dnsdist: Error if backend certificate validation is enabled without a subject name
authorRemi Gacogne <remi.gacogne@powerdns.com>
Mon, 30 Jun 2025 13:57:10 +0000 (15:57 +0200)
committerRemi Gacogne <remi.gacogne@powerdns.com>
Wed, 2 Jul 2025 14:19:25 +0000 (16:19 +0200)
We can only validate if a proper subject name or subject address is passed,
and we do not want to silently disable validation, so let's refuse to start.

Signed-off-by: Remi Gacogne <remi.gacogne@powerdns.com>
(cherry picked from commit 8a9142058f82e0fd70b428ddc50848f00a59d2c4)

pdns/dnsdistdist/dnsdist-configuration-yaml.cc
pdns/dnsdistdist/dnsdist-lua.cc
regression-tests.dnsdist/test_HealthChecks.py

index e2010a71ab5256439eef6c8589516f94520f771a..3b219a90fa441ae3f4d74083684c2b176b6e796c 100644 (file)
@@ -468,6 +468,9 @@ static std::shared_ptr<DownstreamState> createBackendFromConfiguration(const dns
         errlog("Error creating new server: downstream subject_address value must be a valid IP address");
       }
     }
+    if (backendConfig.d_tlsParams.d_validateCertificates && backendConfig.d_tlsSubjectName.empty()) {
+      throw std::runtime_error("Certificate validation has been requested for backend " + std::string(config.address) + " but neither 'subject_name' nor 'subject_address' are set");
+    }
   }
 
   if (protocol == "dot") {
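Review bot: The new check throws with a message saying neither 'subject_name' nor 'subject_address' is set, yet the branch just above only errlog()s when subject_address fails to parse as an IP address, so — assuming an unparsable subject_address leaves `d_tlsSubjectName` empty — an operator who did set subject_address would be told it is missing. Promoting that errlog to a throw as well, or widening the message to `"... but no valid 'subject_name' or 'subject_address' is set"`, would make the startup failure report the real cause. The same condition and a near-identical message are also added in dnsdist-lua.cc; a small shared helper taking the TLS params and the resolved subject name would keep the two checks and their wording from drifting apart. createBackendFromConfiguration starts before this hunk.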
index 653bf78ec79715c6bbac6c036ab7fb72f66311ae..f678fc0ba82449e45dc0abc57d609aedacfd3f40 100644 (file)
@@ -545,6 +545,10 @@ static void setupLuaConfig(LuaContext& luaCtx, bool client, bool configCheck)
                            }
 
                            tlsCtx = getTLSContext(config.d_tlsParams);
+
+                           if (config.d_tlsParams.d_validateCertificates && config.d_tlsSubjectName.empty()) {
+                             throw std::runtime_error("Certificate validation has been requested (see 'validateCertificates') for backend " + serverAddressStr + " but neither 'subjectName' nor 'subjectAddress' are set");
+                           }
                          }
 
                          try {
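Review bot: The new validation check is placed after `tlsCtx = getTLSContext(config.d_tlsParams);`, so a TLS context is built and then thrown away whenever the configuration is rejected; moving the `if` block above that call rejects the backend before doing that work and keeps the error path free of side effects. The enclosing lambda and setupLuaConfig both start outside the hunk.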
index 1c1557f2146a56579b792aa4bea78c56fcc57761..819eb4dcd35d2ad673d996f84334899e500fa31c 100644 (file)
@@ -247,10 +247,10 @@ class TestLazyHealthChecks(HealthCheckTest):
 
     newServer{address="127.0.0.1:%s", healthCheckMode='lazy', checkInterval=1, lazyHealthCheckFailedInterval=1, lazyHealthCheckThreshold=10, lazyHealthCheckSampleSize=100,  lazyHealthCheckMinSampleCount=10, lazyHealthCheckMode='TimeoutOrServFail', pool=''}
 
-    newServer{address="127.0.0.1:%s", tls='openssl', caStore='ca.pem', healthCheckMode='lazy', checkInterval=1, lazyHealthCheckFailedInterval=1, lazyHealthCheckThreshold=10, lazyHealthCheckSampleSize=100,  lazyHealthCheckMinSampleCount=10, lazyHealthCheckMode='TimeoutOrServFail', pool='dot'}
+    newServer{address="127.0.0.1:%s", tls='openssl', caStore='ca.pem', subjectAddr='127.0.0.1', healthCheckMode='lazy', checkInterval=1, lazyHealthCheckFailedInterval=1, lazyHealthCheckThreshold=10, lazyHealthCheckSampleSize=100,  lazyHealthCheckMinSampleCount=10, lazyHealthCheckMode='TimeoutOrServFail', pool='dot'}
     addAction('dot.lazy.test.powerdns.com.', PoolAction('dot'))
 
-    newServer{address="127.0.0.1:%s", tls='openssl', dohPath='/dns-query', caStore='ca.pem', healthCheckMode='lazy', checkInterval=1, lazyHealthCheckFailedInterval=1, lazyHealthCheckThreshold=10, lazyHealthCheckSampleSize=100,  lazyHealthCheckMinSampleCount=10, lazyHealthCheckMode='TimeoutOrServFail', pool='doh'}
+    newServer{address="127.0.0.1:%s", tls='openssl', dohPath='/dns-query', caStore='ca.pem', subjectAddr='127.0.0.1', healthCheckMode='lazy', checkInterval=1, lazyHealthCheckFailedInterval=1, lazyHealthCheckThreshold=10, lazyHealthCheckSampleSize=100,  lazyHealthCheckMinSampleCount=10, lazyHealthCheckMode='TimeoutOrServFail', pool='doh'}
     addAction('doh.lazy.test.powerdns.com.', PoolAction('doh'))
     """
     _verboseMode = True
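Review bot: The test change only keeps the existing DoT and DoH backends accepted under the stricter check by adding `subjectAddr='127.0.0.1'`; nothing exercises the rejection path the commit introduces. A companion test declaring a backend with `validateCertificates=true` and neither subjectName nor subjectAddr, asserting that dnsdist refuses to start, would pin the new behaviour. Whether these two backends validate certificates at all is not visible here, since the newServer calls set only caStore; presumably caStore turns validation on, but that should be confirmed. The enclosing class TestLazyHealthChecks starts before this hunk.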