[Bug 235571] [patch] dns/unbound: Fix DNS over TLS host validation w/OpenSSL 1.0.2

Thu Feb 7 10:56:51 UTC 2019

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=235571

            Bug ID: 235571
           Summary: [patch] dns/unbound: Fix DNS over TLS host validation
                    w/OpenSSL 1.0.2
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: Individual Port(s)
          Assignee: ports-bugs at FreeBSD.org
          Reporter: garga at FreeBSD.org
                CC: jaap at NLnetLabs.nl
             Flags: maintainer-feedback?(jaap at NLnetLabs.nl)
                CC: jaap at NLnetLabs.nl

Created attachment 201810
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=201810&action=edit
unbound patch

The code change to support host validation on OpenSSL 1.0.2 was done in
outside_network.c but the checks in daemon/remote.c, iterator/iter_fwd.c, and
iterator/iter_hints.c were not fixed. As such, attempting to validate hosts
with Unbound 1.9.0 still fails with OpenSSL 1.0.2. Specifically, on FreeBSD
11.2 it does not function:

unbound: [45843:0] error: no name verification functionality in ssl library,
ignored name for 9.9.9.9 at 853#blah.example.com

The attached patch fixes the checks so it works as intended. I have tested the
patch on FreeBSD 11.2 and pfSense 2.4.5 snapshots and it works. The logs
indicate successes and failures of validation as expected when testing various
scenarios.

Obtained from: https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4206#c5

https://github.com/pfsense/FreeBSD-ports/commit/af2c493a0dfa99e2afc6e3f9236aad10021d6b39

-- 
You are receiving this mail because:
You are the assignee for the bug.