Fix issue #676: Unencrypted query is sent when forward-tls-upstream: yes is
authorPhilip Homburg <philip@nlnetlabs.nl>
Fri, 24 Mar 2023 13:51:37 +0000 (14:51 +0100)
committerPhilip Homburg <philip@nlnetlabs.nl>
Fri, 24 Mar 2023 13:51:37 +0000 (14:51 +0100)
used without tls-cert-bundle

Model the behavior of unbound in unbound-host: always create a SSL context

libunbound/libworker.c

index b9ef02217a2fd85a9448ea7893a4ce1b18a2c7b4..ebc1df2e521357c42b36e9e1e7ba3c795b250d99 100644 (file)
@@ -168,14 +168,12 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb)
                hints_delete(w->env->hints);
                w->env->hints = NULL;
        }
-       if(cfg->ssl_upstream || (cfg->tls_cert_bundle && cfg->tls_cert_bundle[0]) || cfg->tls_win_cert) {
-               w->sslctx = connect_sslctx_create(NULL, NULL,
-                       cfg->tls_cert_bundle, cfg->tls_win_cert);
-               if(!w->sslctx) {
-                       /* to make the setup fail after unlock */
-                       hints_delete(w->env->hints);
-                       w->env->hints = NULL;
-               }
+       w->sslctx = connect_sslctx_create(NULL, NULL,
+               cfg->tls_cert_bundle, cfg->tls_win_cert);
+       if(!w->sslctx) {
+               /* to make the setup fail after unlock */
+               hints_delete(w->env->hints);
+               w->env->hints = NULL;
        }
        if(!w->is_bg || w->is_bg_thread) {
                lock_basic_unlock(&ctx->cfglock);
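Review bot: The now-unconditional `connect_sslctx_create()` call on the new lines deserves a comment saying why the old `ssl_upstream || tls_cert_bundle || tls_win_cert` guard was wrong, otherwise a later reader is likely to restore it as an "optimisation"; suggested: `/* always create an ssl context: a per-zone forward-tls-upstream needs one even when no global ssl-upstream or tls-cert-bundle is configured (issue #676) */`. A side effect worth stating in the same comment is that a context with no TLS configured at all now also fails setup when `connect_sslctx_create()` returns NULL, so an SSL library initialisation failure that previously did not affect plaintext-only users becomes a hard error. If, as the commit title implies, the outbound path falls back to an unencrypted query when `w->sslctx` is NULL, that downgrade path still exists; a fail-closed check at the point of use (refuse the query when the upstream requires TLS and no context is available) would turn any future regression into a visible error instead of a leaked query. libworker_setup begins and ends outside this hunk.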