rc->ctx = NULL;
return rc;
}
- if(options_remote_is_address(cfg)) {
+ if(options_remote_is_address(cfg) && cfg->control_use_cert) {
if(!remote_setup_ctx(rc, cfg)) {
daemon_remote_delete(rc);
return NULL;
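Review bot: The changed `if` lets `control-use-cert: no` disable TLS for any address-based control-interface, not only loopback, while the changelog entry and the man-page text in this diff describe it as a localhost feature; with a non-loopback `control-interface` the remote control channel is then both unencrypted and unauthenticated. Nothing in this hunk inspects the configured addresses, so as far as I can see the "localhost" restriction is only documentary. I would at least `log_warn` in the non-TLS path when `!cfg->control_use_cert` and an entry of `cfg->control_ifs` is not a loopback address, or reject such a configuration outright, so that an operator cannot expose plaintext control by accident. daemon_remote_create continues past the end of this hunk.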
struct config_strlist* p;
rc->ctx = NULL;
rc->use_cert = 0;
- for(p = cfg->control_ifs.first; p; p = p->next) {
+ if(!options_remote_is_address(cfg))
+ for(p = cfg->control_ifs.first; p; p = p->next) {
if(p->str && p->str[0] != '/')
log_warn("control-interface %s is not using TLS, but plain transfer, because first control-interface in config file is a local socket (starts with a /).", p->str);
}
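Review bot: The added `if(!options_remote_is_address(cfg))` guards a multi-line `for` without braces, which reads ambiguously next to the braced loop body and invites the classic misplaced-statement bug; I would brace it: `if(!options_remote_is_address(cfg)) {` before the loop and a matching `}` after it. With this change the address-plus-`control-use-cert: no` configuration now lands in this branch silently: the only message here is the local-socket warning, which is now skipped, so nothing in the log records that TLS on the control channel was deliberately turned off. A `log_warn("control-interface %s is not using TLS because control-use-cert is no", p->str)` in the address case would let a reader distinguish an intentional setting from a misconfiguration. The enclosing function starts before this hunk.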
uptime = (time_t)time(NULL) - (time_t)worker->daemon->time_boot.tv_sec;
if(!ssl_printf(ssl, "uptime: " ARG_LL "d seconds\n", (long long)uptime))
return;
- if(!ssl_printf(ssl, "options:%s%s\n" ,
+ if(!ssl_printf(ssl, "options:%s%s%s%s\n" ,
(worker->daemon->reuseport?" reuseport":""),
- (worker->daemon->rc->accept_list?(worker->daemon->rc->use_cert?" control(ssl)":" control(namedpipe)"):"")))
+ (worker->daemon->rc->accept_list?" control":""),
+ (worker->daemon->rc->accept_list && worker->daemon->rc->use_cert?"(ssl)":""),
+ (worker->daemon->rc->accept_list && worker->daemon->cfg->control_ifs.first && worker->daemon->cfg->control_ifs.first->str && worker->daemon->cfg->control_ifs.first->str[0] == '/'?"(namedpipe)":"")
+ ))
return;
if(!ssl_printf(ssl, "unbound (pid %d) is running...\n",
(int)getpid()))
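Review bot: The three new `ssl_printf` arguments each repeat `worker->daemon->rc->accept_list`, and the `(namedpipe)` test re-derives the transport from `cfg->control_ifs.first` rather than from the `rc` state, so the status line has two sources of truth; hoisting `struct daemon_remote* rc = worker->daemon->rc;` and `struct config_strlist* ifs = worker->daemon->cfg->control_ifs.first;` into locals would shorten the conditions and make them easier to audit. More importantly, when remote control listens on an address with `control-use-cert: no`, the line now prints a bare `control` with no suffix, so the status output no longer says whether the channel is protected; an explicit marker such as `(nocert)` for that case would make the output unambiguous. If any tooling greps for `control(ssl)`, the split into separate `%s` fields keeps that token intact, but a new marker would need to be documented.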
+18 June 2018: Wouter
+ - Fix that control-use-cert: no works for 127.0.0.1 to disable certs.
+
15 June 2018: Wouter
- tag for 1.7.3rc1.
# port number for remote control operations.
# control-port: 8953
+ # for localhost, you can disable use of TLS by setting this to "no"
+ # For local sockets this option is ignored, and TLS is not used.
+ # control-use-cert: "yes"
+
# unbound server key file.
# server-key-file: "@UNBOUND_RUN_DIR@/unbound_server.key"
If you change this and permissions have been dropped, you must restart
the server for the change to take effect.
.TP 5
+.B control\-use\-cert: \fI<yes or no>
+For localhost control-interface you can disable the use of TLS by setting
+this option to "no", default is "yes". For local sockets, TLS is disabled
+and the value of this option is ignored.
+.TP 5
.B server\-key\-file: \fI<private key file>
Path to the server private key, by default unbound_server.key.
This file is generated by the \fIunbound\-control\-setup\fR utility.
char* s_cert=NULL, *c_key=NULL, *c_cert=NULL;
SSL_CTX* ctx;
- if(!options_remote_is_address(cfg))
+ if(!(options_remote_is_address(cfg) && cfg->control_use_cert))
return NULL;
s_cert = fname_after_chroot(cfg->server_cert_file, cfg, 1);
c_key = fname_after_chroot(cfg->control_key_file, cfg, 1);
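Review bot: The changed guard returns NULL for the "TLS not wanted" case, which is the same value the function presumably returns when building the context fails, so the caller in daemon_remote_create must repeat exactly the same predicate to keep the two apart; the two copies of `options_remote_is_address(cfg) && cfg->control_use_cert` will drift. I would factor it into one helper both sites use, e.g. `static int remote_wants_tls(struct config_file* cfg) { return options_remote_is_address(cfg) && cfg->control_use_cert; }`, or let the caller own the decision and drop this early return. Failing that, a comment such as `/* only called when TLS is wanted; NULL means setup failed */` should document the contract. remote_setup_ctx starts before this hunk and continues past it.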
cfg->control_ifs.first = NULL;
cfg->control_ifs.last = NULL;
cfg->control_port = UNBOUND_CONTROL_PORT;
+ cfg->control_use_cert = 1;
cfg->minimal_responses = 0;
cfg->rrset_roundrobin = 0;
cfg->max_udp_size = 4096;
int remote_control_enable;
/** the interfaces the remote control should listen on */
struct config_strlist_head control_ifs;
+ /** if the use-cert option is set */
+ int control_use_cert;
/** port number for the control port */
int control_port;
/** private key file for server */
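Review bot: The new field comment `if the use-cert option is set` does not say what the option governs, when it is consulted, or what the default is. Based on the other hunks in this diff — config_create sets it to 1 and remote_setup_ctx checks it only together with options_remote_is_address — I would write `/** use TLS for address control-interfaces (control-use-cert); ignored for local sockets; default 1 */`. The struct definition starts before this hunk and continues past it.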
#line 2295 "./util/configparser.y" /* yacc.c:1646 */
{
OUTYY(("P(control_use_cert:%s)\n", (yyvsp[0].str)));
- /* ignored */
+ cfg_parser->cfg->control_use_cert = (strcmp((yyvsp[0].str), "yes")==0);
free((yyvsp[0].str));
}
#line 5089 "util/configparser.c" /* yacc.c:1646 */
rc_control_use_cert: VAR_CONTROL_USE_CERT STRING_ARG
{
OUTYY(("P(control_use_cert:%s)\n", $2));
- /* ignored */
+ cfg_parser->cfg->control_use_cert = (strcmp($2, "yes")==0);
free($2);
}
;
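Review bot: The new assignment accepts any string and treats everything other than the exact text `yes` as `no`, so a typo such as `Yes`, `ture` or `on` silently disables TLS on the control channel — the failure mode goes the wrong way for a security setting. If the other yes/no options in this grammar validate their argument with `yyerror("expected yes or no.")`, this rule should do the same: `if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0) yyerror("expected yes or no.");` followed by `else cfg_parser->cfg->control_use_cert = (strcmp($2, "yes")==0);`. The generated configparser.c hunk in this diff would then need to be regenerated rather than hand-edited.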