From: Yorgos Thessalonikefs Date: Tue, 21 Jan 2025 14:25:53 +0000 (+0100) Subject: - Do not open unencrypted channels next to encrypted ones on the same X-Git-Tag: release-1.23.0rc1~59 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f822042cd027d380a5050a48c7ac1c5073dbaad5;p=thirdparty%2Funbound.git - Do not open unencrypted channels next to encrypted ones on the same port. --- diff --git a/doc/Changelog b/doc/Changelog index 40e739fe7..cc90f7cfa 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -2,6 +2,8 @@ - Use the same interface listening port discovery code for all needed protocols. - Port to string only when needed before getaddrinfo(). + - Do not open unencrypted channels next to encrypted ones on the same + port. 21 January 2025: Wouter - Fix compile of interface check code when dnscrypt or quic is diff --git a/services/listen_dnsport.c b/services/listen_dnsport.c index 2a6c6301c..26efadc15 100644 --- a/services/listen_dnsport.c +++ b/services/listen_dnsport.c @@ -1314,6 +1314,12 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp, } } + /* Check if both UDP and TCP ports should be open. + * In the case of encrypted channels, probably an unencrypted channel + * at the same port is not desired. */ + if((is_ssl || is_https) && !is_doq) do_udp = do_auto = 0; + if((is_doq) && !(is_https || is_ssl)) do_tcp = 0; + if(do_auto) { ub_sock = calloc(1, sizeof(struct unbound_socket)); if(!ub_sock)
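Review bot: in the services/listen_dnsport.c hunk, the two overrides `if((is_ssl || is_https) && !is_doq) do_udp = do_auto = 0;` and `if((is_doq) && !(is_https || is_ssl)) do_tcp = 0;` silently drop protocol flags the caller passed in, so an operator whose configuration expects a plain UDP or TCP listener on the same port as a TLS, HTTPS or QUIC one gets no diagnostic; a log line naming the interface, the port and the channel that was disabled would make the behaviour discoverable. The comment above them hedges with "probably ... is not desired" while the code applies the rule unconditionally, so it should state the rule as enforced, and the parentheses around `is_doq` in the second condition are redundant.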