT_STARTTLS_FIRST_AND_FALL_BACK_TO_TCP_KEEP_CONNECTIONS_OPEN 546
-#define GETDNS_TRANSPORT_STARTTLS_FIRST_AND_FALL_BACK_TO_TCP_KEEP_CONNECTIONS_OPEN_TEXT "See getdns_context_set_dns_transport()"

 #ifdef __cplusplus
 }
--- a/src/stub.c
+++ b/src/stub.c
@ -256,81 +256,6 @@ match_and_process_server_cookie(
 	return 0;
 }

-static int
-create_starttls_request(getdns_dns_req *dnsreq, getdns_upstream *upstream,
-                        getdns_eventloop *loop)
-{
-	getdns_return_t r = GETDNS_RETURN_GOOD;
-	getdns_dict* extensions = getdns_dict_create_with_context(dnsreq->context);
-	if (!extensions) {
-	    return 0;
-	}
-	r = getdns_dict_set_int(extensions, "specify_class", GLDNS_RR_CLASS_CH);
-	if (r != GETDNS_RETURN_GOOD) {
-	    getdns_dict_destroy(extensions);
-		return 0;
-	}
-	upstream->starttls_req = _getdns_dns_req_new(dnsreq->context, loop,
-	    "STARTTLS", GETDNS_RRTYPE_TXT, extensions);
-	/*TODO[TLS]: TO BIT*/
-	if (upstream->starttls_req == NULL)
-		return 0;
-	getdns_dict_destroy(extensions);
-
-	upstream->starttls_req->netreqs[0]->upstream = upstream;
-	return 1;
-}
-
-static int
-is_starttls_response(getdns_network_req *netreq) 
-{
-	_getdns_rr_iter rr_iter_storage, *rr_iter;
-	_getdns_rdf_iter rdf_iter_storage, *rdf_iter;
-	uint16_t rr_type;
-	gldns_pkt_section section;
-	uint8_t starttls_name_space[256], *starttls_name;
-	uint8_t owner_name_space[256], *owner_name;
-	size_t starttls_name_len = sizeof(starttls_name_space);
-	size_t owner_name_len = sizeof(owner_name_space);;
-
-	/* Servers that are not STARTTLS aware will refuse the CH query*/
-	if (GLDNS_RCODE_NOERROR != GLDNS_RCODE_WIRE(netreq->response))
-		return 0;
-
-	if (GLDNS_ANCOUNT(netreq->response) != 1)
-		return 0;
-
-	for ( rr_iter = _getdns_rr_iter_init(&rr_iter_storage
-	                                        , netreq->response
-	                                        , netreq->response_len)
-	    ; rr_iter
-	    ; rr_iter = _getdns_rr_iter_next(rr_iter)) {
-
-		section = _getdns_rr_iter_section(rr_iter);
-		rr_type = gldns_read_uint16(rr_iter->rr_type);
-		if (section != GLDNS_SECTION_ANSWER
-		    || rr_type != GETDNS_RRTYPE_TXT)
-			continue;
-
-		owner_name = _getdns_owner_if_or_as_decompressed(
-		    rr_iter, owner_name_space, &owner_name_len);
-		if (!_getdns_dname_equal(netreq->owner->name, owner_name))
-			continue;
-
-		if (!(rdf_iter = _getdns_rdf_iter_init(
-		     &rdf_iter_storage, rr_iter)))
-			continue;
-
-		if ((starttls_name = _getdns_rdf_if_or_as_decompressed(
-		    rdf_iter, starttls_name_space, &starttls_name_len)) &&
-		    _getdns_dname_equal(starttls_name, owner_name)) 
-			return 1;
-
-		return 0;
-	}
-	return 0;
-}
-
 /** best effort to set nonblocking */
 static void
 getdns_sock_nonblock(int sockfd)
@ -361,8 +286,7 @@ tcp_connect(getdns_upstream *upstream, getdns_transport_list_t transport)
 	getdns_sock_nonblock(fd);
 #ifdef USE_TCP_FASTOPEN
 	/* Leave the connect to the later call to sendto() if using TCP*/
-	if (transport == GETDNS_TRANSPORT_TCP || 
-	    transport == GETDNS_TRANSPORT_STARTTLS)
+	if (transport == GETDNS_TRANSPORT_TCP)
 		return fd;
 #elif USE_OSX_TCP_FASTOPEN
 	sa_endpoints_t endpoints;
@ -541,15 +465,6 @@ stub_timeout_cb(void *userarg)
 	DEBUG_STUB("*** %s(%p)\n", __FUNCTION__, userarg);
 	getdns_network_req *netreq = (getdns_network_req *)userarg;

-	/* For now, mark a STARTTLS timeout as a failured negotiation and allow 
-	 * fallback but don't close the connection. */
-	if (netreq->owner == netreq->upstream->starttls_req) {
-		netreq->upstream->tls_hs_state = GETDNS_HS_FAILED;
-		stub_next_upstream(netreq);
-		stub_cleanup(netreq);
-		return;
-	}
-
 	stub_next_upstream(netreq);
 	stub_cleanup(netreq);
 	if (netreq->fd >= 0) close(netreq->fd);
@ -813,27 +728,22 @@ static int
 tls_requested(getdns_network_req *netreq)
 {
 	return (netreq->transports[netreq->transport_current] ==
-	        GETDNS_TRANSPORT_TLS ||
-	        netreq->transports[netreq->transport_current] ==
-	        GETDNS_TRANSPORT_STARTTLS) ?
+	        GETDNS_TRANSPORT_TLS) ?
 	        1 : 0;
 }

 static int
 tls_should_write(getdns_upstream *upstream)
 {
-	/* Should messages be written on TLS upstream. Remember that for STARTTLS
-	 * the first message should got over TCP as the handshake isn't started yet.*/
-	return ((upstream->transport == GETDNS_TRANSPORT_TLS ||
-	         upstream->transport == GETDNS_TRANSPORT_STARTTLS) &&
+	/* Should messages be written on TLS upstream. */
+	return ((upstream->transport == GETDNS_TRANSPORT_TLS) &&
 	         upstream->tls_hs_state != GETDNS_HS_NONE) ? 1 : 0;
 }

 static int
 tls_should_read(getdns_upstream *upstream)
 {
-	return ((upstream->transport == GETDNS_TRANSPORT_TLS ||
-	         upstream->transport == GETDNS_TRANSPORT_STARTTLS) &&
+	return ((upstream->transport == GETDNS_TRANSPORT_TLS) &&
 	       !(upstream->tls_hs_state == GETDNS_HS_FAILED ||
 	         upstream->tls_hs_state == GETDNS_HS_NONE)) ? 1 : 0;
 }
@ -842,8 +752,7 @@ static int
 tls_failed(getdns_upstream *upstream)
 {
 	/* No messages should be scheduled onto an upstream in this state */
-	return ((upstream->transport == GETDNS_TRANSPORT_TLS ||
-	         upstream->transport == GETDNS_TRANSPORT_STARTTLS) &&
+	return ((upstream->transport == GETDNS_TRANSPORT_TLS) &&
 	         upstream->tls_hs_state == GETDNS_HS_FAILED) ? 1 : 0;
 }

@ -1430,7 +1339,6 @@ upstream_read_cb(void *userarg)
 	DEBUG_STUB("--- READ: %s\n", __FUNCTION__);
 	getdns_upstream *upstream = (getdns_upstream *)userarg;
 	getdns_network_req *netreq;
-	getdns_dns_req *dnsreq;
 	int q;
 	uint16_t query_id;
 	intptr_t query_id_intptr;
@ -1474,25 +1382,6 @@ upstream_read_cb(void *userarg)
 		 * on a working connection until we hit a problem.*/
 		upstream->upstreams->current = 0;

-		if (netreq->owner == upstream->starttls_req) {
-			dnsreq = netreq->owner;
-			if (is_starttls_response(netreq)) {
-				upstream->tls_obj = tls_create_object(dnsreq,
-				                                      upstream->fd,
-				                                      upstream);
-				if (upstream->tls_obj == NULL) 
-					upstream->tls_hs_state = GETDNS_HS_FAILED;
-				upstream->tls_hs_state = GETDNS_HS_WRITE;
-			} else 
-				upstream->tls_hs_state = GETDNS_HS_FAILED;
-
-			/* Now reschedule the writes on this connection */
-			GETDNS_CLEAR_EVENT(upstream->loop, &upstream->event);
-			GETDNS_SCHEDULE_EVENT(upstream->loop, upstream->fd,
-			    netreq->owner->context->timeout,
-			    getdns_eventloop_event_init(&upstream->event, upstream,
-			     NULL, upstream_write_cb, NULL));
-		}
 		netreq->debug_end_time = _getdns_get_time_as_uintt64();
 		/* This also reschedules events for the upstream*/
 		stub_cleanup(netreq);
@ -1501,7 +1390,6 @@ upstream_read_cb(void *userarg)
 		if (netreq->event.read_cb)
 			upstream_reschedule_netreq_events(upstream, netreq);

-		if (netreq->owner != upstream->starttls_req)
 		_getdns_check_dns_req_complete(netreq->owner);
 	}
 }
@ -1582,20 +1470,6 @@ upstream_write_cb(void *userarg)
 			GETDNS_SCHEDULE_EVENT(upstream->loop,
 			    upstream->fd, TIMEOUT_FOREVER, &upstream->event);
 		}
-		if (upstream->starttls_req && netreq->owner == upstream->starttls_req) {
-			/* Now deschedule any further writes on this connection until we get
-			 * the STARTTLS answer*/
-			GETDNS_CLEAR_EVENT(upstream->loop, &upstream->event);
-			upstream->event.write_cb = NULL;
-			GETDNS_SCHEDULE_EVENT(upstream->loop,
-			    upstream->fd, TIMEOUT_FOREVER, &upstream->event);
-		} else if (upstream->starttls_req) {
-			/* Delay the cleanup of the STARTTLS req until the write of the next
-			 * req in the queue since for sync req, the event on a request is
-			 * used for the callback that writes the next req. */
-			_getdns_dns_req_free(upstream->starttls_req);
-			upstream->starttls_req = NULL;
-		}
 		/* With synchonous lookups, schedule the read locally too */
 		if (netreq->event.write_cb) {
 			GETDNS_CLEAR_EVENT(dnsreq->loop, &netreq->event);
@ -1603,7 +1477,7 @@ upstream_write_cb(void *userarg)
 			    dnsreq->loop, upstream->fd, dnsreq->context->timeout,
 			    getdns_eventloop_event_init(&netreq->event, netreq,
 			    netreq_upstream_read_cb,
-			    (upstream->write_queue && !upstream->starttls_req ?
+			    (upstream->write_queue ?
 			      netreq_upstream_write_cb : NULL),
 			    stub_timeout_cb));
 		}
@ -1639,12 +1513,6 @@ upstream_transport_valid(getdns_upstream *upstream,
 	    upstream->tcp.write_error != 0) {
 		return 0;
 	}
-	/* Allow TCP messages to be sent on a STARTTLS upstream that hasn't
-	 * upgraded to avoid opening a new connection if one is aleady open. */
-	if (transport == GETDNS_TRANSPORT_TCP &&
-	    upstream->transport == GETDNS_TRANSPORT_STARTTLS &&
-	    upstream->tls_hs_state == GETDNS_HS_FAILED)
-		return 1;
 	/* Otherwise, transport must match, and not have failed */
 	if (upstream->transport != transport)
 		return 0;
@ -1740,28 +1608,6 @@ upstream_connect(getdns_upstream *upstream, getdns_transport_list_t transport,
 		upstream->loop = dnsreq->context->extension;
 		upstream->fd = fd;
 		break;
-	case GETDNS_TRANSPORT_STARTTLS:
-		/* Use existing if available. Let the fallback code handle it if
-		 * STARTTLS isn't availble. */
-		if (upstream->fd != -1)
-			return upstream->fd;
-		fd = tcp_connect(upstream, transport);
-		if (fd == -1) return -1;
-		if (!create_starttls_request(dnsreq, upstream, dnsreq->loop))
-			return GETDNS_RETURN_GENERIC_ERROR;
-		getdns_network_req *starttls_netreq = upstream->starttls_req->netreqs[0];
-		upstream->loop = dnsreq->context->extension;
-		upstream->fd = fd;
-		upstream_schedule_netreq(upstream, starttls_netreq);
-		/* Schedule at least the timeout locally, but use less than half the 
-		 * context value so by default this timeouts before the TIMEOUT_TLS.
-		 * And also the write if we perform a synchronous lookup */
-		GETDNS_SCHEDULE_EVENT(
-		    dnsreq->loop, upstream->fd, dnsreq->context->timeout / 3,
-		    getdns_eventloop_event_init(&starttls_netreq->event,
-		    starttls_netreq, NULL, (dnsreq->loop != upstream->loop
-		    ? netreq_upstream_write_cb : NULL), stub_timeout_cb));
-		break;
 	default:
 		return -1;
 		/* Nothing to do*/
@ -1909,9 +1755,7 @@ upstream_schedule_netreq(getdns_upstream *upstream, getdns_network_req *netreq)
 		GETDNS_CLEAR_EVENT(upstream->loop, &upstream->event);
 		upstream->event.timeout_cb = NULL;
 		upstream->event.write_cb = upstream_write_cb;
-		if (upstream->tls_hs_state == GETDNS_HS_WRITE ||
-		    (upstream->starttls_req &&
-		     upstream->starttls_req->netreqs[0] == netreq)) {
+		if (upstream->tls_hs_state == GETDNS_HS_WRITE) {
 			/* Set a timeout on the upstream so we can catch failed setup*/
 			/* TODO[TLS]: When generic fallback supported, we should decide how
 			 * to split the timeout between transports. */
@ -1955,7 +1799,6 @@ _getdns_submit_stub_request(getdns_network_req *netreq)
 		    stub_udp_write_cb: stub_tcp_write_cb), stub_timeout_cb));
 		return GETDNS_RETURN_GOOD;

-	case GETDNS_TRANSPORT_STARTTLS:
 	case GETDNS_TRANSPORT_TLS:
 	case GETDNS_TRANSPORT_TCP:
 		upstream_schedule_netreq(netreq->upstream, netreq);
--- a/src/test/Makefile.in
+++ b/src/test/Makefile.in
@ -58,7 +58,7 @@ CHECK_EVENT_PROG=@CHECK_EVENT_PROG@
 CHECK_EV_PROG=@CHECK_EV_PROG@

 CC=@CC@
-CFLAGS=-I$(srcdir)/.. -I$(srcdir) -I.. $(cflags) @CFLAGS@ 
+CFLAGS=-I$(srcdir)/.. -I$(srcdir) -I.. $(cflags) @CFLAGS@ @CPPFLAGS@
 LDFLAGS=-L.. @LDFLAGS@
 LDLIBS=../libgetdns.la @LIBS@
 CHECK_LIBS=@CHECK_LIBS@
--- a/src/test/getdns_query.c
+++ b/src/test/getdns_query.c
@ -345,9 +345,6 @@ fill_transport_list(getdns_context *context, char *transport_list_str,
 			case 'L': 
 				transports[i] = GETDNS_TRANSPORT_TLS;
 				break;
-			case 'S': 
-				transports[i] = GETDNS_TRANSPORT_STARTTLS;
-				break;
 			default:
 				fprintf(stderr, "Unrecognised transport '%c' in string %s\n", 
 				       *(transport_list_str + i), transport_list_str);
@ -360,7 +357,7 @@ fill_transport_list(getdns_context *context, char *transport_list_str,
 void
 print_usage(FILE *out, const char *progname)
 {
-	fprintf(out, "usage: %s [@<server>] [+extension] [<name>] [<type>]\n",
+	fprintf(out, "usage: %s [@<server>][~<server_hostname>] [+extension] [<name>] [<type>]\n",
 	    progname);
 	fprintf(out, "options:\n");
 	fprintf(out, "\t-a\tPerform asynchronous resolution "
@ -394,11 +391,10 @@ print_usage(FILE *out, const char *progname)
 	fprintf(out, "\t-O\tSet transport to TCP only keep connections open\n");
 	fprintf(out, "\t-L\tSet transport to TLS only keep connections open\n");
 	fprintf(out, "\t-E\tSet transport to TLS with TCP fallback only keep connections open\n");
-	fprintf(out, "\t-R\tSet transport to STARTTLS with TCP fallback only keep connections open\n");
 	fprintf(out, "\t-u\tSet transport to UDP with TCP fallback\n");
 	fprintf(out, "\t-U\tSet transport to UDP only\n");
 	fprintf(out, "\t-l <transports>\tSet transport list. List can contain 1 of each of the characters\n");
-	fprintf(out, "\t\t\t U T L S for UDP, TCP, TLS or STARTTLS e.g 'UT' or 'LST' \n");
+	fprintf(out, "\t\t\t U T L S for UDP, TCP or TLS e.g 'UT' or 'LTU' \n");

 }

@ -790,10 +786,6 @@ getdns_return_t parse_args(int argc, char **argv)
 				getdns_context_set_dns_transport(context,
 				    GETDNS_TRANSPORT_TLS_FIRST_AND_FALL_BACK_TO_TCP_KEEP_CONNECTIONS_OPEN);
 				break;
-			case 'R':
-				getdns_context_set_dns_transport(context,
-				    GETDNS_TRANSPORT_STARTTLS_FIRST_AND_FALL_BACK_TO_TCP_KEEP_CONNECTIONS_OPEN);
-				break;
 			case 'u':
 				getdns_context_set_dns_transport(context,
 				    GETDNS_TRANSPORT_UDP_FIRST_AND_FALL_BACK_TO_TCP);
--- a/src/test/tests_stub_async.c
+++ b/src/test/tests_stub_async.c
@ -47,7 +47,6 @@
 #define TRANSPORT_PIPELINE "pipeline"
 #define TRANSPORT_TLS_KEEPOPEN "tls"
 #define TRANSPORT_TLS_TCP_KEEPOPEN "dns-over-tls"
-#define TRANSPORT_STARTTLS_TCP_KEEPOPEN "starttls"
 #define RESOLUTION_STUB "stub"
 #define RESOLUTION_REC "rec"

@ -111,8 +110,6 @@ main(int argc, char** argv)
 		getdns_context_set_dns_transport(this_context, GETDNS_TRANSPORT_TLS_ONLY_KEEP_CONNECTIONS_OPEN);
 	else if (strncmp(transport, TRANSPORT_TLS_TCP_KEEPOPEN, 12) == 0) 
 		getdns_context_set_dns_transport(this_context, GETDNS_TRANSPORT_TLS_FIRST_AND_FALL_BACK_TO_TCP_KEEP_CONNECTIONS_OPEN);
-	else if (strncmp(transport, TRANSPORT_STARTTLS_TCP_KEEPOPEN, 8) == 0) 
-		getdns_context_set_dns_transport(this_context, GETDNS_TRANSPORT_STARTTLS_FIRST_AND_FALL_BACK_TO_TCP_KEEP_CONNECTIONS_OPEN);
 	else if (strncmp(transport, TRANSPORT_UDP_TCP, 3) != 0) {
 		fprintf(stderr, "Invalid transport %s, must be one of udp, udp_tcp, tcp or pipeline\n", transport);
 		exit(EXIT_FAILURE);
--- a/src/test/tests_transports.sh
+++ b/src/test/tests_transports.sh
@ -49,7 +49,7 @@ usage () {
 	echo "it can be used to check the basic functionality for now. It is recommended that"
 	echo "local or known test servers are used, but it should work with the default servers:"
 	echo " - Google Open DNS for TCP and UDP only "
-	echo  "- the getdnsapi.net test server Open Resolver for TLS, STARTTLS, TCP and UDP"
+	echo  "- the getdnsapi.net test server Open Resolver for TLS, TCP and UDP"
 	echo "NOTE: By default this script assumes it is located in the same directory"
 	echo "as the getdns_query binary. If it is not, then the location of the binary"
 	echo "can be specified via the command line option."
@ -57,7 +57,7 @@ usage () {
 	echo "usage: test_transport.sh"
 	echo "         -p   path to getdns_query binary"
 	echo "         -s   server configured for only TCP and UDP"
-	echo "         -t   server configured for TLS, STARTTLS, TCP and UDP"
+	echo "         -t   server configured for TLS, TCP and UDP"
 	echo "              (This must include the hostname e.g. 185.49.141.38~getdnsapi.net)"
 }

@ -79,7 +79,6 @@ GOOD_QUERIES=(
 "-s -A -q getdnsapi.net -l T      @${SERVER_IP}    "
 "-s -A -q getdnsapi.net -l L      @${TLS_SERVER_IP_NO_NAME}"
 "-s -A -q getdnsapi.net -l L -m   @${TLS_SERVER_IP}")
-#"-s -A -q getdnsapi.net -l S      @${TLS_SERVER_IP_NO_NAME}")

 GOOD_FALLBACK_QUERIES=(
 "-s -A -q getdnsapi.net -l LT     @${SERVER_IP}"
@ -91,7 +90,6 @@ GOOD_FALLBACK_QUERIES=(

 NOT_AVAILABLE_QUERIES=(
 "-s -A -q getdnsapi.net -l L      @${SERVER_IP}    "
-#"-s -A -q getdnsapi.net -l S      @${SERVER_IP}    "
 "-s -A -q getdnsapi.net -l L -m   @${TLS_SERVER_IP_NO_NAME}    "
 "-s -G -q DNSKEY getdnsapi.net -l U   @${SERVER_IP} -b 512 -D")

--- a/src/types-internal.h
+++ b/src/types-internal.h
@ -116,8 +116,8 @@ struct getdns_upstream;
 #define TIMEOUT_FOREVER ((int64_t)-1)
 #define ASSERT_UNREACHABLE 0

-#define GETDNS_TRANSPORTS_MAX 4
-#define GETDNS_UPSTREAM_TRANSPORTS 3
+#define GETDNS_TRANSPORTS_MAX 3
+#define GETDNS_UPSTREAM_TRANSPORTS 2

 /** @}
 */