diff --git a/doc/ChangeLog b/doc/ChangeLog
index 2d07d66c3..632ec495c 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,3 +1,6 @@
+3 January 2025: Willem
+	- Fix #414: XoT interoperability with BIND and Knot
+
 23 December 2024: Willem
 	- Fix #415: Fix out of tree builds. Thanks Florian Obser (@fobser).
 
diff --git a/doc/RELNOTES b/doc/RELNOTES
index d433e5307..d74c09663 100644
--- a/doc/RELNOTES
+++ b/doc/RELNOTES
@@ -4,6 +4,7 @@ NSD RELEASE NOTES
 ================
 BUG FIXES:
 	- Fix #415: Fix out of tree builds. Thanks Florian Obser (@fobser).
+	- Fix #414: XoT interoperability with BIND and Knot
 
 4.11.0
 ================
diff --git a/server.c b/server.c
index 16e7af2b8..a4f0580ff 100644
--- a/server.c
+++ b/server.c
@@ -1898,23 +1898,29 @@ server_send_soa_xfrd(struct nsd* nsd, int shortsoa)
 
 #ifdef HAVE_SSL
 static void
-log_crypto_from_err(const char* str, unsigned long err)
+log_crypto_from_err(int level, const char* str, unsigned long err)
 {
 	/* error:[error code]:[library name]:[function name]:[reason string] */
 	char buf[128];
 	unsigned long e;
 	ERR_error_string_n(err, buf, sizeof(buf));
-	log_msg(LOG_ERR, "%s crypto %s", str, buf);
+	log_msg(level, "%s crypto %s", str, buf);
 	while( (e=ERR_get_error()) ) {
 		ERR_error_string_n(e, buf, sizeof(buf));
-		log_msg(LOG_ERR, "and additionally crypto %s", buf);
+		log_msg(level, "and additionally crypto %s", buf);
 	}
 }
 
 void
 log_crypto_err(const char* str)
 {
-	log_crypto_from_err(str, ERR_get_error());
+	log_crypto_from_err(LOG_ERR, str, ERR_get_error());
+}
+
+void
+log_crypto_warning(const char* str)
+{
+	log_crypto_from_err(LOG_WARNING, str, ERR_get_error());
 }
 
 /** true if the ssl handshake error has to be squelched from the logs */
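Review bot: log_crypto_from_err gained a level argument and a new public wrapper log_crypto_warning, but neither carries a comment, and the one non-obvious property — the while loop drains every remaining entry of the OpenSSL error queue at that level, not just err — is undocumented. I would add `/* log err, then drain and log the rest of the OpenSSL error queue, all at syslog level 'level' and prefixed with str */` above log_crypto_from_err and `/* like log_crypto_err but at LOG_WARNING; pops the first queued error itself */` above log_crypto_warning. If log_crypto_warning is meant to be callable from other files like log_crypto_err, its prototype belongs next to log_crypto_err's in the header, which this diff does not touch; if it is only used inside server.c, `static` would be the safer default. Both functions are complete within this hunk.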
@@ -2079,6 +2085,20 @@ add_ocsp_data_cb(SSL *s, void* ATTR_UNUSED(arg))
 	}
 }
 
+static int
+server_alpn_cb(SSL* ATTR_UNUSED(s),
+	const unsigned char** out, unsigned char* outlen,
+	const unsigned char* in, unsigned int inlen,
+	void* ATTR_UNUSED(arg))
+{
+	static const unsigned char alpns[] = { 3, 'd', 'o', 't' };
+	unsigned char* tmp_out;
+
+	SSL_select_next_proto(&tmp_out, outlen, alpns, sizeof(alpns), in, inlen);
+	*out = tmp_out;
+	return SSL_TLSEXT_ERR_OK;
+}
+
 SSL_CTX*
 server_tls_ctx_setup(char* key, char* pem, char* verifypem)
 {
@@ -2128,6 +2148,13 @@ server_tls_ctx_setup(char* key, char* pem, char* verifypem)
 		return 0;
 	}
 #endif
+#if defined(SSL_OP_IGNORE_UNEXPECTED_EOF)
+	/* disable client renegotiation */
+	if((SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF) &
+		SSL_OP_IGNORE_UNEXPECTED_EOF) != SSL_OP_IGNORE_UNEXPECTED_EOF) {
+		log_crypto_warning("could not set SSL_OP_IGNORE_UNEXPECTED_EOF");
+	}
+#endif
 #if defined(SHA256_DIGEST_LENGTH) && defined(SSL_TXT_CHACHA20)
 	/* if we detect system-wide crypto policies, use those */
 	if (access( "/etc/crypto-policies/config", F_OK ) != 0 ) {
@@ -2174,6 +2201,7 @@ server_tls_ctx_setup(char* key, char* pem, char* verifypem)
 		SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(verifypem));
 		SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
 	}
+	SSL_CTX_set_alpn_select_cb(ctx, server_alpn_cb, NULL);
 	return ctx;
 }
 
@@ -4802,7 +4830,7 @@ tls_handshake(struct tcp_handler_data* data, int fd, int writing)
 			char a[64], s[256];
 			addr2str(&data->query->remote_addr, a, sizeof(a));
 			snprintf(s, sizeof(s), "TLS handshake failed from %s", a);
-			log_crypto_from_err(s, err);
+			log_crypto_from_err(LOG_ERR, s, err);
 		}
 	}
 	cleanup_tcp_handler(data);
diff --git a/tpkg/xot.tdir/example.com b/tpkg/xot.tdir/xot.example.com
similarity index 100%
rename from tpkg/xot.tdir/example.com
rename to tpkg/xot.tdir/xot.example.com
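Review bot: server_alpn_cb ignores the return value of SSL_select_next_proto, so when a client offers an ALPN list that does not contain "dot" the callback still returns SSL_TLSEXT_ERR_OK with `*out` set to whatever the library left in tmp_out — per the OpenSSL documentation that is, in the no-overlap case, the first entry of the peer's own list, meaning the server would confirm a protocol it does not speak. The result should be checked and the extension left unacknowledged otherwise: `if(SSL_select_next_proto(&tmp_out, outlen, alpns, sizeof(alpns), in, inlen) != OPENSSL_NPN_NEGOTIATED) return SSL_TLSEXT_ERR_NOACK;` before `*out = tmp_out;`. Whether a non-matching ALPN should instead abort the handshake with SSL_TLSEXT_ERR_ALERT_FATAL is a policy choice; NOACK preserves interoperability with clients that send no ALPN at all, since OpenSSL does not invoke the callback in that case, and older OpenSSL releases are also reported to mishandle the no-overlap case with an empty peer list, one more reason not to trust tmp_out unchecked. A one-line comment on the table, `/* ALPN list in wire format: one length-prefixed entry, "dot" */`, would also help the next reader.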
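Review bot: The comment `/* disable client renegotiation */` above the new SSL_OP_IGNORE_UNEXPECTED_EOF block is wrong for this option: SSL_OP_IGNORE_UNEXPECTED_EOF makes a peer that closes the TCP connection without sending close_notify look like a clean end-of-stream instead of an error, and has nothing to do with renegotiation — it reads as copied from the block that ends just above the hunk. Replace it with `/* a peer closing the TCP stream without close_notify is reported as EOF, not as an error; needed for XoT peers that do so (#414) */`. It is also worth a second sentence there, hedged because the transfer code is outside this diff: with this option set, TLS no longer flags a truncated stream, so detection of a cut-off AXFR/IXFR rests on the two-byte DNS length framing and the transfer's own SOA checks. The check itself is correct — SSL_CTX_set_options returns the resulting option mask, so masking the bit back out catches a library that silently refuses it.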
diff --git a/tpkg/xot.tdir/example.edu b/tpkg/xot.tdir/xot.example.edu
similarity index 100%
rename from tpkg/xot.tdir/example.edu
rename to tpkg/xot.tdir/xot.example.edu
diff --git a/tpkg/xot.tdir/example.net b/tpkg/xot.tdir/xot.example.net
similarity index 100%
rename from tpkg/xot.tdir/example.net
rename to tpkg/xot.tdir/xot.example.net
diff --git a/tpkg/xot.tdir/example.org b/tpkg/xot.tdir/xot.example.org
similarity index 100%
rename from tpkg/xot.tdir/example.org
rename to tpkg/xot.tdir/xot.example.org
diff --git a/tpkg/xot.tdir/nsd_control.key b/tpkg/xot.tdir/xot.nsd_control.key
similarity index 100%
rename from tpkg/xot.tdir/nsd_control.key
rename to tpkg/xot.tdir/xot.nsd_control.key
diff --git a/tpkg/xot.tdir/nsd_control.pem b/tpkg/xot.tdir/xot.nsd_control.pem
similarity index 100%
rename from tpkg/xot.tdir/nsd_control.pem
rename to tpkg/xot.tdir/xot.nsd_control.pem
diff --git a/tpkg/xot.tdir/nsd_server.key b/tpkg/xot.tdir/xot.nsd_server.key
similarity index 100%
rename from tpkg/xot.tdir/nsd_server.key
rename to tpkg/xot.tdir/xot.nsd_server.key
diff --git a/tpkg/xot.tdir/nsd_server.pem b/tpkg/xot.tdir/xot.nsd_server.pem
similarity index 100%
rename from tpkg/xot.tdir/nsd_server.pem
rename to tpkg/xot.tdir/xot.nsd_server.pem
diff --git a/tpkg/xot.tdir/xot.primary.conf.in b/tpkg/xot.tdir/xot.primary.conf.in
index 4fec08ef5..cd591d24e 100644
--- a/tpkg/xot.tdir/xot.primary.conf.in
+++ b/tpkg/xot.tdir/xot.primary.conf.in
@@ -17,31 +17,31 @@ remote-control:
 	control-enable: @TPKG_CONTROL_ENABLE@
 	control-interface: 127.0.0.1
 	control-port: @TPKG_PRI_PORT_CTL@
-	server-key-file: "nsd_server.key"
-	server-cert-file: "nsd_server.pem"
-	control-key-file: "nsd_control.key"
-	control-cert-file: "nsd_control.pem"
+	server-key-file: "xot.nsd_server.key"
+	server-cert-file: "xot.nsd_server.pem"
+	control-key-file: "xot.nsd_control.key"
+	control-cert-file: "xot.nsd_control.pem"
 
 zone:
 	name: example.org
-	zonefile: example.org
+	zonefile: xot.example.org
 	notify: 127.0.0.1@@TPKG_SEC_PORT@ xot.
 	provide-xfr: 0.0.0.0/0 xot.
 
 zone:
 	name: example.net
-	zonefile: example.net
+	zonefile: xot.example.net
 	notify: 127.0.0.1@@TPKG_SEC_PORT@ xot.
 	provide-xfr: 0.0.0.0/0 xot.
 
 zone:
 	name: example.com
-	zonefile: example.com
+	zonefile: xot.example.com
 	notify: 127.0.0.1@@TPKG_SEC_PORT@ xot.
 	provide-xfr: 0.0.0.0/0 xot.
 
 zone:
 	name: example.edu
-	zonefile: example.edu
+	zonefile: xot.example.edu
 	notify: 127.0.0.1@@TPKG_SEC_PORT@ xot.
 	provide-xfr: 0.0.0.0/0 xot.
diff --git a/tpkg/xot.tdir/xot.secondary.conf.in b/tpkg/xot.tdir/xot.secondary.conf.in
index e2aee4522..0031e77f7 100644
--- a/tpkg/xot.tdir/xot.secondary.conf.in
+++ b/tpkg/xot.tdir/xot.secondary.conf.in
@@ -12,10 +12,10 @@ remote-control:
 	control-enable: @TPKG_CONTROL_ENABLE@
 	control-interface: 127.0.0.1
 	control-port: @TPKG_SEC_PORT_CTL@
-	server-key-file: "nsd_server.key"
-	server-cert-file: "nsd_server.pem"
-	control-key-file: "nsd_control.key"
-	control-cert-file: "nsd_control.pem"
+	server-key-file: "xot.nsd_server.key"
+	server-cert-file: "xot.nsd_server.pem"
+	control-key-file: "xot.nsd_control.key"
+	control-cert-file: "xot.nsd_control.pem"
 
 include: "xot.tsig"
 
diff --git a/tpkg/xot.tdir/xot.tertiary.conf.in b/tpkg/xot.tdir/xot.tertiary.conf.in
index 612215289..72aca9ea2 100644
--- a/tpkg/xot.tdir/xot.tertiary.conf.in
+++ b/tpkg/xot.tdir/xot.tertiary.conf.in
@@ -11,10 +11,10 @@ remote-control:
 	control-enable: @TPKG_CONTROL_ENABLE@
 	control-interface: 127.0.0.1
 	control-port: @TPKG_TER_PORT_CTL@
-	server-key-file: "nsd_server.key"
-	server-cert-file: "nsd_server.pem"
-	control-key-file: "nsd_control.key"
-	control-cert-file: "nsd_control.pem"
+	server-key-file: "xot.nsd_server.key"
+	server-cert-file: "xot.nsd_server.pem"
+	control-key-file: "xot.nsd_control.key"
+	control-cert-file: "xot.nsd_control.pem"
 
 include: "xot.tsig"
 