From 92bff79d3d8319bf091e45e9fc2e9f1e4e1f09f5 Mon Sep 17 00:00:00 2001
From: Wouter Wijngaards
Date: Fri, 25 Nov 2016 16:14:14 +0000
Subject: [PATCH] - Fix that with openssl 1.1 control-use-cert: no uses less cpu, by using no encryption over the unix socket.

git-svn-id: file:///svn/unbound/trunk@3936 be551aaa-1e26-0410-a405-d3ace91eadb9
---
 daemon/remote.c | 8 +++++++-
 doc/Changelog | 4 ++++
 smallapp/unbound-control.c | 2 +-
 3 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/daemon/remote.c b/daemon/remote.c
index 417c6a24a..bbd0cff20 100644
--- a/daemon/remote.c
+++ b/daemon/remote.c
@@ -146,6 +146,7 @@ timeval_divide(struct timeval* avg, const struct timeval* sum, size_t d)
 * the command : "openssl dhparam -C 2048"
 * (some openssl versions reject DH that is 'too small', eg. 512).
 */
+#if OPENSSL_VERSION_NUMBER < 0x10100000
 #ifndef S_SPLINT_S
 static DH *get_dh2048(void)
 {
@@ -203,6 +204,7 @@ err:
 return NULL;
 }
 #endif /* SPLINT */
+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000 */
 struct daemon_remote*
 daemon_remote_create(struct config_file* cfg)
@@ -246,12 +248,15 @@ daemon_remote_create(struct config_file* cfg)
 #ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
 SSL_CTX_set_security_level(rc->ctx, 0);
 #endif
- if(!SSL_CTX_set_cipher_list(rc->ctx, "aNULL")) {
+ if(!SSL_CTX_set_cipher_list(rc->ctx, "aNULL, eNULL")) {
 log_crypto_err("Failed to set aNULL cipher list");
 daemon_remote_delete(rc);
 return NULL;
 }
+ /* in openssl 1.1, the securitylevel 0 allows eNULL, that
+ * does not need the DH */
+#if OPENSSL_VERSION_NUMBER < 0x10100000
 /* Since we have no certificates and hence no source of
 * DH params, let's generate and set them
 */
@@ -260,6 +265,7 @@ daemon_remote_create(struct config_file* cfg)
 daemon_remote_delete(rc);
 return NULL;
 }
+#endif
 return rc;
 }
 rc->use_cert = 1;
diff --git a/doc/Changelog b/doc/Changelog
index 7c90fb30c..f4c07b4c9 100644
--- a/doc/Changelog
+++ b/doc/Changelog
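Review bot: The `#if OPENSSL_VERSION_NUMBER < 0x10100000` guard added here, together with its `#endif` in the second hunk and the matching pair around the DH-parameter setup in the third and fourth hunks, also disables that setup on LibreSSL, whose headers define OPENSSL_VERSION_NUMBER as 0x20000000L while tracking the 1.0.x API. On such a build get_dh2048 is compiled out and no DH parameters are installed, so the anonymous DH suites from the `aNULL` list presumably fail to negotiate and the control channel depends on whatever that library permits for eNULL; worth confirming on a LibreSSL build, or using `#if OPENSSL_VERSION_NUMBER < 0x10100000 || defined(LIBRESSL_VERSION_NUMBER)` in all four places. The guard here also carries no explanation (the rationale lives only in the third hunk's comment), so a short `/* OpenSSL 1.1 negotiates eNULL at security level 0 without tmp DH params; see daemon_remote_create */` would help the next reader. get_dh2048 starts in this hunk and its body continues past it.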
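Review bot: `log_crypto_err("Failed to set aNULL cipher list")` two lines below the changed `SSL_CTX_set_cipher_list` call in the third hunk is now stale, since the list it reports on is `"aNULL, eNULL"`; `log_crypto_err("Failed to set aNULL, eNULL cipher list");` keeps the log in step with the configuration. The new comment records only the CPU motivation, but the security consequence belongs next to it: nothing in this hunk limits the branch to unix-socket listeners (the enclosing `if` that leads to `rc->use_cert = 1` starts above the hunk), so if the same `control-use-cert: no` path also serves a loopback TCP control-interface, commands and responses that were previously encrypted with anonymous DH now cross the loopback interface in the clear. I would add `/* eNULL: control traffic is sent unencrypted; only acceptable because control-use-cert: no is meant for a local control-interface */` here, and the same caveat applies to setup_ctx in smallapp/unbound-control.c, which now offers the null-encryption suites to whichever server it is pointed at. Separately, OpenSSL documents ':' as the cipher-list separator (commas and spaces are also accepted), so `"aNULL:eNULL"` is the conventional spelling in both files.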
@@ -1,3 +1,7 @@
+25 November 2016: Wouter
+ - Fix that with openssl 1.1 control-use-cert: no uses less cpu, by
+ using no encryption over the unix socket.
+
 22 Novenber 2016: Ralph
 - Make access-control-tag-data RDATA absolute. This makes the RDATA
 origin consistent between local-data and access-control-tag-data.
diff --git a/smallapp/unbound-control.c b/smallapp/unbound-control.c
index 663497205..3734447cf 100644
--- a/smallapp/unbound-control.c
+++ b/smallapp/unbound-control.c
@@ -179,7 +179,7 @@ setup_ctx(struct config_file* cfg)
 #ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
 SSL_CTX_set_security_level(ctx, 0);
 #endif
- if(!SSL_CTX_set_cipher_list(ctx, "aNULL"))
+ if(!SSL_CTX_set_cipher_list(ctx, "aNULL, eNULL"))
 ssl_err("Error setting NULL cipher!");
 }
 return ctx;