From 0a19b5cd621a4cda588f7bc80705a898548859ce Mon Sep 17 00:00:00 2001 From: Aram Sargsyan Date: Fri, 7 Jan 2022 20:37:46 +0000 Subject: [PATCH 1/3] Use uncompressed point conversion form for 'tls ephemeral' ECC keys GnuTLS, NSS, and possibly other TLS libraries currently fail to work with compressed point conversion form supported by OpenSSL. Use uncompressed point conversion form for better compatibility. --- lib/isc/tls.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/lib/isc/tls.c b/lib/isc/tls.c index 2d24481882..cb8d41beb7 100644 --- a/lib/isc/tls.c +++ b/lib/isc/tls.c @@ -317,16 +317,16 @@ isc_tlsctx_createserver(const char *keyfile, const char *certfile, goto ssl_error; } - /* We use a named curve and compressed point conversion form. */ + /* Use a named curve and uncompressed point conversion form. */ #if HAVE_EVP_PKEY_GET0_EC_KEY EC_KEY_set_asn1_flag(EVP_PKEY_get0_EC_KEY(pkey), OPENSSL_EC_NAMED_CURVE); EC_KEY_set_conv_form(EVP_PKEY_get0_EC_KEY(pkey), - POINT_CONVERSION_COMPRESSED); + POINT_CONVERSION_UNCOMPRESSED); #else EC_KEY_set_asn1_flag(pkey->pkey.ec, OPENSSL_EC_NAMED_CURVE); EC_KEY_set_conv_form(pkey->pkey.ec, - POINT_CONVERSION_COMPRESSED); + POINT_CONVERSION_UNCOMPRESSED); #endif /* HAVE_EVP_PKEY_GET0_EC_KEY */ #if defined(SSL_CTX_set_ecdh_auto) From 6f457c512145002c2bea920488af48457c239313 Mon Sep 17 00:00:00 2001 From: Aram Sargsyan Date: Fri, 7 Jan 2022 20:32:18 +0000 Subject: [PATCH 2/3] Generate a random serial number for 'tls ephemeral' certificates Clients can cache the TLS certificates and refuse to accept another one with the same serial number from the same issuer. Generate a random serial number for the self-signed certificates instead of using a fixed value. --- lib/isc/tls.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/lib/isc/tls.c b/lib/isc/tls.c index cb8d41beb7..35b8a1277e 100644 --- a/lib/isc/tls.c +++ b/lib/isc/tls.c 
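Review bot: The rewritten comment above the `#if HAVE_EVP_PKEY_GET0_EC_KEY` block in patch 1/3 says which point conversion form is set but not why; the reason is recorded only in the commit message. The compressed form is the smaller encoding, so a later cleanup could plausibly switch back and break the same peers again. I would state the constraint in place, for example `/* Use a named curve and the uncompressed point form: GnuTLS and NSS fail to interoperate with the compressed form. */`. The constant is set in both preprocessor branches, so one comment ahead of the `#if` covers both. isc_tlsctx_createserver() starts and ends outside this hunk.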
@@ -36,6 +36,7 @@ #include #include #include +#include #include #include #include @@ -389,7 +390,9 @@ isc_tlsctx_createserver(const char *keyfile, const char *certfile, if (cert == NULL) { goto ssl_error; } - ASN1_INTEGER_set(X509_get_serialNumber(cert), 1); + + ASN1_INTEGER_set(X509_get_serialNumber(cert), + (long)isc_random32()); #if OPENSSL_VERSION_NUMBER < 0x10101000L X509_gmtime_adj(X509_get_notBefore(cert), 0); From daf11421df0db6a324433089d68c887e5da7fabe Mon Sep 17 00:00:00 2001 From: Aram Sargsyan Date: Mon, 10 Jan 2022 12:42:09 +0000 Subject: [PATCH 3/3] Add a test to query DoT using gnutls-cli Add a test to check BIND's DoT (DNS-over-TLS) implementation using gnutls-cli to confirm that it is compatibe with the GnuTLS library. --- bin/tests/system/conf.sh.in | 3 +++ bin/tests/system/doth/clean.sh | 1 + bin/tests/system/doth/example-soa-answer.good | Bin 0 -> 89 bytes .../system/doth/example-soa-request.saved | Bin 0 -> 38 bytes bin/tests/system/doth/tests.sh | 24 ++++++++++++++++++ configure.ac | 7 +++++ 6 files changed, 35 insertions(+) create mode 100644 bin/tests/system/doth/example-soa-answer.good create mode 100644 bin/tests/system/doth/example-soa-request.saved diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in index fc5d264f98..54c339b8f4 100644 --- a/bin/tests/system/conf.sh.in +++ b/bin/tests/system/conf.sh.in @@ -114,6 +114,9 @@ SHELL=@SHELL@ # CURL will be empty if no program was found by configure CURL=@CURL@ +# GNUTLS_CLI will be empty if no program was found by configure +GNUTLS_CLI=@GNUTLS_CLI@ + # NC will be empty if no program was found by configure NC=@NC@ diff --git a/bin/tests/system/doth/clean.sh b/bin/tests/system/doth/clean.sh index b0fcfdf23f..b0915f53aa 100644 --- a/bin/tests/system/doth/clean.sh +++ b/bin/tests/system/doth/clean.sh @@ -20,5 +20,6 @@ rm -f ./*/named.memstats rm -f ./*/named.run rm -f ./*/named.run.prev rm -f ./dig.out.* +rm -f ./example-soa-*.test* rm -f ./*/example*.db rm -rf ./headers.* 
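Review bot: In the second lib/isc/tls.c hunk of patch 2/3, `(long)isc_random32()` can yield a negative serial number wherever `long` is 32 bits wide, assuming isc_random32() returns a full unsigned 32-bit value, and it can also yield zero. RFC 5280 requires a positive serial number, so a strict client may reject such a certificate, which undercuts the compatibility goal of this series. Dropping one bit keeps the value non-negative on every platform: `(long)(isc_random32() >> 1)`. The result of `ASN1_INTEGER_set()` (0 on failure) is also still ignored; a `!= 1` check followed by `goto ssl_error;` would match the error handling visible just above. The function body continues outside the hunk.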
diff --git a/bin/tests/system/doth/example-soa-answer.good b/bin/tests/system/doth/example-soa-answer.good new file mode 100644 index 0000000000000000000000000000000000000000..d462dc684dbe19c85d872fe6330760c2359094a3 GIT binary patch literal 89 zcmZPwUvs3Dfq@YSfh2osMPhD2PAUTf8w2A39uUdE7}&s|&YV|lbbyB|Bfq#LH?g=R gwdep(uxpS3P!B5@ORsNWVBiyAV9;c_02BZM09$|&p#T5? literal 0 HcmV?d00001 diff --git a/bin/tests/system/doth/example-soa-request.saved b/bin/tests/system/doth/example-soa-request.saved new file mode 100644 index 0000000000000000000000000000000000000000..d5225b25153f709796ae57f8e208fa70cc33434d GIT binary patch literal 38 lcmZQjS#yL@fq{_$1Q^**g!&>EEmAy3;=(U1+M@A literal 0 HcmV?d00001 diff --git a/bin/tests/system/doth/tests.sh b/bin/tests/system/doth/tests.sh index a07e9a5849..e9bcb89405 100644 --- a/bin/tests/system/doth/tests.sh +++ b/bin/tests/system/doth/tests.sh 
@@ -582,5 +582,29 @@ if [ -n "$testcurl" ]; then status=$((status + ret)) fi +# check whether we can use gnutls-cli for sending test queries. +if [ -x "${GNUTLS_CLI}" ] ; then + GNUTLS_CLI_CHECK="$(${GNUTLS_CLI} --logfile=/dev/null 2>&1 | grep -i 'illegal option')" + + if [ -n "$GNUTLS_CLI_CHECK" ]; then + echo_i "The available version of gnutls-cli does not support the required features" + else + testgnutls=1 + fi +fi + +if [ -n "${testgnutls}" ] ; then + n=$((n + 1)) + echo_i "checking sending a DoT query using gnutls-cli ($n)" + ret=0 + # use gnutls-cli to query for 'example/SOA', + # use a timeout with a second empty `cat` because EOF in `stdin` + # causes gnutls-cli to disconnect without waiting for the answer + ( cat example-soa-request.saved && timeout 10 cat ) | "${GNUTLS_CLI}" --no-ca-verification --no-ocsp --alpn=dot --logfile=/dev/null --port=${TLSPORT} 10.53.0.1 > example-soa-answer.test$n 2>&1 + diff example-soa-answer.good example-soa-answer.test$n > /dev/null 2>&1 || ret=1 + if [ $ret != 0 ]; then echo_i "failed"; fi + status=$((status + ret)) +fi + echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/configure.ac b/configure.ac index b525a080d6..580095ef75 100644 --- a/configure.ac +++ b/configure.ac @@ -1259,6 +1259,13 @@ AC_CONFIG_FILES([doc/doxygen/doxygen-input-filter], AC_PATH_PROG(CURL, curl, curl) AC_SUBST(CURL) +# +# Look for gnutls-cli +# + +AC_PATH_PROG([GNUTLS_CLI], [gnutls-cli], []) +AC_SUBST(GNUTLS_CLI) + # # Look for nc #
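Review bot: In the gnutls-cli test added to bin/tests/system/doth/tests.sh, `2>&1` folds the client's stderr into `example-soa-answer.test$n`, which is then compared byte for byte with `example-soa-answer.good`. Any warning gnutls-cli prints on stderr would fail the test even when the DNS answer is correct. Redirecting with `> example-soa-answer.test$n 2> example-soa-stderr.test$n` keeps the comparison on the answer alone, and the new name is still matched by the `./example-soa-*.test*` glob added to clean.sh. The feature probe checks only `--logfile`, while the test also depends on `timeout` being installed, so a guard such as `command -v timeout >/dev/null` before setting `testgnutls=1` would turn a spurious failure into a skip. It is also worth a comment that `--no-ca-verification` makes this a handshake and answer check only; nothing here inspects the certificate that patches 1/3 and 2/3 change.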