Willem Toorop
7438de712a
Issue #422 : Update server & client TFO
Seems to work for TLS now too.
At least on Linux.
Thanks Craig Andrews
2019-03-15 12:13:38 +01:00
Willem Toorop
99d15b999c
Issue #423 : Fix insecure delegation detection while scheduling
2019-03-13 14:21:06 +01:00
Jim Hague
968e914e94
Avoid build errors if $sysconfdir or $runstatedir contain a space.
Building on Windows was failing if sysconfdir was, e.g. C:\Program Files.
2019-02-21 14:37:25 +00:00
Willem Toorop
acc9b1cbd5
Typo and unused parameter warning
2019-02-15 13:46:28 +01:00
Willem Toorop
30367dada2
space needed for unit test to succeed
2019-02-15 13:43:28 +01:00
Willem Toorop
034b775e5c
DOA & AMTRELAY RR types implementation
2019-02-15 13:36:39 +01:00
Willem Toorop
71b773ab2f
'"' needs to be escaped too in json
2019-02-15 10:44:49 +01:00
Willem Toorop
c3d0afd47d
Issue #419 : Escape backslashes when printing json
Thanks boB Rudis
2019-02-15 10:29:39 +01:00
Willem Toorop
97ac5d3ddc
Merge branch 'develop' of github.com:getdnsapi/getdns into develop
2019-02-04 15:46:46 +01:00
Willem Toorop
0fef131e9b
bugfix #418 duplicate ,'s in Windows build
2019-02-04 15:46:10 +01:00
Havard Eidnes
c68f5a7a8d
Fix various build warnings uncovered on NetBSD w/pkgsrc.
The isxxxx() and toxxxx() functions have a limited well-defined
input value range, namely that of "unsigned char" plus EOF. Cast
args accordingly.
Bring strncasecmp() into scope by including <strings.h>.
2019-01-28 11:24:10 +01:00
Willem Toorop
7c1b43b420
Fix sole pinset validation with ssl_dane library
2019-01-23 14:33:35 +00:00
Willem Toorop
cad7eb2461
Probably the strlcpy
2019-01-23 14:06:04 +01:00
Willem Toorop
f72fe60035
Cannot reuse qname (via name) after read_line_cb..
.. returns.
2019-01-23 13:55:29 +01:00
Willem Toorop
e657024531
Run all unit tests again
2019-01-23 12:50:44 +01:00
Willem Toorop
35f2ce37c0
Restore original serve delays
2019-01-23 12:49:22 +01:00
Willem Toorop
c4bd91b196
Merge remote-tracking branch 'jim/feature/abstract-tls' into devel/abstract-tls
2019-01-23 12:46:07 +01:00
Willem Toorop
d71dccaf2c
- Nested getdns_context_runt() prevention
- Fix address query with qname and missing qtype for -I and -F too
- disable tiny delay again
2019-01-23 12:43:20 +01:00
Jim Hague
cdc0d43315
Correct auth state thinko. Spotter credit to Willem.
2019-01-23 11:34:02 +00:00
Willem Toorop
8980f5f5ee
Fix nested scheduling with getdns_query -F and -I
+ add 1 millisecond delay between batched queries, just because...
2019-01-23 11:41:00 +01:00
Willem Toorop
0af9a629f4
Does smaller delay make a difference?
2019-01-23 10:50:57 +01:00
Willem Toorop
ac379787a2
Reassure clang static analyzer that all is OK
2019-01-23 10:29:20 +01:00
Willem Toorop
79fbef07d8
type specifier misplaced by #ifdef unclarity
2019-01-23 10:27:17 +01:00
Jim Hague
814ee2c4cf
Fix more gcc 8 warnings.
As warnings, these cause builds to fail when running the test suite.
2019-01-17 11:23:39 +00:00
Jim Hague
09ca9a826b
Fix gcc 8 warnings.
2019-01-15 17:13:13 +00:00
Jim Hague
9024fd7736
Fix build with INTERCEPT_COM_DS defined.
Decide that layout of handling write results is more readable, and use with read too.
2019-01-15 15:34:33 +00:00
Jim Hague
8609a35e5b
GnuTLS: Add support for TLS 1.3.
2019-01-15 11:31:22 +00:00
Jim Hague
ccd6c3592d
GnuTLS: Can't set priority for SSL3.
2019-01-15 11:30:56 +00:00
Jim Hague
24774fefd6
Remove 'upstream' association with connection, now unused.
2019-01-15 11:01:58 +00:00
Jim Hague
3fe0c94357
Merge branch 'develop' into feature/abstract-tls
2019-01-14 19:09:20 +00:00
Jim Hague
51cb570809
Re-add support for OpenSSL prior to 1.1, but now require at least 1.0.2 and drop LibreSSL support.
2019-01-11 11:16:48 +00:00
Willem Toorop
411c5cf571
Get rid of * if in libgetdns.symbols
2019-01-07 12:08:26 +01:00
Willem Toorop
a4020a6841
mk-symfiles.sh improvement
to filter out #defines as intended.
Thanks Zero King
2019-01-07 11:33:21 +01:00
Willem Toorop
bbe7dff257
No TLS1.3 ciphers in cipher_list only when ...
SSL_set_ciphersuites in OpenSSL API.
2018-12-31 16:13:20 +01:00
Bruno Pagani
1962c03b79
context: remove TLS13 cipher from cipher_list
TLS 1.3 ciphers have to be set in ciphersuites instead.
2018-12-23 11:31:27 +00:00
Willem Toorop
309db67f8b
RFE getdnsapi/stubby#121 log re-instantiating TLS ...
... upstreams (because they reached tls_backoff_time) at log level 4 (WARNING)
2018-12-21 16:30:46 +01:00
Willem Toorop
7c52883341
Remove truncated response from transport test
2018-12-21 12:44:51 +01:00
Willem Toorop
431f86f414
Make tests aware of NODATA == NO_NAME change
2018-12-21 12:10:19 +01:00
Willem Toorop
13e1e36ba3
RESPSTATUS_NO_NAME when no answers found
(so for NODATA answers too)
2018-12-21 11:28:00 +01:00
Willem Toorop
ff1cdce6f8
s/explicitely/explicitly/g
Thanks Andreas Schulze
2018-12-20 15:06:01 +01:00
Jim Hague
65f4fbbc81
Make sure all connection deinits are only called if there is something to deinit.
2018-12-14 15:38:32 +00:00
Jim Hague
c1bf12c8a2
Update default GnuTLS cipher suite priority string to one that gives the same ciphers as the OpenSSL version.
Also fix deinit segfault.
./gnutls-ciphers "NONE:+AES-256-GCM:+AES-128-GCM:+CHACHA20-POLY1305:+ECDHE-RSA:+ECDHE-ECDSA:+SIGN-RSA-SHA384:+AEAD:+COMP-ALL:+VERS-TLS-ALL:+CURVE-ALL"
Cipher suites for NONE:+AES-256-GCM:+AES-128-GCM:+CHACHA20-POLY1305:+ECDHE-RSA:+ECDHE-ECDSA:+SIGN-RSA-SHA384:+AEAD:+COMP-ALL:+VERS-TLS-ALL:+CURVE-ALL
TLS_ECDHE_RSA_AES_256_GCM_SHA384 0xc0, 0x30 TLS1.2
TLS_ECDHE_RSA_AES_128_GCM_SHA256 0xc0, 0x2f TLS1.2
TLS_ECDHE_RSA_CHACHA20_POLY1305 0xcc, 0xa8 TLS1.2
TLS_ECDHE_ECDSA_AES_256_GCM_SHA384 0xc0, 0x2 TLS1.2
TLS_ECDHE_ECDSA_AES_128_GCM_SHA256 0xc0, 0x2b TLS1.2
TLS_ECDHE_ECDSA_CHACHA20_POLY1305 0xcc, 0xa9 TLS1.2
$ openssl ciphers -v TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=ChaCha20-Poly1305 Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=ChaCha20-Poly1305 Mac=AEAD
2018-12-14 15:24:13 +00:00
Willem Toorop
232f655663
trust_anchor_backoff_time also when appdata dir is not writable
2018-12-14 13:42:43 +01:00
Willem Toorop
990372329c
typo
2018-12-13 15:26:13 +01:00
Willem Toorop
dc6bb0fa52
Something wrong with /etc/hosts?
2018-12-13 15:24:37 +01:00
Willem Toorop
eecc18703a
Issue found with static analysis
2018-12-13 15:24:27 +01:00
Willem Toorop
154f98e321
Update consts
2018-12-13 15:24:19 +01:00
Willem Toorop
93b7cb6a01
ZONEMD rr-type
2018-12-13 14:53:41 +01:00
Jim Hague
a4590bafcb
Implement reading CAs from file or dir.
I found gnutls_certificate_set_x509_trust_(file|dir)(), so it's a lot
easier than I feared. Plus a little digging shows that if you're
loading the system defaults, GnuTLS on Windows does load them from the
Windows certificate store.
2018-12-13 13:33:54 +00:00
Willem Toorop
41f4940072
Log messages about trust anchor fetching and installing
2018-12-13 14:23:32 +01:00