From: Philip Homburg Date: Fri, 24 Mar 2023 13:51:37 +0000 (+0100) Subject: Fix issue #676: Unencrypted query is sent when forward-tls-upstream: yes is X-Git-Tag: release-1.19.0rc1~38^2~15 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7e6a7f310de20fe00cfcb3a40086c5a3bbbf7e0f;p=thirdparty%2Funbound.git Fix issue #676: Unencrypted query is sent when forward-tls-upstream: yes is used without tls-cert-bundle Model the behavior of unbound in unbound-host: always create a SSL context
---
diff --git a/libunbound/libworker.c b/libunbound/libworker.c
index b9ef02217..ebc1df2e5 100644
--- a/libunbound/libworker.c
+++ b/libunbound/libworker.c
@@ -168,14 +168,12 @@ libworker_setup(struct ub_ctx* ctx, int is_bg, struct ub_event_base* eb)
 hints_delete(w->env->hints);
 w->env->hints = NULL;
 }
- if(cfg->ssl_upstream || (cfg->tls_cert_bundle && cfg->tls_cert_bundle[0]) || cfg->tls_win_cert) {
- w->sslctx = connect_sslctx_create(NULL, NULL,
- cfg->tls_cert_bundle, cfg->tls_win_cert);
- if(!w->sslctx) {
- /* to make the setup fail after unlock */
- hints_delete(w->env->hints);
- w->env->hints = NULL;
- }
+ w->sslctx = connect_sslctx_create(NULL, NULL,
+ cfg->tls_cert_bundle, cfg->tls_win_cert);
+ if(!w->sslctx) {
+ /* to make the setup fail after unlock */
+ hints_delete(w->env->hints);
+ w->env->hints = NULL;
 }
 if(!w->is_bg || w->is_bg_thread) {
 lock_basic_unlock(&ctx->cfglock);
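Review bot: The now-unconditional `connect_sslctx_create(NULL, NULL, cfg->tls_cert_bundle, cfg->tls_win_cert)` call also runs when neither a bundle nor `tls_win_cert` is configured, and nothing in the hunk says whether the resulting context authenticates the upstream. connect_sslctx_create is not shown here; if it only turns on peer verification when a trust source is passed, that configuration gets encryption without authentication, which protects against passive eavesdropping but not against an on-path impersonator. A comment above the call such as `/* always create the context so forward-tls-upstream never falls back to plaintext; without tls-cert-bundle the upstream certificate is not verified */`, or a warning logged in that case, would make the limit explicit. The failure branch is unconditional as well: any context-creation failure now clears `w->env->hints` and fails setup even for contexts that never use TLS, presumably including builds where the function is stubbed out without TLS support, so that case is worth confirming or guarding. libworker_setup starts and ends outside the hunk.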