interesting
/
getdns
mirror of https://github.com/getdnsapi/getdns.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Change pins for IPv6 addresses for Sinodun privacy servers! 

Improve logging of auth failure
This commit is contained in:
Sara Dickinson 2017-02-23 16:48:16 +00:00
parent ff4ecd5b39
commit ebdf657fd7
2 changed files with 9 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
src/stub.c
View File

@ -868,20 +868,19 @@ tls_verify_callback(int preverify_ok, X509_STORE_CTX *ctx)
STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd, err, STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd, err,
X509_verify_cert_error_string(err)); X509_verify_cert_error_string(err));
#endif #endif
#if defined(DAEMON_DEBUG) && DAEMON_DEBUG
if (!preverify_ok && !upstream->tls_fallback_ok)
DEBUG_DAEMON("%s %s : Conn failed : Transport=TLS - *Failure* - (%d) \"%s\"\n",
STUB_DEBUG_DAEMON, upstream->addr_str, err,
X509_verify_cert_error_string(err));
#endif
/* First deal with the hostname authentication done by OpenSSL. */ /* First deal with the hostname authentication done by OpenSSL. */
#ifdef X509_V_ERR_HOSTNAME_MISMATCH #ifdef X509_V_ERR_HOSTNAME_MISMATCH
/*Report if error is hostname mismatch*/ /*Report if error is hostname mismatch*/
if (err == X509_V_ERR_HOSTNAME_MISMATCH) { if (err == X509_V_ERR_HOSTNAME_MISMATCH && upstream->tls_fallback_ok)
if (upstream->tls_fallback_ok)
DEBUG_STUB("%s %-35s: FD: %d WARNING: Proceeding even though hostname validation failed!\n", DEBUG_STUB("%s %-35s: FD: %d WARNING: Proceeding even though hostname validation failed!\n",
STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd); STUB_DEBUG_SETUP_TLS, __FUNC__, upstream->fd);
#if defined(DAEMON_DEBUG) && DAEMON_DEBUG
else
DEBUG_DAEMON("%s %s : Conn failed : Transport=TLS - *Failure* - Hostname mismatch\n",
STUB_DEBUG_DAEMON, upstream->addr_str);
#endif
}
#else #else
/* if we weren't built against OpenSSL with hostname matching we /* if we weren't built against OpenSSL with hostname matching we
* could not have matched the hostname, so this would be an automatic * could not have matched the hostname, so this would be an automatic

4
src/tools/stubby.conf
View File

@ -26,14 +26,14 @@
, tls_auth_name: "dnsovertls.sinodun.com" , tls_auth_name: "dnsovertls.sinodun.com"
, tls_pubkey_pinset: , tls_pubkey_pinset:
[ { digest: "sha256" [ { digest: "sha256"
, value: 0xA132D34D34C181765337C70B83E3697B9524DDDB05A7118B43C0284033D5A0CC , value: 0xEB694ABBD1EC0D56F288F7A70299DCE2C7E64984C73957C580BDE9C81F9C04BE
} ] } ]
}, },
{ address_data: 2001:610:1:40ba:145:100:185:16 { address_data: 2001:610:1:40ba:145:100:185:16
, tls_auth_name: "dnsovertls1.sinodun.com" , tls_auth_name: "dnsovertls1.sinodun.com"
, tls_pubkey_pinset: , tls_pubkey_pinset:
[ { digest: "sha256" [ { digest: "sha256"
, value: 0x659B41EB08DCC70EE9D624E6219C76EE31954DA1548B0C8519EAE5228CB24150 , value: 0x704D9E7002DE13907EBAB2610EB26554599FDFC7092C0BEA7A438DBE3BE9A940
} ] } ]
}, },
{ address_data: 2a04:b900:0:100::38 { address_data: 2a04:b900:0:100::38