From: Charles-Henri Bruyand Date: Wed, 1 Jun 2022 15:47:49 +0000 (+0200) Subject: dnsdist: skip DoT/DoH frontend when a tls configuration error occurs X-Git-Tag: dnsdist-1.8.0-rc1~277^2~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=dcbd10c6139fdeadd68989a3491c8d08df7754df;p=thirdparty%2Fpdns.git dnsdist: skip DoT/DoH frontend when a tls configuration error occurs --- diff --git a/pdns/dnsdist-lua.cc b/pdns/dnsdist-lua.cc index dd8ac67712..e5c09ae13c 100644 --- a/pdns/dnsdist-lua.cc +++ b/pdns/dnsdist-lua.cc @@ -2501,6 +2501,19 @@ static void setupLuaConfig(LuaContext& luaCtx, bool client, bool configCheck) } parseTLSConfig(frontend->d_tlsConfig, "addDOHLocal", vars); + if (vars->count("ignoreTLSConfigurationErrors")) { + if (boost::get((*vars)["ignoreTLSConfigurationErrors"])) { + // we are asked to try to load the certificates so we can return a potential error + // and properly ignore the frontend before actually launching it + try { + std::map ocspResponses = {}; + auto ctx = libssl_init_server_context(frontend->d_tlsConfig, ocspResponses); + } catch (const std::runtime_error& e) { + errlog("Ignoring DoH frontend: '%s'", e.what()); + return ; + } + } + } } g_dohlocals.push_back(frontend); auto cs = std::make_unique(frontend->d_local, true, reusePort, tcpFastOpenQueueSize, interface, cpus); @@ -2703,6 +2716,19 @@ static void setupLuaConfig(LuaContext& luaCtx, bool client, bool configCheck) } parseTLSConfig(frontend->d_tlsConfig, "addTLSLocal", vars); + if (vars->count("ignoreTLSConfigurationErrors")) { + if (boost::get((*vars)["ignoreTLSConfigurationErrors"])) { + // we are asked to try to load the certificates so we can return a potential error + // and properly ignore the frontend before actually launching it + try { + std::map ocspResponses = {}; + auto ctx = libssl_init_server_context(frontend->d_tlsConfig, ocspResponses); + } catch (const std::runtime_error& e) { + errlog("Ignoring TLS frontend: '%s'", e.what()); + return ; + } + } + } } try { diff --git a/pdns/dnsdistdist/docs/reference/config.rst b/pdns/dnsdistdist/docs/reference/config.rst index 88b0ba448c..04974086e3 100644 --- a/pdns/dnsdistdist/docs/reference/config.rst +++ b/pdns/dnsdistdist/docs/reference/config.rst @@ -120,7 +120,7 @@ Listen Sockets .. versionchanged:: 1.8.0 ``certFile`` now accepts a TLSCertificate object or a list of such objects (see :func:`newTLSCertificate`) - ``additionalAddresses`` and ``keepIncomingHeaders`` options added. + ``additionalAddresses``, ``ignoreTLSConfigurationErrors`` and ``keepIncomingHeaders`` options added. Listen on the specified address and TCP port for incoming DNS over HTTPS connections, presenting the specified X.509 certificate. If no certificate (or key) files are specified, listen for incoming DNS over HTTP connections instead. @@ -163,6 +163,7 @@ Listen Sockets * ``enableRenegotiation=false``: bool - Whether secure TLS renegotiation should be enabled. Disabled by default since it increases the attack surface and is seldom used for DNS. * ``keepIncomingHeaders``: bool - Whether to retain the incoming headers in memory, to be able to use :func:`HTTPHeaderRule` or :meth:`DNSQuestion.getHTTPHeaders`. Default is false. Before 1.8.0 the headers were always kept in-memory. * ``additionalAddresses``: list - List of additional addresses (with port) to listen on. Using this option instead of creating a new frontend for each address avoids the creation of new thread and Frontend objects, reducing the memory usage. The drawback is that there will be a single set of metrics for all addresses. + * ``ignoreTLSConfigurationErrors=false``: bool - Ignore TLS configuration errors (such as invalid certificate path) and just issue a warning instead of aborting the whole process .. function:: addTLSLocal(address, certFile(s), keyFile(s) [, options]) @@ -176,7 +177,7 @@ Listen Sockets ``tlsAsyncMode`` option added. .. versionchanged:: 1.8.0 ``certFile`` now accepts a TLSCertificate object or a list of such objects (see :func:`newTLSCertificate`). - ``additionalAddresses`` option added. + ``additionalAddresses`` and ``ignoreTLSConfigurationErrors`` options added. Listen on the specified address and TCP port for incoming DNS over TLS connections, presenting the specified X.509 certificate. @@ -212,6 +213,7 @@ Listen Sockets * ``enableRenegotiation=false``: bool - Whether secure TLS renegotiation should be enabled (OpenSSL only, the GnuTLS provider does not support it). Disabled by default since it increases the attack surface and is seldom used for DNS. * ``tlsAsyncMode=false``: bool - Whether to enable experimental asynchronous TLS I/O operations if OpenSSL is used as the TLS provider and an asynchronous capable SSL engine is loaded. See also :func:`loadTLSEngine` to load the engine. * ``additionalAddresses``: list - List of additional addresses (with port) to listen on. Using this option instead of creating a new frontend for each address avoids the creation of new thread and Frontend objects, reducing the memory usage. The drawback is that there will be a single set of metrics for all addresses. + * ``ignoreTLSConfigurationErrors=false``: bool - Ignore TLS configuration errors (such as invalid certificate path) and just issue a warning instead of aborting the whole process .. function:: setLocal(address[, options])