1cccacf359
ssl_set1_host() is not available without openssl-1.1.0. Unbound can not do host cert verification. DNS over TLS connects, but hosts are unverified. A patch for log err is added with a noitce in README.md. (see: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=658) Also, squash some minor robustness and TLS usability fixes. Signed-off-by: Eric Luehrsen <ericluehrsen@gmail.com>
48 lines
1.4 KiB
Diff
48 lines
1.4 KiB
Diff
Index: daemon/remote.c
|
|
===================================================================
|
|
--- a/daemon/remote.c
|
|
+++ b/daemon/remote.c
|
|
@@ -1950,6 +1950,11 @@
|
|
return NULL;
|
|
}
|
|
} else {
|
|
+#ifndef HAVE_SSL_SET1_HOST
|
|
+ if(auth_name)
|
|
+ log_err("no name verification functionality in "
|
|
+ "ssl library, ignored name for %s", todo);
|
|
+#endif
|
|
/* add address */
|
|
if(!delegpt_add_addr_mlc(dp, &addr, addrlen, 0, 0,
|
|
auth_name)) {
|
|
Index: iterator/iter_fwd.c
|
|
===================================================================
|
|
--- a/iterator/iter_fwd.c
|
|
+++ b/iterator/iter_fwd.c
|
|
@@ -239,6 +239,11 @@
|
|
s->name, p->str);
|
|
return 0;
|
|
}
|
|
+#ifndef HAVE_SSL_SET1_HOST
|
|
+ if(tls_auth_name)
|
|
+ log_err("no name verification functionality in "
|
|
+ "ssl library, ignored name for %s", p->str);
|
|
+#endif
|
|
if(!delegpt_add_addr_mlc(dp, &addr, addrlen, 0, 0,
|
|
tls_auth_name)) {
|
|
log_err("out of memory");
|
|
Index: iterator/iter_hints.c
|
|
===================================================================
|
|
--- a/iterator/iter_hints.c
|
|
+++ b/iterator/iter_hints.c
|
|
@@ -252,6 +252,11 @@
|
|
s->name, p->str);
|
|
return 0;
|
|
}
|
|
+#ifndef HAVE_SSL_SET1_HOST
|
|
+ if(auth_name)
|
|
+ log_err("no name verification functionality in "
|
|
+ "ssl library, ignored name for %s", p->str);
|
|
+#endif
|
|
if(!delegpt_add_addr_mlc(dp, &addr, addrlen, 0, 0,
|
|
auth_name)) {
|
|
log_err("out of memory");
|