Jim Hague
ee6bc7d978
Remove development test erroneously checked in.
2019-01-15 12:39:02 +00:00
Jim Hague
6553aa3aad
The new minimum OpenSSL version means that Travis must switch to Xenial.
2019-01-15 12:11:13 +00:00
Jim Hague
8609a35e5b
GnuTLS: Add support for TLS 1.3.
2019-01-15 11:31:22 +00:00
Jim Hague
ccd6c3592d
GnuTLS: Can't set priority for SSL3.
2019-01-15 11:30:56 +00:00
Jim Hague
24774fefd6
Remove 'upstream' association with connection, now unused.
2019-01-15 11:01:58 +00:00
Jim Hague
9e4add2219
Merge branch 'develop' into feature/abstract-tls
2019-01-14 19:15:53 +00:00
Jim Hague
3fe0c94357
Merge branch 'develop' into feature/abstract-tls
2019-01-14 19:09:20 +00:00
Willem Toorop
66f63b21bc
Stubby with dns.google in stubby.yml.example
2019-01-11 14:52:40 +01:00
Willem Toorop
78d6bc30f5
Update stubby to 0.2.5
2019-01-11 13:04:07 +01:00
Jim Hague
51cb570809
Re-add support for OpenSSL prior to 1.1, but now require at least 1.0.2 and drop LibreSSL support.
2019-01-11 11:16:48 +00:00
Willem Toorop
35077bdc6d
Update ChangeLog & bumb version
2019-01-11 12:08:38 +01:00
Willem Toorop
411c5cf571
Git rid of * if in libgetdns.symbols
2019-01-07 12:08:26 +01:00
Willem Toorop
a4020a6841
mk-symfiles.sh improvent
...
to filter out #defines as intended.
Thanks Zero King
2019-01-07 11:33:21 +01:00
Willem Toorop
014ac3d368
Stubby with trust_anchors_backoff_time example config
2019-01-03 11:19:13 +01:00
Willem Toorop
426b6f67dd
Merge branch 'devel/no-tls1.3-in-cipher_list' into develop
2018-12-31 16:14:26 +01:00
Willem Toorop
bbe7dff257
No TLS1.3 ciphers in cipher_list only when ...
...
SSL_set_ciphersuites in OpenSSL API.
2018-12-31 16:13:20 +01:00
Willem Toorop
c69a2f7806
Merge branch 'ArchangeGabriel-patch-1' into devel/no-tls1.3-in-cipher_list
2018-12-31 16:09:55 +01:00
Bruno Pagani
1962c03b79
context: remove TLS13 cipher from cipher_list
...
TLS 1.3 ciphers have to be set in ciphersuites instead.
2018-12-23 11:31:27 +00:00
Willem Toorop
6f4d25e096
Merge branch 'release/1.5.0' into develop
2018-12-21 17:22:01 +01:00
Willem Toorop
309db67f8b
RFE getdnsapi/stubby#121 log re-instantiating TLS ...
...
... upstreams (because they reached tls_backoff_time) at log level 4 (WARNING)
2018-12-21 16:30:46 +01:00
Willem Toorop
345ed9a734
Final stubby update
2018-12-21 15:52:46 +01:00
Willem Toorop
4be406ce1f
Bump version
2018-12-21 15:40:13 +01:00
Willem Toorop
7c52883341
Remove truncated response from transport test
2018-12-21 12:44:51 +01:00
Willem Toorop
431f86f414
Make tests aware of NODATA == NO_NAME change
2018-12-21 12:10:19 +01:00
Willem Toorop
5247fc8de4
Mention RESPSTATUS_NO_NAME change in Changelog
2018-12-21 11:44:04 +01:00
Willem Toorop
13e1e36ba3
RESPSTATUS_NO_NAME when no answers found
...
(so for NODATA answers too)
2018-12-21 11:28:00 +01:00
Willem Toorop
ff1cdce6f8
s/explicitely/explicitly/g
...
Thanks Andreas Schulze
2018-12-20 15:06:01 +01:00
Jim Hague
65f4fbbc81
Make sure all connection deinits are only called if there is something to deinit.
2018-12-14 15:38:32 +00:00
Jim Hague
c1bf12c8a2
Update default GnuTLS cipher suite priority string to one that gives the same ciphers as the OpenSSL version.
...
Also fix deinit segfault.
./gnutls-ciphers "NONE:+AES-256-GCM:+AES-128-GCM:+CHACHA20-POLY1305:+ECDHE-RSA:+ECDHE-ECDSA:+SIGN-RSA-SHA384:+AEAD:+COMP-ALL:+VERS-TLS-ALL:+CURVE-ALL"
Cipher suites for NONE:+AES-256-GCM:+AES-128-GCM:+CHACHA20-POLY1305:+ECDHE-RSA:+ECDHE-ECDSA:+SIGN-RSA-SHA384:+AEAD:+COMP-ALL:+VERS-TLS-ALL:+CURVE-ALL
TLS_ECDHE_RSA_AES_256_GCM_SHA384 0xc0, 0x30 TLS1.2
TLS_ECDHE_RSA_AES_128_GCM_SHA256 0xc0, 0x2f TLS1.2
TLS_ECDHE_RSA_CHACHA20_POLY1305 0xcc, 0xa8 TLS1.2
TLS_ECDHE_ECDSA_AES_256_GCM_SHA384 0xc0, 0x2 TLS1.2
TLS_ECDHE_ECDSA_AES_128_GCM_SHA256 0xc0, 0x2b TLS1.2
TLS_ECDHE_ECDSA_CHACHA20_POLY1305 0xcc, 0xa9 TLS1.2
$ openssl ciphers -v TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256:TLS13-CHACHA20-POLY1305-SHA256:EECDH+AESGCM:EECDH+CHACHA20
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=ChaCha20-Poly1305 Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=ChaCha20-Poly1305 Mac=AEAD
2018-12-14 15:24:13 +00:00
Willem Toorop
79459f5d1d
Merge branch 'release/1.5.0' into develop
2018-12-14 16:05:27 +01:00
Willem Toorop
36cb9b0243
We also always publish sha1 over tarballs
2018-12-14 13:45:22 +01:00
Willem Toorop
232f655663
trust_anchor_backoff_time also when appdata dir is not writable
2018-12-14 13:42:43 +01:00
Willem Toorop
e9060792dc
Merge branch 'release/1.5.0' into develop
2018-12-14 10:45:57 +01:00
Willem Toorop
990372329c
typo
2018-12-13 15:26:13 +01:00
Willem Toorop
dc6bb0fa52
Something wrong with /etc/hosts?
2018-12-13 15:24:37 +01:00
Willem Toorop
eecc18703a
Issue found with static analysis
2018-12-13 15:24:27 +01:00
Willem Toorop
154f98e321
Update consts
2018-12-13 15:24:19 +01:00
Willem Toorop
93b7cb6a01
ZONEMD rr-type
2018-12-13 14:53:41 +01:00
Jim Hague
a4590bafcb
Implement reading CAs from file or dir.
...
I found gnutls_certificate_set_x509_trust_(file|dir)(), so it's a lot
easier than I feared. Plus a little diggiing shows that if you're
loading the system defaults, GnuTLS on Windows does load them from the
Windows certificate store.
2018-12-13 13:33:54 +00:00
Willem Toorop
41f4940072
Log messages about trust anchor fetching and installing
2018-12-13 14:23:32 +01:00
Jim Hague
e8f34d48fb
Adjust default cipher list so required authentication works with getdnsapi.
...
The previous default cipher string wouldn't connect with getdnsapi.
Selection of cipher strings requires some deep study, I think.
So, taking working with getdnsapi.net as our target, discover that we
need SECURE128 as well as SECURE192. And rather than disable everything
except TLS1.2, disable TLS1.0 and TLS1.1. This should mean it connects
to TLS1.3.
2018-12-13 12:04:01 +00:00
Jim Hague
2759d727e5
Minor speeling fix.
2018-12-13 11:54:41 +00:00
Jim Hague
fa9d8885f0
Fix problems with GnuTLS pinset handling.
...
Pinset validation now seems to work.
2018-12-13 11:03:31 +00:00
Willem Toorop
91a3a3db36
More specific return codes, more logging
2018-12-12 16:12:07 +01:00
Jim Hague
45be26642b
Fix dane query handling and verify error reporting.
...
Verify error is flags, not values. And deiniting a dane_query that is
NULL segfaults.
2018-12-12 15:01:07 +00:00
Jim Hague
b51c7384e6
Implement _getdns_decode_base64() for GnuTLS.
...
Use primitives in libnettle.
2018-12-12 15:00:03 +00:00
Jim Hague
0dec4a6f21
Correct format string, fixing type error in specifier.
...
I was wondering why the error output did appear.
2018-12-12 14:59:13 +00:00
Jim Hague
35b4969216
Abstract out OpenSSL specific parts of getdns_pubkey_pin_create_from_string().
...
The only OpenSSL function is decoding Base64.
2018-12-11 18:03:00 +00:00
Jim Hague
bf011d9294
Add GnuTLS DANE library to configure detection when using GnuTLS.
2018-12-11 18:02:03 +00:00
Jim Hague
aa49a935c7
Fixed error detection in certificate verification.
2018-12-11 17:59:44 +00:00