Commit Graph

3115 Commits

Author SHA1 Message Date
Jim Hague 9024fd7736 Fix build with INTERCEPT_COM_DS defined.
Decide that layout of handling write results is more readable, and use with read too.
2019-01-15 15:34:33 +00:00
Jim Hague ee6bc7d978 Remove development test erroneously checked in. 2019-01-15 12:39:02 +00:00
Jim Hague 6553aa3aad The new minimum OpenSSL version means that Travis must switch to Xenial. 2019-01-15 12:11:13 +00:00
Jim Hague 8609a35e5b GnuTLS: Add support for TLS 1.3. 2019-01-15 11:31:22 +00:00
Jim Hague ccd6c3592d GnuTLS: Can't set priority for SSL3. 2019-01-15 11:30:56 +00:00
Jim Hague 24774fefd6 Remove 'upstream' association with connection, now unused. 2019-01-15 11:01:58 +00:00
Jim Hague 9e4add2219 Merge branch 'develop' into feature/abstract-tls 2019-01-14 19:15:53 +00:00
Jim Hague 3fe0c94357 Merge branch 'develop' into feature/abstract-tls 2019-01-14 19:09:20 +00:00
Willem Toorop 66f63b21bc Stubby with dns.google in stubby.yml.example 2019-01-11 14:52:40 +01:00
Willem Toorop 78d6bc30f5 Update stubby to 0.2.5 2019-01-11 13:04:07 +01:00
Jim Hague 51cb570809 Re-add support for OpenSSL prior to 1.1, but now require at least 1.0.2 and drop LibreSSL support. 2019-01-11 11:16:48 +00:00
Willem Toorop 35077bdc6d Update ChangeLog & bumb version 2019-01-11 12:08:38 +01:00
Willem Toorop 411c5cf571 Git rid of * if in libgetdns.symbols 2019-01-07 12:08:26 +01:00
Willem Toorop a4020a6841 mk-symfiles.sh improvent
to filter out #defines as intended.
Thanks Zero King
2019-01-07 11:33:21 +01:00
Willem Toorop 014ac3d368 Stubby with trust_anchors_backoff_time example config 2019-01-03 11:19:13 +01:00
Willem Toorop 426b6f67dd Merge branch 'devel/no-tls1.3-in-cipher_list' into develop 2018-12-31 16:14:26 +01:00
Willem Toorop bbe7dff257 No TLS1.3 ciphers in cipher_list only when ...
SSL_set_ciphersuites in OpenSSL API.
2018-12-31 16:13:20 +01:00
Willem Toorop c69a2f7806 Merge branch 'ArchangeGabriel-patch-1' into devel/no-tls1.3-in-cipher_list 2018-12-31 16:09:55 +01:00
Bruno Pagani 1962c03b79
context: remove TLS13 cipher from cipher_list
TLS 1.3 ciphers have to be set in ciphersuites instead.
2018-12-23 11:31:27 +00:00
Willem Toorop 6f4d25e096 Merge branch 'release/1.5.0' into develop 2018-12-21 17:22:01 +01:00
Willem Toorop 309db67f8b RFE getdnsapi/stubby#121 log re-instantiating TLS ...
... upstreams (because they reached tls_backoff_time) at log level 4 (WARNING)
2018-12-21 16:30:46 +01:00
Willem Toorop 345ed9a734 Final stubby update 2018-12-21 15:52:46 +01:00
Willem Toorop 4be406ce1f Bump version 2018-12-21 15:40:13 +01:00
Willem Toorop 7c52883341 Remove truncated response from transport test 2018-12-21 12:44:51 +01:00
Willem Toorop 431f86f414 Make tests aware of NODATA == NO_NAME change 2018-12-21 12:10:19 +01:00
Willem Toorop 5247fc8de4 Mention RESPSTATUS_NO_NAME change in Changelog 2018-12-21 11:44:04 +01:00
Willem Toorop 13e1e36ba3 RESPSTATUS_NO_NAME when no answers found
(so for NODATA answers too)
2018-12-21 11:28:00 +01:00
Willem Toorop ff1cdce6f8 s/explicitely/explicitly/g
Thanks Andreas Schulze
2018-12-20 15:06:01 +01:00
Jim Hague 65f4fbbc81 Make sure all connection deinits are only called if there is something to deinit. 2018-12-14 15:38:32 +00:00
Jim Hague c1bf12c8a2 Update default GnuTLS cipher suite priority string to one that gives the same ciphers as the OpenSSL version.
Also fix deinit segfault.

./gnutls-ciphers "NONE:+AES-256-GCM:+AES-128-GCM:+CHACHA20-POLY1305:+ECDHE-RSA:+ECDHE-ECDSA:+SIGN-RSA-SHA384:+AEAD:+COMP-ALL:+VERS-TLS-ALL:+CURVE-ALL"
Cipher suites for NONE:+AES-256-GCM:+AES-128-GCM:+CHACHA20-POLY1305:+ECDHE-RSA:+ECDHE-ECDSA:+SIGN-RSA-SHA384:+AEAD:+COMP-ALL:+VERS-TLS-ALL:+CURVE-ALL
TLS_ECDHE_RSA_AES_256_GCM_SHA384                  	0xc0, 0x30 TLS1.2
TLS_ECDHE_RSA_AES_128_GCM_SHA256                  	0xc0, 0x2f TLS1.2
TLS_ECDHE_RSA_CHACHA20_POLY1305                   	0xcc, 0xa8 TLS1.2
TLS_ECDHE_ECDSA_AES_256_GCM_SHA384                0xc0, 0x2 TLS1.2
TLS_ECDHE_ECDSA_AES_128_GCM_SHA256                0xc0, 0x2b TLS1.2
TLS_ECDHE_ECDSA_CHACHA20_POLY1305                 0xcc, 0xa9 TLS1.2

$ openssl ciphers -v TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=ChaCha20-Poly1305 Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=ChaCha20-Poly1305 Mac=AEAD
2018-12-14 15:24:13 +00:00
Willem Toorop 79459f5d1d Merge branch 'release/1.5.0' into develop 2018-12-14 16:05:27 +01:00
Willem Toorop 36cb9b0243 We also always publish sha1 over tarballs 2018-12-14 13:45:22 +01:00
Willem Toorop 232f655663 trust_anchor_backoff_time also when appdata dir is not writable 2018-12-14 13:42:43 +01:00
Willem Toorop e9060792dc Merge branch 'release/1.5.0' into develop 2018-12-14 10:45:57 +01:00
Willem Toorop 990372329c typo 2018-12-13 15:26:13 +01:00
Willem Toorop dc6bb0fa52 Something wrong with /etc/hosts? 2018-12-13 15:24:37 +01:00
Willem Toorop eecc18703a Issue found with static analysis 2018-12-13 15:24:27 +01:00
Willem Toorop 154f98e321 Update consts 2018-12-13 15:24:19 +01:00
Willem Toorop 93b7cb6a01 ZONEMD rr-type 2018-12-13 14:53:41 +01:00
Jim Hague a4590bafcb Implement reading CAs from file or dir.
I found gnutls_certificate_set_x509_trust_(file|dir)(), so it's a lot
easier than I feared. Plus a little diggiing shows that if you're
loading the system defaults, GnuTLS on Windows does load them from the
Windows certificate store.
2018-12-13 13:33:54 +00:00
Willem Toorop 41f4940072 Log messages about trust anchor fetching and installing 2018-12-13 14:23:32 +01:00
Jim Hague e8f34d48fb Adjust default cipher list so required authentication works with getdnsapi.
The previous default cipher string wouldn't connect with getdnsapi.
Selection of cipher strings requires some deep study, I think.

So, taking working with getdnsapi.net as our target, discover that we
need SECURE128 as well as SECURE192. And rather than disable everything
except TLS1.2, disable TLS1.0 and TLS1.1. This should mean it connects
to TLS1.3.
2018-12-13 12:04:01 +00:00
Jim Hague 2759d727e5 Minor speeling fix. 2018-12-13 11:54:41 +00:00
Jim Hague fa9d8885f0 Fix problems with GnuTLS pinset handling.
Pinset validation now seems to work.
2018-12-13 11:03:31 +00:00
Willem Toorop 91a3a3db36 More specific return codes, more logging 2018-12-12 16:12:07 +01:00
Jim Hague 45be26642b Fix dane query handling and verify error reporting.
Verify error is flags, not values. And deiniting a dane_query that is
NULL segfaults.
2018-12-12 15:01:07 +00:00
Jim Hague b51c7384e6 Implement _getdns_decode_base64() for GnuTLS.
Use primitives in libnettle.
2018-12-12 15:00:03 +00:00
Jim Hague 0dec4a6f21 Correct format string, fixing type error in specifier.
I was wondering why the error output did appear.
2018-12-12 14:59:13 +00:00
Jim Hague 35b4969216 Abstract out OpenSSL specific parts of getdns_pubkey_pin_create_from_string().
The only OpenSSL function is decoding Base64.
2018-12-11 18:03:00 +00:00
Jim Hague bf011d9294 Add GnuTLS DANE library to configure detection when using GnuTLS. 2018-12-11 18:02:03 +00:00