diff --git a/daemon/remote.c b/daemon/remote.c index 587d7965f..2b39eead0 100644 --- a/daemon/remote.c +++ b/daemon/remote.c @@ -170,10 +170,21 @@ daemon_remote_create(struct worker* worker) s_key += strlen(cfg->chrootdir); } verbose(VERB_ALGO, "setup SSL certificates"); - if (!SSL_CTX_use_certificate_file(rc->ctx,s_cert,SSL_FILETYPE_PEM) - || !SSL_CTX_use_PrivateKey_file(rc->ctx,s_key,SSL_FILETYPE_PEM) - || !SSL_CTX_check_private_key(rc->ctx)) { - log_crypto_err("Error setting up SSL_CTX key and cert"); + if (!SSL_CTX_use_certificate_file(rc->ctx,s_cert,SSL_FILETYPE_PEM)) { + log_err("Error for server-cert-file: %s", s_cert); + log_crypto_err("Error in SSL_CTX use_certificate_file"); + daemon_remote_delete(rc); + return NULL; + } + if(!SSL_CTX_use_PrivateKey_file(rc->ctx,s_key,SSL_FILETYPE_PEM)) { + log_err("Error for server-key-file: %s", s_key); + log_crypto_err("Error in SSL_CTX use_PrivateKey_file"); + daemon_remote_delete(rc); + return NULL; + } + if(!SSL_CTX_check_private_key(rc->ctx)) { + log_err("Error for server-key-file: %s", s_key); + log_crypto_err("Error in SSL_CTX check_private_key"); daemon_remote_delete(rc); return NULL; } diff --git a/doc/Changelog b/doc/Changelog index cc1342136..ef1b65610 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -1,3 +1,7 @@ +3 February 2009: Wouter + - noted feature requests in doc/TODO. + - printout more detailed errors on ssl certificate loading failures. + 16 January 2009: Wouter - more quiet about ipv6 network failures, i.e. when ipv6 is not available (network unreachable). Debug still printed on high diff --git a/doc/TODO b/doc/TODO index c2d9960d1..58bbe3eba 100644 --- a/doc/TODO +++ b/doc/TODO @@ -56,8 +56,22 @@ o on windows version, implement that OS ancillary data capabilities for interface-automatic. IPPKTINFO, IP6PKTINFO for WSARecvMsg, WSASendMsg. o local-zone directive with authority service, full authority server is a non-goal. + o configure option to force use of builtin ldns tarball. -o include /etc/pki/dnssec-keys/production/*.conf with wildcard support. o make so revoke bit keys cannot verify signatures o option to print UTC timestamps instead of epoch in seconds. o print querier IP address on high loglevels. + +o infra and lame cache: easier size config (in Mb), show usage in graphs. +o #226: unbound_control dump_requestlist +o #227: unbound_control flush_stats +o unbound_control get_stats_noreset +o unbound_control forward [addr {addr}] | [off] +o #231: unbound_checkconf options to output config file data. +o config entry to denote that a zone is to be treated as unsigned (even if + a DS exists to higher trust anchor). +o see if we can use daemon(3), cleaner posix usage. +o see if we can include the python bindings (contrib). +o see if we can suport var:value (nospace) by parser. +o remote control read ssl information while priviledged. +o call initgroups(3) to drop secondary group permissions.