dnsdist: Warn that GnuTLS 3.7.x leaks memory when validating certs

In some configurations that we can't detect (PKCS11 support enabled,
with a default PKCS11 trust store), GnuTLS from 3.7.0 to at least
3.7.2 leaks memory when validating a server certificate. The issue
has been reported to GnuTLS and acknowledged, but there is no
available fix yet.

diff --git a/pdns/tcpiohandler.cc b/pdns/tcpiohandler.cc
index 6068c1bc84eaa273a4d1ac9888c675506f5319ab..b655eb0f6d89d219731be98454fd5c76f70cf6d4 100644 (file)
--- a/pdns/tcpiohandler.cc
+++ b/pdns/tcpiohandler.cc
@@ -1539,6 +1539,9 @@ public:
 
     if (params.d_validateCertificates) {
       if (params.d_caStore.empty()) {
+#if GNUTLS_VERSION_NUMBER >= 0x030700
+        std::cerr<<"Warning: GnuTLS >= 3.7.0 has a known memory leak when validating server certificates in some configurations (PKCS11 support enabled, and a default PKCS11 trust store), please consider using the OpenSSL provider for outgoing connections instead, or explicitely setting a CA store"<<std::endl;
+#endif /* GNUTLS_VERSION_NUMBER >= 0x030700 */
         rc = gnutls_certificate_set_x509_system_trust(d_creds.get());
         if (rc < 0) {
           throw std::runtime_error("Error adding the system's default trusted CAs: " + std::string(gnutls_strerror(rc)));