From b06fed63789a5f383b93687a71735fe3cc898075 Mon Sep 17 00:00:00 2001
From: Wouter Wijngaards
Date: Mon, 18 Jun 2018 09:46:01 +0000
Subject: [PATCH] - Fix that control-use-cert: no works for 127.0.0.1 to disable certs.

git-svn-id: file:///svn/unbound/tags/release-1.7.3rc2@4740 be551aaa-1e26-0410-a405-d3ace91eadb9
---
 daemon/remote.c | 12 ++++++++----
 doc/Changelog | 3 +++
 doc/example.conf.in | 4 ++++
 doc/unbound.conf.5.in | 5 +++++
 smallapp/unbound-control.c | 2 +-
 util/config_file.c | 1 +
 util/config_file.h | 2 ++
 util/configparser.c | 2 +-
 util/configparser.y | 2 +-
 9 files changed, 26 insertions(+), 7 deletions(-)

diff --git a/daemon/remote.c b/daemon/remote.c
index a4ac2fea0..dcf98afbc 100644
--- a/daemon/remote.c
+++ b/daemon/remote.c
@@ -208,7 +208,7 @@ daemon_remote_create(struct config_file* cfg)
 rc->ctx = NULL;
 return rc;
 }
- if(options_remote_is_address(cfg)) {
+ if(options_remote_is_address(cfg) && cfg->control_use_cert) {
 if(!remote_setup_ctx(rc, cfg)) {
 daemon_remote_delete(rc);
 return NULL;
@@ -218,7 +218,8 @@ daemon_remote_create(struct config_file* cfg)
 struct config_strlist* p;
 rc->ctx = NULL;
 rc->use_cert = 0;
- for(p = cfg->control_ifs.first; p; p = p->next) {
+ if(!options_remote_is_address(cfg))
+ for(p = cfg->control_ifs.first; p; p = p->next) {
 if(p->str && p->str[0] != '/')
 log_warn("control-interface %s is not using TLS, but plain transfer, because first control-interface in config file is a local socket (starts with a /).", p->str);
 }
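Review bot: With `cfg->control_use_cert` zero on an IP control-interface, the new condition skips remote_setup_ctx(), and what appears to be the else branch in the next hunk leaves `rc->ctx = NULL` and `rc->use_cert = 0`, so the control channel then accepts commands with neither TLS nor client-certificate authentication and is protected only by what can reach that address. That is the intended effect of the option, but nothing at the condition says so, and the `&&` looks like an accident to a reader who does not know the option. A comment such as `/* control-use-cert: no turns off TLS, and with it client authentication, on IP control interfaces; documented for localhost only */` would keep the next maintainer from "fixing" it. daemon_remote_create's body starts before this hunk.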
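Review bot: The added `if(!options_remote_is_address(cfg))` wraps a multi-line `for` without braces and without re-indenting the loop, so the loop still reads as unconditional; brace it. In the same branch, when the loop is skipped because `control_use_cert` is 0 on an IP interface, nothing at all is logged, whereas the local-socket case warns for each plain interface, so the log carries no trace that TLS was switched off for the control channel. An informational line in an else branch would restore that visibility. The function continues outside the hunk.
```c
	if(!options_remote_is_address(cfg)) {
		for(p = cfg->control_ifs.first; p; p = p->next) {
			/* … unchanged: log_warn for interfaces that are not local sockets … */
		}
	} else {
		log_info("control-use-cert: no, remote control over TLS is disabled");
	}
```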
@@ -2207,9 +2208,12 @@ do_status(RES* ssl, struct worker* worker)
 uptime = (time_t)time(NULL) - (time_t)worker->daemon->time_boot.tv_sec;
 if(!ssl_printf(ssl, "uptime: " ARG_LL "d seconds\n", (long long)uptime))
 return;
- if(!ssl_printf(ssl, "options:%s%s\n" ,
+ if(!ssl_printf(ssl, "options:%s%s%s%s\n" ,
 (worker->daemon->reuseport?" reuseport":""),
- (worker->daemon->rc->accept_list?(worker->daemon->rc->use_cert?" control(ssl)":" control(namedpipe)"):"")))
+ (worker->daemon->rc->accept_list?" control":""),
+ (worker->daemon->rc->accept_list && worker->daemon->rc->use_cert?"(ssl)":""),
+ (worker->daemon->rc->accept_list && worker->daemon->cfg->control_ifs.first && worker->daemon->cfg->control_ifs.first->str && worker->daemon->cfg->control_ifs.first->str[0] == '/'?"(namedpipe)":"")
+ ))
 return;
 if(!ssl_printf(ssl, "unbound (pid %d) is running...\n", (int)getpid()))
diff --git a/doc/Changelog b/doc/Changelog
index 36adb3b74..723b0cbc4 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,6 @@
+18 June 2018: Wouter
+ - Fix that control-use-cert: no works for 127.0.0.1 to disable certs.
+
 15 June 2018: Wouter
 - tag for 1.7.3rc1.
diff --git a/doc/example.conf.in b/doc/example.conf.in
index d82c8e28e..55a088951 100644
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@@ -784,6 +784,10 @@ remote-control:
 # port number for remote control operations.
 # control-port: 8953
+ # for localhost, you can disable use of TLS by setting this to "no"
+ # For local sockets this option is ignored, and TLS is not used.
+ # control-use-cert: "yes"
+
 # unbound server key file.
 # server-key-file: "@UNBOUND_RUN_DIR@/unbound_server.key"
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index 48f40b7ca..c0ef1ab91 100644
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
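Review bot: The fourth format argument is a single long expression with three chained dereferences of `worker->daemon->cfg->control_ifs.first`, which is hard to check against the `(ssl)` argument next to it; hoist the two flags into locals declared with the function's other locals (above this hunk). The test repeated here, first control-interface starting with '/', looks like what options_remote_is_address() encodes judging by the log_warn text in daemon_remote_create, so calling it instead would keep the two from drifting apart — confirm before switching. Note also that an IP interface with control-use-cert: no now prints just `control` with neither suffix, so status gives no hint that the channel is unauthenticated; a third suffix for that case would make the downgrade visible to an operator.
```c
	/* declared with do_status's other locals, above this hunk */
	struct config_strlist* first = worker->daemon->cfg->control_ifs.first;
	int ctrl_ssl = worker->daemon->rc->accept_list && worker->daemon->rc->use_cert;
	int ctrl_pipe = worker->daemon->rc->accept_list && first && first->str
		&& first->str[0] == '/';
	/* … unchanged: uptime output … */
	if(!ssl_printf(ssl, "options:%s%s%s%s\n" ,
		/* … unchanged: reuseport and control arguments … */
		(ctrl_ssl?"(ssl)":""),
		(ctrl_pipe?"(namedpipe)":"")
		))
		return;
```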
@@ -1384,6 +1384,11 @@ default is 8953. If you change this and permissions have been dropped,
 you must restart the server for the change to take effect.
 .TP 5
+.B control\-use\-cert: \fI
+For localhost control-interface you can disable the use of TLS by setting
+this option to "no", default is "yes". For local sockets, TLS is disabled
+and the value of this option is ignored.
+.TP 5
 .B server\-key\-file: \fI
 Path to the server private key, by default unbound_server.key. This file is generated by the \fIunbound\-control\-setup\fR utility.
diff --git a/smallapp/unbound-control.c b/smallapp/unbound-control.c
index 3d97de5d3..8da4d4319 100644
--- a/smallapp/unbound-control.c
+++ b/smallapp/unbound-control.c
@@ -451,7 +451,7 @@ setup_ctx(struct config_file* cfg)
 char* s_cert=NULL, *c_key=NULL, *c_cert=NULL;
 SSL_CTX* ctx;
- if(!options_remote_is_address(cfg))
+ if(!(options_remote_is_address(cfg) && cfg->control_use_cert))
 return NULL;
 s_cert = fname_after_chroot(cfg->server_cert_file, cfg, 1);
 c_key = fname_after_chroot(cfg->control_key_file, cfg, 1);
diff --git a/util/config_file.c b/util/config_file.c
index 0f5bb6217..b06176053 100644
--- a/util/config_file.c
+++ b/util/config_file.c
@@ -247,6 +247,7 @@ config_create(void)
 cfg->control_ifs.first = NULL;
 cfg->control_ifs.last = NULL;
 cfg->control_port = UNBOUND_CONTROL_PORT;
+ cfg->control_use_cert = 1;
 cfg->minimal_responses = 0;
 cfg->rrset_roundrobin = 0;
 cfg->max_udp_size = 4096;
diff --git a/util/config_file.h b/util/config_file.h
index 0cd0cdd73..4206eb9a2 100644
--- a/util/config_file.h
+++ b/util/config_file.h
@@ -383,6 +383,8 @@ struct config_file {
 int remote_control_enable;
 /** the interfaces the remote control should listen on */
 struct config_strlist_head control_ifs;
+ /** if the use-cert option is set */
+ int control_use_cert;
 /** port number for the control port */
 int control_port;
 /** private key file for server */
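Review bot: setup_ctx now returns NULL both for "TLS deliberately off" (`control_use_cert` 0 on an IP interface, or a local socket) and, presumably, for the setup failures later in the body, which lies outside the hunk; if the caller tells those apart, the contract should be stated at this early return, e.g. `/* no TLS: local socket, or control-use-cert: no on an IP interface; the caller speaks plain TCP */`. Also worth noting at the same line: with `control_use_cert` 0 the client connects in plaintext to whatever control-interface is configured, not only 127.0.0.1, so the "localhost" qualifier in the documentation hunks is advice this code does not enforce.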
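Review bot: The new field comment `/** if the use-cert option is set */` says neither what the value means nor when it applies, while the other hunks show it defaults to 1, is set from `control-use-cert: yes`, and is consulted only when the control-interface is an IP address. Suggest `/** control-use-cert: nonzero (default) uses TLS on IP control interfaces; ignored for local sockets */` so the struct documents the security-relevant default on its own.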
diff --git a/util/configparser.c b/util/configparser.c
index facddca10..7e4002cd8 100644
--- a/util/configparser.c
+++ b/util/configparser.c
@@ -5082,7 +5082,7 @@ yyreduce:
 #line 2295 "./util/configparser.y" /* yacc.c:1646 */
 {
 OUTYY(("P(control_use_cert:%s)\n", (yyvsp[0].str)));
- /* ignored */
+ cfg_parser->cfg->control_use_cert = (strcmp((yyvsp[0].str), "yes")==0);
 free((yyvsp[0].str));
 }
 #line 5089 "util/configparser.c" /* yacc.c:1646 */
diff --git a/util/configparser.y b/util/configparser.y
index 7a5b06899..e34665ade 100644
--- a/util/configparser.y
+++ b/util/configparser.y
@@ -2294,7 +2294,7 @@ rc_control_interface: VAR_CONTROL_INTERFACE STRING_ARG
 rc_control_use_cert: VAR_CONTROL_USE_CERT STRING_ARG
 {
 OUTYY(("P(control_use_cert:%s)\n", $2));
- /* ignored */
+ cfg_parser->cfg->control_use_cert = (strcmp($2, "yes")==0);
 free($2);
 }
 ;
-- 
2.47.3
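Review bot: `(strcmp((yyvsp[0].str), "yes")==0)` accepts any string and treats everything other than exactly "yes" as no, so a typo or a variant such as "Yes" or "true" silently turns TLS off on the control channel — the option fails open. Validate first, as the grammar's other yes/no options do if I remember them right, in configparser.y: `if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)` / `yyerror("expected yes or no.");` / `else cfg_parser->cfg->control_use_cert = (strcmp($2, "yes")==0);`. The same defect is in the configparser.y hunk below, and configparser.c is generated from it (see the `#line` directives), so regenerate rather than editing both by hand.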