diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
index fc5d264f98..54c339b8f4 100644
--- a/bin/tests/system/conf.sh.in
+++ b/bin/tests/system/conf.sh.in
@@ -114,6 +114,9 @@ SHELL=@SHELL@
 # CURL will be empty if no program was found by configure
 CURL=@CURL@
+# GNUTLS_CLI will be empty if no program was found by configure
+GNUTLS_CLI=@GNUTLS_CLI@
+
 # NC will be empty if no program was found by configure
 NC=@NC@
diff --git a/bin/tests/system/doth/clean.sh b/bin/tests/system/doth/clean.sh
index b0fcfdf23f..b0915f53aa 100644
--- a/bin/tests/system/doth/clean.sh
+++ b/bin/tests/system/doth/clean.sh
@@ -20,5 +20,6 @@ rm -f ./*/named.memstats
 rm -f ./*/named.run
 rm -f ./*/named.run.prev
 rm -f ./dig.out.*
+rm -f ./example-soa-*.test*
 rm -f ./*/example*.db
 rm -rf ./headers.*
diff --git a/bin/tests/system/doth/example-soa-answer.good b/bin/tests/system/doth/example-soa-answer.good
new file mode 100644
index 0000000000..d462dc684d
Binary files /dev/null and b/bin/tests/system/doth/example-soa-answer.good differ
diff --git a/bin/tests/system/doth/example-soa-request.saved b/bin/tests/system/doth/example-soa-request.saved
new file mode 100644
index 0000000000..d5225b2515
Binary files /dev/null and b/bin/tests/system/doth/example-soa-request.saved differ
diff --git a/bin/tests/system/doth/tests.sh b/bin/tests/system/doth/tests.sh
index a07e9a5849..e9bcb89405 100644
--- a/bin/tests/system/doth/tests.sh
+++ b/bin/tests/system/doth/tests.sh
@@ -582,5 +582,29 @@ if [ -n "$testcurl" ]; then
 status=$((status + ret))
 fi
+# check whether we can use gnutls-cli for sending test queries.
+if [ -x "${GNUTLS_CLI}" ] ; then
+ GNUTLS_CLI_CHECK="$(${GNUTLS_CLI} --logfile=/dev/null 2>&1 | grep -i 'illegal option')"
+
+ if [ -n "$GNUTLS_CLI_CHECK" ]; then
+ echo_i "The available version of gnutls-cli does not support the required features"
+ else
+ testgnutls=1
+ fi
+fi
+
+if [ -n "${testgnutls}" ] ; then
+ n=$((n + 1))
+ echo_i "checking sending a DoT query using gnutls-cli ($n)"
+ ret=0
+ # use gnutls-cli to query for 'example/SOA',
+ # use a timeout with a second empty `cat` because EOF in `stdin`
+ # causes gnutls-cli to disconnect without waiting for the answer
+ ( cat example-soa-request.saved && timeout 10 cat ) | "${GNUTLS_CLI}" --no-ca-verification --no-ocsp --alpn=dot --logfile=/dev/null --port=${TLSPORT} 10.53.0.1 > example-soa-answer.test$n 2>&1
+ diff example-soa-answer.good example-soa-answer.test$n > /dev/null 2>&1 || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
+fi
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/configure.ac b/configure.ac
index b525a080d6..580095ef75 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1259,6 +1259,13 @@ AC_CONFIG_FILES([doc/doxygen/doxygen-input-filter],
 AC_PATH_PROG(CURL, curl, curl)
 AC_SUBST(CURL)
+#
+# Look for gnutls-cli
+#
+
+AC_PATH_PROG([GNUTLS_CLI], [gnutls-cli], [])
+AC_SUBST(GNUTLS_CLI)
+
 #
 # Look for nc
 #
diff --git a/lib/isc/tls.c b/lib/isc/tls.c
index 2d24481882..35b8a1277e 100644
--- a/lib/isc/tls.c
+++ b/lib/isc/tls.c
@@ -36,6 +36,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
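Review bot: The second `cat` in the new pipeline keeps gnutls-cli's stdin open only by reading the script's own inherited stdin, so the test depends on how the harness runs tests.sh (stdin from /dev/null would deliver EOF at once and reproduce the early-disconnect the comment describes) and on GNU `timeout`, which is not POSIX and is not covered by the capability probe above it, which checks gnutls-cli alone. `( cat example-soa-request.saved && sleep 10 ) | "${GNUTLS_CLI}" ...` holds the write end of the pipe open for the same ten seconds without either dependency. The probe itself keys on the literal `illegal option` text from gnutls-cli's option parser, which is wording-dependent and deserves a comment such as `# an old gnutls-cli that lacks --logfile prints a usage error; that is the only portable signal we have`. `--port=${TLSPORT}` and the `example-soa-answer.test$n` names are unquoted, which is harmless while those values stay numeric but is at odds with the quoted `"${GNUTLS_CLI}"` beside them.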
@@ -317,16 +318,16 @@ isc_tlsctx_createserver(const char *keyfile, const char *certfile,
 goto ssl_error;
 }
- /* We use a named curve and compressed point conversion form. */
+ /* Use a named curve and uncompressed point conversion form. */
 #if HAVE_EVP_PKEY_GET0_EC_KEY
 EC_KEY_set_asn1_flag(EVP_PKEY_get0_EC_KEY(pkey),
 OPENSSL_EC_NAMED_CURVE);
 EC_KEY_set_conv_form(EVP_PKEY_get0_EC_KEY(pkey),
- POINT_CONVERSION_COMPRESSED);
+ POINT_CONVERSION_UNCOMPRESSED);
 #else
 EC_KEY_set_asn1_flag(pkey->pkey.ec, OPENSSL_EC_NAMED_CURVE);
 EC_KEY_set_conv_form(pkey->pkey.ec,
- POINT_CONVERSION_COMPRESSED);
+ POINT_CONVERSION_UNCOMPRESSED);
 #endif /* HAVE_EVP_PKEY_GET0_EC_KEY */
 #if defined(SSL_CTX_set_ecdh_auto)
@@ -389,7 +390,9 @@ isc_tlsctx_createserver(const char *keyfile, const char *certfile,
 if (cert == NULL) {
 goto ssl_error;
 }
- ASN1_INTEGER_set(X509_get_serialNumber(cert), 1);
+
+ ASN1_INTEGER_set(X509_get_serialNumber(cert),
+ (long)isc_random32());
 #if OPENSSL_VERSION_NUMBER < 0x10101000L
 X509_gmtime_adj(X509_get_notBefore(cert), 0);
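Review bot: The rewritten comment above the `#if HAVE_EVP_PKEY_GET0_EC_KEY` block states what is done but not why the point form changed, which is the question the next reader of this certificate-generation code will ask; a why-comment such as `/* Use a named curve and the uncompressed point form: RFC 5480 makes compressed EC points only optional to support, and not every TLS client accepts them in a certificate. */` would carry the reasoning for both the `HAVE_EVP_PKEY_GET0_EC_KEY` and the `#else` call sites. The gnutls-cli interoperability test added by the same commit hints at the motivation, but that inference should be written down here rather than left to git archaeology. `isc_tlsctx_createserver` starts before this hunk and continues after it.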