interesting
/
getdns
mirror of https://github.com/getdnsapi/getdns.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
2,805 Commits 58 Branches 69 Tags 14 MiB
Commit Graph

317 Commits

Author SHA1 Message Date
Jim Hague ff9cde2087 Remove SSL type from pubkey-pinning interface. 2018-11-20 15:49:26 +00:00
Jim Hague 1b0a09a23f Wrap hostname/certificate verification. 
This removes the last OpenSSL items from stub.c.
 2018-11-20 14:53:31 +00:00
Jim Hague 5d353d9efb To aid proof-of-concept work, insist on OpenSSL 1.1.1 or later. 
Remove ssl_dane as now surplus to requirements.
 2018-11-16 17:58:29 +00:00
Jim Hague 0fd6fd4c5c Replace (one instance of) SSL_get_peer_certificate(). 2018-11-16 17:09:26 +00:00
Jim Hague 4b8c9d1bd7 Replace SSL_get_version(). 2018-11-15 17:53:37 +00:00
Jim Hague 09019bee75 Replace SSL_write(). 2018-11-15 17:53:29 +00:00
Jim Hague e7453522d5 Replace SSL_read(). 2018-11-15 17:51:52 +00:00
Jim Hague e22c01e212 tls_do_handshake: move handshake and check for new session into abstraction layer. 2018-11-15 14:28:04 +00:00
Jim Hague ffd1136e94 tls_create_object(): Move setting client state and auto-retry into connection_new and add setting connection session. 2018-11-15 13:23:00 +00:00
Jim Hague d9fdd4c10d Abstracting TLS; let's start with context only. 
Change data types in context.h and fix up context.c. Do minimal fixups to stub.c.
 2018-11-15 11:01:13 +00:00
Willem Toorop e481273ff4 Last minute update 2018-05-11 13:20:08 +02:00
Emery Hemingway a6ec2b2449 No TCP sendto without TCP_FASTOPEN 2018-05-08 14:58:17 +02:00
Willem Toorop 8a2fc5f5a9 max_udp_backoff should not be public 
At least, not with this point release
 2018-03-05 12:42:27 +01:00
Robert Groenenberg eec6ec29dd [UDP] try upstreams in round-robin fashion when all yupstreams have failed 2018-03-05 12:03:20 +01:00
Robert Groenenberg f787c87137 Reset back_off on successful query 2018-03-05 12:02:01 +01:00
Robert Groenenberg a0fb2c8424 Limit back_off value to avoid very long retry interval 2018-03-05 12:01:52 +01:00
Willem Toorop fd5e0cdc02 Merge branch 'bugfix/388-endless-fallback-loop' into release/1.4.1 2018-03-05 11:52:36 +01:00
Willem Toorop b178f94505 Don't retry an already tried upstream 2018-03-02 15:56:00 +01:00
Daniel Kahn Gillmor 9301f8970c Fix minor spelling and formatting. 
These issues were found with the codespell tool.
 2018-02-23 14:12:11 -08:00
Willem Toorop 223e85bc02 Merge branch 'features/tls_curves_list' into release/1.4.0 2018-02-12 16:04:49 +01:00
Willem Toorop 9a4e389946 Better #ifdef select when to use X509_check_host 2018-02-12 15:46:42 +01:00
Willem Toorop 401aa2e3b8 Specify the supported curves with TLS 2018-02-12 15:40:17 +01:00
Willem Toorop c3e4061fe2 hostname auth with libressl 2018-02-09 15:18:44 +01:00
Willem Toorop c033e3f1a3 Merge branch 'libressl' into release/1.4.0 2018-02-08 14:04:02 +01:00
Willem Toorop bf1f01c87e Syntactic mod to minimizing changes with before PR 
So changes are highlighted in side-by-side views.
 2018-02-08 12:02:48 +01:00
Willem Toorop 7af885396f Merge branch 'release/1.4.0' into release/1.4.0-merge-PR-377 2018-02-08 11:46:28 +01:00
Willem Toorop 87fec7f9b4 Merge branch 'feature/monitor-tool' into release/1.4.0 2018-02-07 17:11:28 +01:00
Willem Toorop a72359e058 Comply to new style transport logging 2018-02-07 17:08:55 +01:00
Willem Toorop 7d4ccabc7f Merge branch 'bugfix/opportunistic_fallabck' into release/1.4.0-merge-PR-377 2018-02-07 17:00:25 +01:00
Willem Toorop 0eba73a945 LibreSSL like OpenSSL < 1.0.2 2018-02-07 16:42:11 +01:00
Willem Toorop c28a293c9f "Pinset validation failure" error when it occurred 2018-02-07 14:38:31 +01:00
Willem Toorop 9c5a93bbdf Merge branch 'develop' into devel/spki_pinset_via_tlsa_checking 2018-02-07 14:12:24 +01:00
Willem Toorop 2e03d3799c Memory leak on some TLS creation error cases 2018-01-30 12:23:23 +01:00
Sara Dickinson 7e3439efbc Improve handling of opportunistic back-off. If other transports are working, don’t forcibly promote failed upstreams just wait for the re-try timer. 
Clean up logs.
 2018-01-24 13:13:14 +00:00
Jim Hague 0291e205fd Add TLS 1.3 test. 
Add a new item tls_version to call_reporting, containing the OpenSSL version string for the name of the protocol used for the connection.

The test does a normal lookup, but first sets the cipher list to TLS1.3 only ciphers. This will cause a Bad Context error at search time, so we can tell if the underlying OpenSSL library lacks TLS 1.3. The check the call reporting for a TLS version of "TLSv1.3".
 2018-01-19 15:56:40 +00:00
Jim Hague 3666d994a7 Add 'keepalive' test and supporting changes to getdns library. 
Checking for server support for keepalive means we need to know if the server did send a keepalive option to the client. This information is not currently exposed in getdns, so add a flag 'server_keepalive_received' to call_reporting. This is 0 if not received, 1 if received. If received, the actual timeout is in 'idle timeout in ms', though watch out for the overflow alternative.
 2018-01-17 15:17:20 +00:00
Norbert Copones 0fa6d1fe2d src/stub.c: LibreSSL has hostname verification turned on by default 2018-01-12 05:44:27 +08:00
Willem Toorop 712617e568 Dead assignment (without stub debugging) 2018-01-10 13:54:18 +01:00
Willem Toorop 7c5bdd5431 Use danessl submodule when OpenSSL version between 1.0.0 and 1.1.0 2018-01-10 12:47:14 +01:00
Willem Toorop 2471f43dea Less logging with successful authenticated upstreams 2018-01-04 16:15:50 +01:00
Willem Toorop 540735a956 Check pins with DANE functions when available 2018-01-04 15:58:09 +01:00
Willem Toorop ae38a29a50 Upstream specific tls_cipher_list's 2017-12-21 12:30:15 +01:00
Willem Toorop 6afb02b2f1 Bugfix #359: edns_client_subnet_private should set family 
Thanks Daniel Areiza
 2017-11-23 13:20:42 +01:00
Willem Toorop 439f41149b Last rename + explicit EMFILE check replacement 2017-11-03 16:42:38 +01:00
Willem Toorop 4508ec77fb Few more renames 2017-11-03 16:26:19 +01:00
Willem Toorop 3b7b83e309 Review comments from Jim 2017-11-03 15:41:31 +01:00
Willem Toorop a8fac29a66 Handle more harmless I/O error cases + 
- never exit on I/O errors
- never stop listening on I/O errors
- extended platfrom.[ch] with _getdns_strerror()
 2017-11-03 13:50:13 +01:00
Willem Toorop fc073267f1 Dead assignment 2017-10-19 14:14:37 +02:00
Sara Dickinson 8886c5317d Fix 2 bugs: 
- backoff time was not incrementing correctly
- best authentication information state was not being kept for shutdowns during setup (needed if e.g. hostname authentication failed during handshake).
 2017-10-19 10:36:46 +01:00
Willem Toorop eedd1a1448 Eat incoming garbage on statefull transports 
Can deal with timed out queries that are answered anyway.
+ reset the upstream on failure always
  (since requests are rescheduled for fallback by upstream_failed now anyway)
 2017-10-17 16:58:01 +02:00