- tls-cert-bundle option in unbound.conf enables TLS authentication.

git-svn-id: file:///svn/unbound/trunk@4532 be551aaa-1e26-0410-a405-d3ace91eadb9

config.h.in

@@ -425,6 +425,12 @@
 /* Define to 1 if you have the `SSL_CTX_set_security_level' function. */
 #undef HAVE_SSL_CTX_SET_SECURITY_LEVEL
 
+/* Define to 1 if you have the `SSL_get0_peername' function. */
+#undef HAVE_SSL_GET0_PEERNAME
+
+/* Define to 1 if you have the `SSL_set1_host' function. */
+#undef HAVE_SSL_SET1_HOST
+
 /* Define to 1 if you have the <stdarg.h> header file. */
 #undef HAVE_STDARG_H
 

configure

@@ -17659,7 +17659,7 @@ done
 # these check_funcs need -lssl
 BAKLIBS="$LIBS"
 LIBS="-lssl $LIBS"
-for ac_func in OPENSSL_init_ssl SSL_CTX_set_security_level
+for ac_func in OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername
 do :
   as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
 ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"

configure.ac

@@ -719,7 +719,7 @@ AC_CHECK_FUNCS([OPENSSL_config EVP_sha1 EVP_sha256 EVP_sha512 FIPS_mode EVP_MD_C
 # these check_funcs need -lssl
 BAKLIBS="$LIBS"
 LIBS="-lssl $LIBS"
-AC_CHECK_FUNCS([OPENSSL_init_ssl SSL_CTX_set_security_level])
+AC_CHECK_FUNCS([OPENSSL_init_ssl SSL_CTX_set_security_level SSL_set1_host SSL_get0_peername])
 LIBS="$BAKLIBS"
 
 AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto], [], [], [

daemon/unbound.c

@@ -430,7 +430,8 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
 			cfg->ssl_service_key, cfg->ssl_service_pem, NULL)))
 			fatal_exit("could not set up listen SSL_CTX");
 	}
-	if(!(daemon->connect_sslctx = connect_sslctx_create(NULL, NULL, NULL)))
+	if(!(daemon->connect_sslctx = connect_sslctx_create(NULL, NULL,
+		cfg->tls_cert_bundle)))
 		fatal_exit("could not set up connect SSL_CTX");
 #endif
 

doc/Changelog

@@ -1,3 +1,6 @@
+13 February 2018: Wouter
+	- tls-cert-bundle option in unbound.conf enables TLS authentication.
+
 12 February 2018: Wouter
 	- Unit test for auth zone https url download.
 

doc/example.conf.in

@@ -670,6 +670,9 @@ server:
 	# Default is no.  Can be turned on and off with unbound-control.
 	# tls-upstream: no
 
+	# Certificates used to authenticate connections made upstream.
+	# tls-cert-bundle: ""
+
 	# DNS64 prefix. Must be specified when DNS64 is use.
 	# Enable dns64 in module-config.  Used to synthesize IPv6 from IPv4.
 	# dns64-prefix: 64:ff9b::0/96

doc/unbound.conf.5.in

@@ -435,6 +435,15 @@ interfaces configured with that port number as @number get the SSL service.
 .B ssl\-port: \fI<number>
 Alternate syntax for \fBtls\-port\fR.
 .TP
+.B tls\-cert\-bundle: \fI<file>
+If null or "", no file is used.  Set it to the certificate bundle file,
+for example "/etc/pki/tls/certs/ca\-bundle.crt".  These certificates are used
+for authenticating connections made to outside peers.  For example auth\-zone
+urls, and also DNS over TLS connections.
+.TP
+.B ssl\-cert\-bundle: \fI<file>
+Alternate syntax for \fBtls\-cert\-bundle\fR.
+.TP
 .B use\-systemd: \fI<yes or no>
 Enable or disable systemd socket activation.
 Default is no.
@@ -1471,6 +1480,8 @@ the SOA refresh timer is used to wait for making new downloads.  If also
 masters are listed, the masters are first probed with UDP SOA queries to
 see if the SOA serial number has changed, reducing the number of downloads.
 If none of the urls work, the masters are tried with IXFR and AXFR.
+For https, the \fBtls\-cert\-bundle\fR and the hostname from the url are used
+to authenticate the connection.
 .TP
 .B fallback\-enabled: \fI<yes or no>
 Default no.  If enabled, unbound falls back to querying the internet as

libunbound/libworker.c

@@ -159,7 +159,8 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb)
 		w->env->hints = NULL;
 	}
 	if(cfg->ssl_upstream) {
-		w->sslctx = connect_sslctx_create(NULL, NULL, NULL);
+		w->sslctx = connect_sslctx_create(NULL, NULL,
+			cfg->tls_cert_bundle);
 		if(!w->sslctx) {
 			/* to make the setup fail after unlock */
 			hints_delete(w->env->hints);

services/outside_network.c

@@ -2316,6 +2316,26 @@ outnet_comm_point_for_http(struct outside_network* outnet,
 		comm_point_tcp_win_bio_cb(c, c->ssl);
 #endif
 		cp->ssl_shake_state = comm_ssl_shake_write;
+		/* https verification */
+#ifdef HAVE_SSL_SET1_HOST
+		if((SSL_CTX_get_verify_mode(outnet->sslctx)&SSL_VERIFY_PEER)) {
+			/* because we set SSL_VERIFY_PEER, in netevent in
+			 * ssl_handshake, it'll check if the certificate
+			 * verification has succeeded */
+			/* SSL_VERIFY_PEER is set on the sslctx */
+			/* and the certificates to verify with are loaded into
+			 * it with SSL_load_verify_locations or
+			 * SSL_CTX_set_default_verify_paths */
+			/* setting the hostname makes openssl verify the
+			 * host name in the x509 certificate in the
+			 * SSL connection*/
+		 	if(!SSL_set1_host(cp->ssl, host)) {
+				log_err("SSL_set1_host failed");
+				comm_point_delete(cp);
+				return NULL;
+			}
+		}
+#endif /* HAVE_SSL_SET1_HOST */
 	}
 
 	/* set timeout on TCP connection */

util/config_file.c

@@ -108,6 +108,7 @@ config_create(void)
 	cfg->ssl_service_pem = NULL;
 	cfg->ssl_port = 853;
 	cfg->ssl_upstream = 0;
+	cfg->tls_cert_bundle = NULL;
 	cfg->use_syslog = 1;
 	cfg->log_identity = NULL; /* changed later with argv[0] */
 	cfg->log_time_ascii = 0;
@@ -444,6 +445,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
 	else S_STR("ssl-service-key:", ssl_service_key)
 	else S_STR("ssl-service-pem:", ssl_service_pem)
 	else S_NUMBER_NONZERO("ssl-port:", ssl_port)
+	else S_STR("tls-cert-bundle:", tls_cert_bundle)
 	else S_YNO("interface-automatic:", if_automatic)
 	else S_YNO("use-systemd:", use_systemd)
 	else S_YNO("do-daemonize:", do_daemonize)
@@ -853,6 +855,7 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_STR(opt, "ssl-service-key", ssl_service_key)
 	else O_STR(opt, "ssl-service-pem", ssl_service_pem)
 	else O_DEC(opt, "ssl-port", ssl_port)
+	else O_STR(opt, "tls-cert-bundle", tls_cert_bundle)
 	else O_YNO(opt, "use-systemd", use_systemd)
 	else O_YNO(opt, "do-daemonize", do_daemonize)
 	else O_STR(opt, "chroot", chrootdir)
@@ -1270,6 +1273,7 @@ config_delete(struct config_file* cfg)
 	free(cfg->target_fetch_policy);
 	free(cfg->ssl_service_key);
 	free(cfg->ssl_service_pem);
+	free(cfg->tls_cert_bundle);
 	free(cfg->log_identity);
 	config_del_strarray(cfg->ifs, cfg->num_ifs);
 	config_del_strarray(cfg->out_ifs, cfg->num_out_ifs);

util/config_file.h

@@ -100,6 +100,8 @@ struct config_file {
 	int ssl_port;
 	/** if outgoing tcp connections use SSL */
 	int ssl_upstream;
+	/** cert bundle for outgoing connections */
+	char* tls_cert_bundle;
 
 	/** outgoing port range number of ports (per thread) */
 	int outgoing_num_ports;

util/configlexer.lex

@@ -236,6 +236,8 @@ ssl-service-pem{COLON}		{ YDVAR(1, VAR_SSL_SERVICE_PEM) }
 tls-service-pem{COLON}		{ YDVAR(1, VAR_SSL_SERVICE_PEM) }
 ssl-port{COLON}			{ YDVAR(1, VAR_SSL_PORT) }
 tls-port{COLON}			{ YDVAR(1, VAR_SSL_PORT) }
+ssl-cert-bundle{COLON}		{ YDVAR(1, VAR_TLS_CERT_BUNDLE) }
+tls-cert-bundle{COLON}		{ YDVAR(1, VAR_TLS_CERT_BUNDLE) }
 use-systemd{COLON}		{ YDVAR(1, VAR_USE_SYSTEMD) }
 do-daemonize{COLON}		{ YDVAR(1, VAR_DO_DAEMONIZE) }
 interface{COLON}		{ YDVAR(1, VAR_INTERFACE) }

util/configparser.h

@@ -177,104 +177,105 @@ extern int yydebug;
     VAR_FORWARD_FIRST = 387,
     VAR_STUB_SSL_UPSTREAM = 388,
     VAR_FORWARD_SSL_UPSTREAM = 389,
-    VAR_STUB_FIRST = 390,
-    VAR_MINIMAL_RESPONSES = 391,
-    VAR_RRSET_ROUNDROBIN = 392,
-    VAR_MAX_UDP_SIZE = 393,
-    VAR_DELAY_CLOSE = 394,
-    VAR_UNBLOCK_LAN_ZONES = 395,
-    VAR_INSECURE_LAN_ZONES = 396,
-    VAR_INFRA_CACHE_MIN_RTT = 397,
-    VAR_DNS64_PREFIX = 398,
-    VAR_DNS64_SYNTHALL = 399,
-    VAR_DNSTAP = 400,
-    VAR_DNSTAP_ENABLE = 401,
-    VAR_DNSTAP_SOCKET_PATH = 402,
-    VAR_DNSTAP_SEND_IDENTITY = 403,
-    VAR_DNSTAP_SEND_VERSION = 404,
-    VAR_DNSTAP_IDENTITY = 405,
-    VAR_DNSTAP_VERSION = 406,
-    VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES = 407,
-    VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES = 408,
-    VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES = 409,
-    VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES = 410,
-    VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES = 411,
-    VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES = 412,
-    VAR_RESPONSE_IP_TAG = 413,
-    VAR_RESPONSE_IP = 414,
-    VAR_RESPONSE_IP_DATA = 415,
-    VAR_HARDEN_ALGO_DOWNGRADE = 416,
-    VAR_IP_TRANSPARENT = 417,
-    VAR_DISABLE_DNSSEC_LAME_CHECK = 418,
-    VAR_IP_RATELIMIT = 419,
-    VAR_IP_RATELIMIT_SLABS = 420,
-    VAR_IP_RATELIMIT_SIZE = 421,
-    VAR_RATELIMIT = 422,
-    VAR_RATELIMIT_SLABS = 423,
-    VAR_RATELIMIT_SIZE = 424,
-    VAR_RATELIMIT_FOR_DOMAIN = 425,
-    VAR_RATELIMIT_BELOW_DOMAIN = 426,
-    VAR_IP_RATELIMIT_FACTOR = 427,
-    VAR_RATELIMIT_FACTOR = 428,
-    VAR_SEND_CLIENT_SUBNET = 429,
-    VAR_CLIENT_SUBNET_ZONE = 430,
-    VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 431,
-    VAR_CLIENT_SUBNET_OPCODE = 432,
-    VAR_MAX_CLIENT_SUBNET_IPV4 = 433,
-    VAR_MAX_CLIENT_SUBNET_IPV6 = 434,
-    VAR_CAPS_WHITELIST = 435,
-    VAR_CACHE_MAX_NEGATIVE_TTL = 436,
-    VAR_PERMIT_SMALL_HOLDDOWN = 437,
-    VAR_QNAME_MINIMISATION = 438,
-    VAR_QNAME_MINIMISATION_STRICT = 439,
-    VAR_IP_FREEBIND = 440,
-    VAR_DEFINE_TAG = 441,
-    VAR_LOCAL_ZONE_TAG = 442,
-    VAR_ACCESS_CONTROL_TAG = 443,
-    VAR_LOCAL_ZONE_OVERRIDE = 444,
-    VAR_ACCESS_CONTROL_TAG_ACTION = 445,
-    VAR_ACCESS_CONTROL_TAG_DATA = 446,
-    VAR_VIEW = 447,
-    VAR_ACCESS_CONTROL_VIEW = 448,
-    VAR_VIEW_FIRST = 449,
-    VAR_SERVE_EXPIRED = 450,
-    VAR_FAKE_DSA = 451,
-    VAR_FAKE_SHA1 = 452,
-    VAR_LOG_IDENTITY = 453,
-    VAR_HIDE_TRUSTANCHOR = 454,
-    VAR_TRUST_ANCHOR_SIGNALING = 455,
-    VAR_AGGRESSIVE_NSEC = 456,
-    VAR_USE_SYSTEMD = 457,
-    VAR_SHM_ENABLE = 458,
-    VAR_SHM_KEY = 459,
-    VAR_DNSCRYPT = 460,
-    VAR_DNSCRYPT_ENABLE = 461,
-    VAR_DNSCRYPT_PORT = 462,
-    VAR_DNSCRYPT_PROVIDER = 463,
-    VAR_DNSCRYPT_SECRET_KEY = 464,
-    VAR_DNSCRYPT_PROVIDER_CERT = 465,
-    VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 466,
-    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 467,
-    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 468,
-    VAR_DNSCRYPT_NONCE_CACHE_SIZE = 469,
-    VAR_DNSCRYPT_NONCE_CACHE_SLABS = 470,
-    VAR_IPSECMOD_ENABLED = 471,
-    VAR_IPSECMOD_HOOK = 472,
-    VAR_IPSECMOD_IGNORE_BOGUS = 473,
-    VAR_IPSECMOD_MAX_TTL = 474,
-    VAR_IPSECMOD_WHITELIST = 475,
-    VAR_IPSECMOD_STRICT = 476,
-    VAR_CACHEDB = 477,
-    VAR_CACHEDB_BACKEND = 478,
-    VAR_CACHEDB_SECRETSEED = 479,
-    VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 480,
-    VAR_FOR_UPSTREAM = 481,
-    VAR_AUTH_ZONE = 482,
-    VAR_ZONEFILE = 483,
-    VAR_MASTER = 484,
-    VAR_URL = 485,
-    VAR_FOR_DOWNSTREAM = 486,
-    VAR_FALLBACK_ENABLED = 487
+    VAR_TLS_CERT_BUNDLE = 390,
+    VAR_STUB_FIRST = 391,
+    VAR_MINIMAL_RESPONSES = 392,
+    VAR_RRSET_ROUNDROBIN = 393,
+    VAR_MAX_UDP_SIZE = 394,
+    VAR_DELAY_CLOSE = 395,
+    VAR_UNBLOCK_LAN_ZONES = 396,
+    VAR_INSECURE_LAN_ZONES = 397,
+    VAR_INFRA_CACHE_MIN_RTT = 398,
+    VAR_DNS64_PREFIX = 399,
+    VAR_DNS64_SYNTHALL = 400,
+    VAR_DNSTAP = 401,
+    VAR_DNSTAP_ENABLE = 402,
+    VAR_DNSTAP_SOCKET_PATH = 403,
+    VAR_DNSTAP_SEND_IDENTITY = 404,
+    VAR_DNSTAP_SEND_VERSION = 405,
+    VAR_DNSTAP_IDENTITY = 406,
+    VAR_DNSTAP_VERSION = 407,
+    VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES = 408,
+    VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES = 409,
+    VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES = 410,
+    VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES = 411,
+    VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES = 412,
+    VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES = 413,
+    VAR_RESPONSE_IP_TAG = 414,
+    VAR_RESPONSE_IP = 415,
+    VAR_RESPONSE_IP_DATA = 416,
+    VAR_HARDEN_ALGO_DOWNGRADE = 417,
+    VAR_IP_TRANSPARENT = 418,
+    VAR_DISABLE_DNSSEC_LAME_CHECK = 419,
+    VAR_IP_RATELIMIT = 420,
+    VAR_IP_RATELIMIT_SLABS = 421,
+    VAR_IP_RATELIMIT_SIZE = 422,
+    VAR_RATELIMIT = 423,
+    VAR_RATELIMIT_SLABS = 424,
+    VAR_RATELIMIT_SIZE = 425,
+    VAR_RATELIMIT_FOR_DOMAIN = 426,
+    VAR_RATELIMIT_BELOW_DOMAIN = 427,
+    VAR_IP_RATELIMIT_FACTOR = 428,
+    VAR_RATELIMIT_FACTOR = 429,
+    VAR_SEND_CLIENT_SUBNET = 430,
+    VAR_CLIENT_SUBNET_ZONE = 431,
+    VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 432,
+    VAR_CLIENT_SUBNET_OPCODE = 433,
+    VAR_MAX_CLIENT_SUBNET_IPV4 = 434,
+    VAR_MAX_CLIENT_SUBNET_IPV6 = 435,
+    VAR_CAPS_WHITELIST = 436,
+    VAR_CACHE_MAX_NEGATIVE_TTL = 437,
+    VAR_PERMIT_SMALL_HOLDDOWN = 438,
+    VAR_QNAME_MINIMISATION = 439,
+    VAR_QNAME_MINIMISATION_STRICT = 440,
+    VAR_IP_FREEBIND = 441,
+    VAR_DEFINE_TAG = 442,
+    VAR_LOCAL_ZONE_TAG = 443,
+    VAR_ACCESS_CONTROL_TAG = 444,
+    VAR_LOCAL_ZONE_OVERRIDE = 445,
+    VAR_ACCESS_CONTROL_TAG_ACTION = 446,
+    VAR_ACCESS_CONTROL_TAG_DATA = 447,
+    VAR_VIEW = 448,
+    VAR_ACCESS_CONTROL_VIEW = 449,
+    VAR_VIEW_FIRST = 450,
+    VAR_SERVE_EXPIRED = 451,
+    VAR_FAKE_DSA = 452,
+    VAR_FAKE_SHA1 = 453,
+    VAR_LOG_IDENTITY = 454,
+    VAR_HIDE_TRUSTANCHOR = 455,
+    VAR_TRUST_ANCHOR_SIGNALING = 456,
+    VAR_AGGRESSIVE_NSEC = 457,
+    VAR_USE_SYSTEMD = 458,
+    VAR_SHM_ENABLE = 459,
+    VAR_SHM_KEY = 460,
+    VAR_DNSCRYPT = 461,
+    VAR_DNSCRYPT_ENABLE = 462,
+    VAR_DNSCRYPT_PORT = 463,
+    VAR_DNSCRYPT_PROVIDER = 464,
+    VAR_DNSCRYPT_SECRET_KEY = 465,
+    VAR_DNSCRYPT_PROVIDER_CERT = 466,
+    VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 467,
+    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 468,
+    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 469,
+    VAR_DNSCRYPT_NONCE_CACHE_SIZE = 470,
+    VAR_DNSCRYPT_NONCE_CACHE_SLABS = 471,
+    VAR_IPSECMOD_ENABLED = 472,
+    VAR_IPSECMOD_HOOK = 473,
+    VAR_IPSECMOD_IGNORE_BOGUS = 474,
+    VAR_IPSECMOD_MAX_TTL = 475,
+    VAR_IPSECMOD_WHITELIST = 476,
+    VAR_IPSECMOD_STRICT = 477,
+    VAR_CACHEDB = 478,
+    VAR_CACHEDB_BACKEND = 479,
+    VAR_CACHEDB_SECRETSEED = 480,
+    VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 481,
+    VAR_FOR_UPSTREAM = 482,
+    VAR_AUTH_ZONE = 483,
+    VAR_ZONEFILE = 484,
+    VAR_MASTER = 485,
+    VAR_URL = 486,
+    VAR_FOR_DOWNSTREAM = 487,
+    VAR_FALLBACK_ENABLED = 488
   };
 #endif
 /* Tokens.  */
@@ -410,104 +411,105 @@ extern int yydebug;
 #define VAR_FORWARD_FIRST 387
 #define VAR_STUB_SSL_UPSTREAM 388
 #define VAR_FORWARD_SSL_UPSTREAM 389
-#define VAR_STUB_FIRST 390
-#define VAR_MINIMAL_RESPONSES 391
-#define VAR_RRSET_ROUNDROBIN 392
-#define VAR_MAX_UDP_SIZE 393
-#define VAR_DELAY_CLOSE 394
-#define VAR_UNBLOCK_LAN_ZONES 395
-#define VAR_INSECURE_LAN_ZONES 396
-#define VAR_INFRA_CACHE_MIN_RTT 397
-#define VAR_DNS64_PREFIX 398
-#define VAR_DNS64_SYNTHALL 399
-#define VAR_DNSTAP 400
-#define VAR_DNSTAP_ENABLE 401
-#define VAR_DNSTAP_SOCKET_PATH 402
-#define VAR_DNSTAP_SEND_IDENTITY 403
-#define VAR_DNSTAP_SEND_VERSION 404
-#define VAR_DNSTAP_IDENTITY 405
-#define VAR_DNSTAP_VERSION 406
-#define VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES 407
-#define VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES 408
-#define VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES 409
-#define VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES 410
-#define VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES 411
-#define VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES 412
-#define VAR_RESPONSE_IP_TAG 413
-#define VAR_RESPONSE_IP 414
-#define VAR_RESPONSE_IP_DATA 415
-#define VAR_HARDEN_ALGO_DOWNGRADE 416
-#define VAR_IP_TRANSPARENT 417
-#define VAR_DISABLE_DNSSEC_LAME_CHECK 418
-#define VAR_IP_RATELIMIT 419
-#define VAR_IP_RATELIMIT_SLABS 420
-#define VAR_IP_RATELIMIT_SIZE 421
-#define VAR_RATELIMIT 422
-#define VAR_RATELIMIT_SLABS 423
-#define VAR_RATELIMIT_SIZE 424
-#define VAR_RATELIMIT_FOR_DOMAIN 425
-#define VAR_RATELIMIT_BELOW_DOMAIN 426
-#define VAR_IP_RATELIMIT_FACTOR 427
-#define VAR_RATELIMIT_FACTOR 428
-#define VAR_SEND_CLIENT_SUBNET 429
-#define VAR_CLIENT_SUBNET_ZONE 430
-#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 431
-#define VAR_CLIENT_SUBNET_OPCODE 432
-#define VAR_MAX_CLIENT_SUBNET_IPV4 433
-#define VAR_MAX_CLIENT_SUBNET_IPV6 434
-#define VAR_CAPS_WHITELIST 435
-#define VAR_CACHE_MAX_NEGATIVE_TTL 436
-#define VAR_PERMIT_SMALL_HOLDDOWN 437
-#define VAR_QNAME_MINIMISATION 438
-#define VAR_QNAME_MINIMISATION_STRICT 439
-#define VAR_IP_FREEBIND 440
-#define VAR_DEFINE_TAG 441
-#define VAR_LOCAL_ZONE_TAG 442
-#define VAR_ACCESS_CONTROL_TAG 443
-#define VAR_LOCAL_ZONE_OVERRIDE 444
-#define VAR_ACCESS_CONTROL_TAG_ACTION 445
-#define VAR_ACCESS_CONTROL_TAG_DATA 446
-#define VAR_VIEW 447
-#define VAR_ACCESS_CONTROL_VIEW 448
-#define VAR_VIEW_FIRST 449
-#define VAR_SERVE_EXPIRED 450
-#define VAR_FAKE_DSA 451
-#define VAR_FAKE_SHA1 452
-#define VAR_LOG_IDENTITY 453
-#define VAR_HIDE_TRUSTANCHOR 454
-#define VAR_TRUST_ANCHOR_SIGNALING 455
-#define VAR_AGGRESSIVE_NSEC 456
-#define VAR_USE_SYSTEMD 457
-#define VAR_SHM_ENABLE 458
-#define VAR_SHM_KEY 459
-#define VAR_DNSCRYPT 460
-#define VAR_DNSCRYPT_ENABLE 461
-#define VAR_DNSCRYPT_PORT 462
-#define VAR_DNSCRYPT_PROVIDER 463
-#define VAR_DNSCRYPT_SECRET_KEY 464
-#define VAR_DNSCRYPT_PROVIDER_CERT 465
-#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 466
-#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 467
-#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 468
-#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 469
-#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 470
-#define VAR_IPSECMOD_ENABLED 471
-#define VAR_IPSECMOD_HOOK 472
-#define VAR_IPSECMOD_IGNORE_BOGUS 473
-#define VAR_IPSECMOD_MAX_TTL 474
-#define VAR_IPSECMOD_WHITELIST 475
-#define VAR_IPSECMOD_STRICT 476
-#define VAR_CACHEDB 477
-#define VAR_CACHEDB_BACKEND 478
-#define VAR_CACHEDB_SECRETSEED 479
-#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 480
-#define VAR_FOR_UPSTREAM 481
-#define VAR_AUTH_ZONE 482
-#define VAR_ZONEFILE 483
-#define VAR_MASTER 484
-#define VAR_URL 485
-#define VAR_FOR_DOWNSTREAM 486
-#define VAR_FALLBACK_ENABLED 487
+#define VAR_TLS_CERT_BUNDLE 390
+#define VAR_STUB_FIRST 391
+#define VAR_MINIMAL_RESPONSES 392
+#define VAR_RRSET_ROUNDROBIN 393
+#define VAR_MAX_UDP_SIZE 394
+#define VAR_DELAY_CLOSE 395
+#define VAR_UNBLOCK_LAN_ZONES 396
+#define VAR_INSECURE_LAN_ZONES 397
+#define VAR_INFRA_CACHE_MIN_RTT 398
+#define VAR_DNS64_PREFIX 399
+#define VAR_DNS64_SYNTHALL 400
+#define VAR_DNSTAP 401
+#define VAR_DNSTAP_ENABLE 402
+#define VAR_DNSTAP_SOCKET_PATH 403
+#define VAR_DNSTAP_SEND_IDENTITY 404
+#define VAR_DNSTAP_SEND_VERSION 405
+#define VAR_DNSTAP_IDENTITY 406
+#define VAR_DNSTAP_VERSION 407
+#define VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES 408
+#define VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES 409
+#define VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES 410
+#define VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES 411
+#define VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES 412
+#define VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES 413
+#define VAR_RESPONSE_IP_TAG 414
+#define VAR_RESPONSE_IP 415
+#define VAR_RESPONSE_IP_DATA 416
+#define VAR_HARDEN_ALGO_DOWNGRADE 417
+#define VAR_IP_TRANSPARENT 418
+#define VAR_DISABLE_DNSSEC_LAME_CHECK 419
+#define VAR_IP_RATELIMIT 420
+#define VAR_IP_RATELIMIT_SLABS 421
+#define VAR_IP_RATELIMIT_SIZE 422
+#define VAR_RATELIMIT 423
+#define VAR_RATELIMIT_SLABS 424
+#define VAR_RATELIMIT_SIZE 425
+#define VAR_RATELIMIT_FOR_DOMAIN 426
+#define VAR_RATELIMIT_BELOW_DOMAIN 427
+#define VAR_IP_RATELIMIT_FACTOR 428
+#define VAR_RATELIMIT_FACTOR 429
+#define VAR_SEND_CLIENT_SUBNET 430
+#define VAR_CLIENT_SUBNET_ZONE 431
+#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 432
+#define VAR_CLIENT_SUBNET_OPCODE 433
+#define VAR_MAX_CLIENT_SUBNET_IPV4 434
+#define VAR_MAX_CLIENT_SUBNET_IPV6 435
+#define VAR_CAPS_WHITELIST 436
+#define VAR_CACHE_MAX_NEGATIVE_TTL 437
+#define VAR_PERMIT_SMALL_HOLDDOWN 438
+#define VAR_QNAME_MINIMISATION 439
+#define VAR_QNAME_MINIMISATION_STRICT 440
+#define VAR_IP_FREEBIND 441
+#define VAR_DEFINE_TAG 442
+#define VAR_LOCAL_ZONE_TAG 443
+#define VAR_ACCESS_CONTROL_TAG 444
+#define VAR_LOCAL_ZONE_OVERRIDE 445
+#define VAR_ACCESS_CONTROL_TAG_ACTION 446
+#define VAR_ACCESS_CONTROL_TAG_DATA 447
+#define VAR_VIEW 448
+#define VAR_ACCESS_CONTROL_VIEW 449
+#define VAR_VIEW_FIRST 450
+#define VAR_SERVE_EXPIRED 451
+#define VAR_FAKE_DSA 452
+#define VAR_FAKE_SHA1 453
+#define VAR_LOG_IDENTITY 454
+#define VAR_HIDE_TRUSTANCHOR 455
+#define VAR_TRUST_ANCHOR_SIGNALING 456
+#define VAR_AGGRESSIVE_NSEC 457
+#define VAR_USE_SYSTEMD 458
+#define VAR_SHM_ENABLE 459
+#define VAR_SHM_KEY 460
+#define VAR_DNSCRYPT 461
+#define VAR_DNSCRYPT_ENABLE 462
+#define VAR_DNSCRYPT_PORT 463
+#define VAR_DNSCRYPT_PROVIDER 464
+#define VAR_DNSCRYPT_SECRET_KEY 465
+#define VAR_DNSCRYPT_PROVIDER_CERT 466
+#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 467
+#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 468
+#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 469
+#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 470
+#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 471
+#define VAR_IPSECMOD_ENABLED 472
+#define VAR_IPSECMOD_HOOK 473
+#define VAR_IPSECMOD_IGNORE_BOGUS 474
+#define VAR_IPSECMOD_MAX_TTL 475
+#define VAR_IPSECMOD_WHITELIST 476
+#define VAR_IPSECMOD_STRICT 477
+#define VAR_CACHEDB 478
+#define VAR_CACHEDB_BACKEND 479
+#define VAR_CACHEDB_SECRETSEED 480
+#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 481
+#define VAR_FOR_UPSTREAM 482
+#define VAR_AUTH_ZONE 483
+#define VAR_ZONEFILE 484
+#define VAR_MASTER 485
+#define VAR_URL 486
+#define VAR_FOR_DOWNSTREAM 487
+#define VAR_FALLBACK_ENABLED 488
 
 /* Value type.  */
 #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
@@ -518,7 +520,7 @@ union YYSTYPE
 
 	char*	str;
 
-#line 522 "util/configparser.h" /* yacc.c:1909  */
+#line 524 "util/configparser.h" /* yacc.c:1909  */
 };
 
 typedef union YYSTYPE YYSTYPE;

util/configparser.y

@@ -109,7 +109,7 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_IGNORE_CD_FLAG VAR_LOG_QUERIES VAR_LOG_REPLIES
 %token VAR_TCP_UPSTREAM VAR_SSL_UPSTREAM
 %token VAR_SSL_SERVICE_KEY VAR_SSL_SERVICE_PEM VAR_SSL_PORT VAR_FORWARD_FIRST
-%token VAR_STUB_SSL_UPSTREAM VAR_FORWARD_SSL_UPSTREAM
+%token VAR_STUB_SSL_UPSTREAM VAR_FORWARD_SSL_UPSTREAM VAR_TLS_CERT_BUNDLE
 %token VAR_STUB_FIRST VAR_MINIMAL_RESPONSES VAR_RRSET_ROUNDROBIN
 %token VAR_MAX_UDP_SIZE VAR_DELAY_CLOSE
 %token VAR_UNBLOCK_LAN_ZONES VAR_INSECURE_LAN_ZONES
@@ -243,7 +243,8 @@ content_server: server_num_threads | server_verbosity | server_port |
 	server_ipsecmod_enabled | server_ipsecmod_hook |
 	server_ipsecmod_ignore_bogus | server_ipsecmod_max_ttl |
 	server_ipsecmod_whitelist | server_ipsecmod_strict |
-	server_udp_upstream_without_downstream | server_aggressive_nsec
+	server_udp_upstream_without_downstream | server_aggressive_nsec |
+	server_tls_cert_bundle
 	;
 stubstart: VAR_STUB_ZONE
 	{
@@ -674,6 +675,13 @@ server_ssl_port: VAR_SSL_PORT STRING_ARG
 		free($2);
 	}
 	;
+server_tls_cert_bundle: VAR_TLS_CERT_BUNDLE STRING_ARG
+	{
+		OUTYY(("P(server_tls_cert_bundle:%s)\n", $2));
+		free(cfg_parser->cfg->tls_cert_bundle);
+		cfg_parser->cfg->tls_cert_bundle = $2;
+	}
+	;
 server_use_systemd: VAR_USE_SYSTEMD STRING_ARG
 	{
 		OUTYY(("P(server_use_systemd:%s)\n", $2));

util/netevent.c

@@ -964,6 +964,32 @@ tcp_callback_reader(struct comm_point* c)
 	}
 }
 
+#ifdef HAVE_SSL
+/** log certificate details */
+static void
+log_cert(unsigned level, const char* str, X509* cert)
+{
+	BIO* bio;
+	char nul = 0;
+	char* pp = NULL;
+	long len;
+	if(verbosity < level) return;
+	bio = BIO_new(BIO_s_mem());
+	if(!bio) return;
+	X509_print_ex(bio, cert, 0, (unsigned long)-1
+		^(X509_FLAG_NO_SUBJECT
+                        |X509_FLAG_NO_ISSUER|X509_FLAG_NO_VALIDITY
+			|X509_FLAG_NO_EXTENSIONS|X509_FLAG_NO_AUX
+			|X509_FLAG_NO_ATTRIBUTES));
+	BIO_write(bio, &nul, sizeof(nul));
+	len = BIO_get_mem_data(bio, &pp);
+	if(len != 0 && pp) {
+		verbose(level, "%s: \n%s", str, pp);
+	}
+	BIO_free(bio);
+}
+#endif /* HAVE_SSL */
+
 /** continue ssl handshake */
 #ifdef HAVE_SSL
 static int
@@ -1015,8 +1041,51 @@ ssl_handshake(struct comm_point* c)
 		}
 	}
 	/* this is where peer verification could take place */
-	log_addr(VERB_ALGO, "SSL DNS connection", &c->repinfo.addr,
+	if((SSL_get_verify_mode(c->ssl)&SSL_VERIFY_PEER)) {
+		/* verification */
+		if(SSL_get_verify_result(c->ssl) == X509_V_OK) {
+			X509* x = SSL_get_peer_certificate(c->ssl);
+			if(!x) {
+				log_addr(VERB_ALGO, "SSL connection failed: "
+					"no certificate",
+					&c->repinfo.addr, c->repinfo.addrlen);
+				return 0;
+			}
+			log_cert(VERB_ALGO, "peer certificate", x);
+#ifdef HAVE_SSL_GET0_PEERNAME
+			if(SSL_get0_peername(c->ssl)) {
+				char buf[255];
+				snprintf(buf, sizeof(buf), "SSL connection "
+					"to %s authenticated",
+					SSL_get0_peername(c->ssl));
+				log_addr(VERB_ALGO, buf, &c->repinfo.addr,
 					c->repinfo.addrlen);
+			} else {
+#endif
+				log_addr(VERB_ALGO, "SSL connection "
+					"authenticated", &c->repinfo.addr,
+					c->repinfo.addrlen);
+#ifdef HAVE_SSL_GET0_PEERNAME
+			}
+#endif
+			X509_free(x);
+		} else {
+			X509* x = SSL_get_peer_certificate(c->ssl);
+			if(x) {
+				log_cert(VERB_ALGO, "peer certificate", x);
+				X509_free(x);
+			}
+			log_addr(VERB_ALGO, "SSL connection failed: "
+				"failed to authenticate",
+				&c->repinfo.addr, c->repinfo.addrlen);
+			return 0;
+		}
+	} else {
+		/* unauthenticated, the verify peer flag was not set
+		 * in c->ssl when the ssl object was created from ssl_ctx */
+		log_addr(VERB_ALGO, "SSL connection", &c->repinfo.addr,
+			c->repinfo.addrlen);
+	}
 
 	/* setup listen rw correctly */
 	if(c->tcp_is_reading) {