- noted feature requests in doc/TODO.

- printout more detailed errors on ssl certificate loading failures. git-svn-id: file:///svn/unbound/trunk@1445 be551aaa-1e26-0410-a405-d3ace91eadb9
2025-12-20 23:00:56 -05:00 · 2009-02-03 09:55:35 +00:00 · 2009-02-03 09:55:35 +00:00 · d1e812a4af
commit d1e812a4af
parent 7ac31bc1d5
3 changed files with 34 additions and 5 deletions
--- a/daemon/remote.c
+++ b/daemon/remote.c
@ -170,10 +170,21 @@ daemon_remote_create(struct worker* worker)
 			s_key += strlen(cfg->chrootdir);
 	}
 	verbose(VERB_ALGO, "setup SSL certificates");
-	if (!SSL_CTX_use_certificate_file(rc->ctx,s_cert,SSL_FILETYPE_PEM)
-		|| !SSL_CTX_use_PrivateKey_file(rc->ctx,s_key,SSL_FILETYPE_PEM)
-		|| !SSL_CTX_check_private_key(rc->ctx)) {
-		log_crypto_err("Error setting up SSL_CTX key and cert");
+	if (!SSL_CTX_use_certificate_file(rc->ctx,s_cert,SSL_FILETYPE_PEM)) {
+		log_err("Error for server-cert-file: %s", s_cert);
+		log_crypto_err("Error in SSL_CTX use_certificate_file");
+		daemon_remote_delete(rc);
+		return NULL;
+	}
+	if(!SSL_CTX_use_PrivateKey_file(rc->ctx,s_key,SSL_FILETYPE_PEM)) {
+		log_err("Error for server-key-file: %s", s_key);
+		log_crypto_err("Error in SSL_CTX use_PrivateKey_file");
+		daemon_remote_delete(rc);
+		return NULL;
+	}
+	if(!SSL_CTX_check_private_key(rc->ctx)) {
+		log_err("Error for server-key-file: %s", s_key);
+		log_crypto_err("Error in SSL_CTX check_private_key");
 		daemon_remote_delete(rc);
 		return NULL;
 	}
--- a/doc/Changelog
+++ b/doc/Changelog
@ -1,3 +1,7 @@
+3 February 2009: Wouter
+	- noted feature requests in doc/TODO.
+	- printout more detailed errors on ssl certificate loading failures.
+
 16 January 2009: Wouter
 	- more quiet about ipv6 network failures, i.e. when ipv6 is not
 	  available (network unreachable). Debug still printed on high
--- a/doc/TODO
+++ b/doc/TODO
@ -56,8 +56,22 @@ o on windows version, implement that OS ancillary data capabilities for
  interface-automatic. IPPKTINFO, IP6PKTINFO for WSARecvMsg, WSASendMsg.
 o local-zone directive with authority service, full authority server 
  is a non-goal.
+ 
 o configure option to force use of builtin ldns tarball.
-o include /etc/pki/dnssec-keys/production/*.conf with wildcard support.
 o make so revoke bit keys cannot verify signatures
 o option to print UTC timestamps instead of epoch in seconds.
 o print querier IP address on high loglevels.
+
+o infra and lame cache: easier size config (in Mb), show usage in graphs.
+o #226: unbound_control dump_requestlist
+o #227: unbound_control flush_stats
+o unbound_control get_stats_noreset
+o unbound_control forward [addr {addr}] | [off]
+o #231: unbound_checkconf options to output config file data.
+o config entry to denote that a zone is to be treated as unsigned (even if 
+  a DS exists to higher trust anchor).
+o see if we can use daemon(3), cleaner posix usage.
+o see if we can include the python bindings (contrib).
+o see if we can suport var:value (nospace) by parser.
+o remote control read ssl information while priviledged.
+o call initgroups(3) to drop secondary group permissions.