From f822042cd027d380a5050a48c7ac1c5073dbaad5 Mon Sep 17 00:00:00 2001
From: Yorgos Thessalonikefs
Date: Tue, 21 Jan 2025 15:25:53 +0100
Subject: [PATCH] - Do not open unencrypted channels next to encrypted ones on the same port.

---
 doc/Changelog | 2 ++
 services/listen_dnsport.c | 6 ++++++
 2 files changed, 8 insertions(+)

diff --git a/doc/Changelog b/doc/Changelog
index 40e739fe7..cc90f7cfa 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -2,6 +2,8 @@
 	- Use the same interface listening port discovery code for all needed
 	  protocols.
 	- Port to string only when needed before getaddrinfo().
+	- Do not open unencrypted channels next to encrypted ones on the same
+	  port.
 21 January 2025: Wouter
 	- Fix compile of interface check code when dnscrypt or quic is
diff --git a/services/listen_dnsport.c b/services/listen_dnsport.c
index 2a6c6301c..26efadc15 100644
--- a/services/listen_dnsport.c
+++ b/services/listen_dnsport.c
@@ -1314,6 +1314,12 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
 		}
 	}
 
+	/* Check if both UDP and TCP ports should be open.
+	 * In the case of encrypted channels, probably an unencrypted channel
+	 * at the same port is not desired. */
+	if((is_ssl || is_https) && !is_doq) do_udp = do_auto = 0;
+	if((is_doq) && !(is_https || is_ssl)) do_tcp = 0;
+
 	if(do_auto) {
 		ub_sock = calloc(1, sizeof(struct unbound_socket));
 		if(!ub_sock)
-- 
2.47.3
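Review bot: The two new guards in ports_create_if zero do_udp/do_auto and do_tcp without any trace, so an operator whose configuration asked for a plaintext listener on a TLS/HTTPS or QUIC port gets no indication that it was silently dropped, which makes a missing listener hard to diagnose from the logs. A verbose-level line next to each guard, such as `verbose(VERB_OPS, "not opening unencrypted listener on %s: port is configured for an encrypted channel", ifname);`, would make the decision visible, and the comment's "probably ... not desired" could be replaced with the actual rule it enforces. Where is_ssl, is_https and is_doq are set is not visible in this hunk, so this assumes they are per-port flags that have already been resolved at this point. As a point of style, `(is_doq)` carries redundant parentheses, and the single-line bodies would be clearer braced, matching the surrounding `if(do_auto) {` form. The enclosing function starts and ends outside the hunk.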