Date: Thu, 07 Feb 2019 10:56:48 +0000 From: bugzilla-noreply@freebsd.org To: ports-bugs@FreeBSD.org Subject: [Bug 235571] [patch] dns/unbound: Fix DNS over TLS host validation w/OpenSSL 1.0.2 Message-ID: <bug-235571-7788@https.bugs.freebsd.org/bugzilla/>
next in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D235571 Bug ID: 235571 Summary: [patch] dns/unbound: Fix DNS over TLS host validation w/OpenSSL 1.0.2 Product: Ports & Packages Version: Latest Hardware: Any OS: Any Status: New Severity: Affects Some People Priority: --- Component: Individual Port(s) Assignee: ports-bugs@FreeBSD.org Reporter: garga@FreeBSD.org CC: jaap@NLnetLabs.nl Flags: maintainer-feedback?(jaap@NLnetLabs.nl) CC: jaap@NLnetLabs.nl Created attachment 201810 --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D201810&action= =3Dedit unbound patch The code change to support host validation on OpenSSL 1.0.2 was done in outside_network.c but the checks in daemon/remote.c, iterator/iter_fwd.c, a= nd iterator/iter_hints.c were not fixed. As such, attempting to validate hosts with Unbound 1.9.0 still fails with OpenSSL 1.0.2. Specifically, on FreeBSD 11.2 it does not function: unbound: [45843:0] error: no name verification functionality in ssl library, ignored name for 9.9.9.9@853#blah.example.com The attached patch fixes the checks so it works as intended. I have tested = the patch on FreeBSD 11.2 and pfSense 2.4.5 snapshots and it works. The logs indicate successes and failures of validation as expected when testing vari= ous scenarios. Obtained from: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=3D4206#= c5 =20=20=20=20=20=20=20=20=20=20=20=20=20=20 https://github.com/pfsense/FreeBSD-ports/commit/af2c493a0dfa99e2afc6e3f9236= aad10021d6b39 --=20 You are receiving this mail because: You are the assignee for the bug.=
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-235571-7788>