Show the NSEC3 flags in the response (they are hidden by default).
tcp
Use TCP instead of UDP to send the query.
+dot
+ use DoT instead of UDP to send a query. Implies tcp.
+insecure
+ when using DoT, do not validate the server certificate.
+subjectName *name*
+ when using DoT, verify the server certificate is issued for *name*.
+caStore *file*
+ when using Dot, read the trusted CA certificates from *file*. Default is to use the system provided CA store.
+tlsProvider *name*
+ when using DoT, use TLS provider *name*. Currently supported (if compiled in): `openssl` and `gnutls`. Default is `openssl` if available.
xpf *XPFCODE* *XPFVERSION* *XPFPROTO* *XPFSRC* *XPFDST*
Send an *XPF* additional with these parameters.
#endif /* HAVE_SSL_CTX_SET_KEYLOG_CALLBACK */
}
+std::string libssl_get_error_string()
+{
+ BIO *mem = BIO_new(BIO_s_mem());
+ ERR_print_errors(mem);
+ char *p;
+ size_t len = BIO_get_mem_data(mem, &p);
+ std::string msg(p, len);
+ // replace newlines by /
+ if (msg.back() == '\n') {
+ msg.pop_back();
+ }
+ std::replace(msg.begin(), msg.end(), '\n', '/');
+ BIO_free(mem);
+ return msg;
+}
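Review bot: `msg.back()` on the line `if (msg.back() == '\n')` is undefined behaviour when the OpenSSL error queue is empty, because `ERR_print_errors` then writes nothing and `msg` is constructed with length 0; at minimum the check needs an emptiness guard, `if (!msg.empty() && msg.back() == '\n')`. The `BIO_new` result is also used unchecked, and `BIO_get_mem_data` yields a `long` that is narrowed into `size_t len`, so a null BIO or a non-positive length goes straight into the `std::string` constructor; holding the BIO in a `std::unique_ptr<BIO, decltype(&BIO_free)>` would additionally release it if that constructor throws. A header comment such as `/* Drains the thread's OpenSSL error queue into a single-line string (newlines replaced by '/'); returns an empty string when nothing is queued. */` would document the draining side effect that callers inspecting the queue afterwards need to know about. The rewrite below keeps the function's name and return type.
```cpp
std::string libssl_get_error_string()
{
  std::unique_ptr<BIO, decltype(&BIO_free)> mem(BIO_new(BIO_s_mem()), BIO_free);
  if (!mem) {
    return "unable to allocate a memory BIO for the OpenSSL error queue";
  }
  ERR_print_errors(mem.get());
  char *p = nullptr;
  long len = BIO_get_mem_data(mem.get(), &p);
  if (p == nullptr || len <= 0) {
    return std::string();
  }
  std::string msg(p, static_cast<size_t>(len));
  // replace newlines by /
  if (msg.back() == '\n') {
    msg.pop_back();
  }
  std::replace(msg.begin(), msg.end(), '\n', '/');
  return msg;
}
```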
#endif /* HAVE_LIBSSL */
cerr << "sdig" << endl;
cerr << "Syntax: sdig IP-ADDRESS-OR-DOH-URL PORT QNAME QTYPE "
"[dnssec] [ednssubnet SUBNET/MASK] [hidesoadetails] [hidettl] [recurse] [showflags] "
- "[tcp] [dot] [insecure] [subjectName name] [caStore file] [tlsProvider provider] "
+ "[tcp] [dot] [insecure] [subjectName name] [caStore file] [tlsProvider openssl|gnutls] "
"[xpf XPFDATA] [class CLASSNUM] "
"[proxy UDP(0)/TCP(1) SOURCE-IP-ADDRESS-AND-PORT DESTINATION-IP-ADDRESS-AND-PORT]"
<< endl;
throw std::runtime_error("Syscall error while processing TLS connection: " + std::string(strerror(errno)));
}
else {
- ERR_print_errors_fp(stderr);
- throw std::runtime_error("Error while processing TLS connection: " + std::to_string(error));
+ if (g_verbose) {
+ throw std::runtime_error("Error while processing TLS connection: " + libssl_get_error_string());
+ } else {
+ throw std::runtime_error("Error while processing TLS connection: " + std::to_string(error));
+ }
}
}
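Review bot: The non-verbose branch (the `else` after `if (g_verbose)`) no longer drains the OpenSSL error queue: the removed `ERR_print_errors_fp(stderr)` both printed and consumed the queued errors, whereas the replacement only throws with the numeric `error` value, so stale entries stay queued on this thread and would be reported by a later `libssl_get_error_string()` call for an unrelated connection. Adding `ERR_clear_error();` before the throw in the `else` branch keeps the queue consistent on both paths. It may also be worth including the text regardless of verbosity, e.g. `throw std::runtime_error("Error while processing TLS connection: " + std::to_string(error) + ", " + libssl_get_error_string());`, since the bare numeric code rarely identifies the cause; this presumes the helper is visible from this translation unit. The enclosing function begins before this hunk.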
{
public:
/* server side context */
- OpenSSLTLSIOCtx(TLSFrontend& fe): d_feContext(std::make_shared<OpenSSLFrontendContext>(fe.d_addr, fe.d_tlsConfig)), d_ticketKeys{0}, d_tlsCtx(std::unique_ptr<SSL_CTX, void(*)(SSL_CTX*)>(nullptr, SSL_CTX_free))
+ OpenSSLTLSIOCtx(TLSFrontend& fe): d_feContext(std::make_shared<OpenSSLFrontendContext>(fe.d_addr, fe.d_tlsConfig)), d_tlsCtx(std::unique_ptr<SSL_CTX, void(*)(SSL_CTX*)>(nullptr, SSL_CTX_free))
{
d_ticketsKeyRotationDelay = fe.d_tlsConfig.d_ticketsKeyRotationDelay;
}
/* client side context */
- OpenSSLTLSIOCtx(const TLSContextParameters& params): d_ticketKeys(0), d_tlsCtx(std::unique_ptr<SSL_CTX, void(*)(SSL_CTX*)>(nullptr, SSL_CTX_free))
+ OpenSSLTLSIOCtx(const TLSContextParameters& params): d_tlsCtx(std::unique_ptr<SSL_CTX, void(*)(SSL_CTX*)>(nullptr, SSL_CTX_free))
{
int sslOptions =
SSL_OP_NO_SSLv2 |
SSL_OP_CIPHER_SERVER_PREFERENCE;
registerOpenSSLUser();
-#if 0 // XXX
- s_ticketsKeyIndex = SSL_CTX_get_ex_new_index(0, nullptr, nullptr, nullptr, nullptr);
-
- if (s_ticketsKeyIndex == -1) {
- throw std::runtime_error("Error getting an index for tickets key");
- }
-#endif
#ifdef HAVE_TLS_CLIENT_METHOD
d_tlsCtx = std::unique_ptr<SSL_CTX, void(*)(SSL_CTX*)>(SSL_CTX_new(TLS_client_method()), SSL_CTX_free);
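Review bot: The server-side constructor `OpenSSLTLSIOCtx(TLSFrontend& fe)` keeps assigning `d_ticketsKeyRotationDelay` even though the ticket key ring that presumably consumed it is removed in this change, and it still leaves `d_tlsCtx` null, so that constructor now produces an object with no usable SSL context; if the class is meant to be client-only after this change the constructor would be better deleted, otherwise a comment such as `/* server side context: only records the rotation delay; d_tlsCtx is not created here */` should state the limitation. The member comment added in the next hunk, `d_tlsCtx; // client context`, documents the same contradiction from the other side. Whether `d_ticketsKeyRotationDelay` still exists as a member is not visible in this hunk, and the client-side constructor body continues past the end of the hunk.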
private:
std::shared_ptr<OpenSSLFrontendContext> d_feContext;
- OpenSSLTLSTicketKeysRing d_ticketKeys;
- std::unique_ptr<SSL_CTX, void(*)(SSL_CTX*)> d_tlsCtx;
- static std::atomic<uint64_t> s_users;
+ std::unique_ptr<SSL_CTX, void(*)(SSL_CTX*)> d_tlsCtx; // client context
};
#endif /* HAVE_LIBSSL */