From: Wouter Wijngaards
Date: Thu, 5 Apr 2018 13:43:05 +0000 (+0000)
Subject: - Fix unbound-control over pipe with openssl 1.1.1, the TLSv1.3
X-Git-Tag: release-1.7.1rc1~58
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c515215eea13db9ba04ad408f6bb36cbbf17963e;p=thirdparty%2Funbound.git
- Fix unbound-control over pipe with openssl 1.1.1, the TLSv1.3
tls_choose_sigalg routine does not allow the ciphers for the pipe,
so use TLSv1.2.
git-svn-id: file:///svn/unbound/trunk@4606 be551aaa-1e26-0410-a405-d3ace91eadb9
---
diff --git a/daemon/remote.c b/daemon/remote.c
index 3477340ff..58cdde1e2 100644
--- a/daemon/remote.c
+++ b/daemon/remote.c
@@ -236,10 +236,15 @@ daemon_remote_create(struct config_file* cfg)
 if (cfg->remote_control_use_cert == 0) {
 /* No certificates are requested */
+#if defined(SSL_OP_NO_TLSv1_3)
+ /* in openssl 1.1.1, negotiation code for tls 1.3 does
+ * not allow the unauthenticated aNULL and eNULL ciphers */
+ SSL_CTX_set_options(rc->ctx, SSL_OP_NO_TLSv1_3);
+#endif
 #ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
 SSL_CTX_set_security_level(rc->ctx, 0);
 #endif
- if(!SSL_CTX_set_cipher_list(rc->ctx, "aNULL, eNULL")) {
+ if(!SSL_CTX_set_cipher_list(rc->ctx, "aNULL:eNULL")) {
 log_crypto_err("Failed to set aNULL cipher list");
 daemon_remote_delete(rc);
 return NULL;
diff --git a/doc/Changelog b/doc/Changelog
index 8fd4428b6..3c3bfe613 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -2,6 +2,9 @@
 - Combine write of tcp length and tcp query for dns over tls.
 - nitpick fixes in example.conf.
 - Fix above stub queries for type NS and useless delegation point.
+ - Fix unbound-control over pipe with openssl 1.1.1, the TLSv1.3
+ tls_choose_sigalg routine does not allow the ciphers for the pipe,
+ so use TLSv1.2.
 
 3 April 2018: Wouter
 - Fix #4043: make test fails due to v6 presentation issue in macOS.
diff --git a/smallapp/unbound-control.c b/smallapp/unbound-control.c
index 086afa8dd..fa1e3f6b9 100644
--- a/smallapp/unbound-control.c
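Review bot: The added `SSL_OP_NO_TLSv1_3` block explains the OpenSSL 1.1.1 limitation but not why pinning an unauthenticated TLS 1.2 session is acceptable here, even though the surrounding `remote_control_use_cert == 0` branch also lowers the security level to 0 and selects `aNULL:eNULL`. Suggest extending the new comment to state the trust assumption, e.g. `/* in openssl 1.1.1, negotiation code for tls 1.3 does not allow the unauthenticated aNULL and eNULL ciphers; this branch is only used when remote_control_use_cert is off, where the channel is protected by the socket itself, not by TLS */`. Please confirm that this branch is in fact only reached for the local pipe, because `SSL_OP_NO_TLSv1_3` stays defined in later OpenSSL releases, so the opt-out will persist beyond the 1.1.1 quirk it works around. The same block is added to setup_ctx() in smallapp/unbound-control.c and should carry the same note, and in both files the adjacent guard uses `#ifdef`, so `#ifdef SSL_OP_NO_TLSv1_3` would match the existing style. daemon_remote_create's body continues outside the hunk.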
+++ b/smallapp/unbound-control.c
@@ -476,10 +476,15 @@ setup_ctx(struct config_file* cfg)
 free(c_cert);
 } else {
 /* Use ciphers that don't require authentication */
+#if defined(SSL_OP_NO_TLSv1_3)
+ /* in openssl 1.1.1, negotiation code for tls 1.3 does
+ * not allow the unauthenticated aNULL and eNULL ciphers */
+ SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_3);
+#endif
 #ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
 SSL_CTX_set_security_level(ctx, 0);
 #endif
- if(!SSL_CTX_set_cipher_list(ctx, "aNULL, eNULL"))
+ if(!SSL_CTX_set_cipher_list(ctx, "aNULL:eNULL"))
 ssl_err("Error setting NULL cipher!");
 }
 return ctx;