- Do not open unencrypted channels next to encrypted ones on the same

  port.

diff --git a/doc/Changelog b/doc/Changelog
index 40e739fe7fe1224d1f81ea4b9d460a390b2ed173..cc90f7cfa7bd9ad2eaeda72715df2610222deba5 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -2,6 +2,8 @@
        - Use the same interface listening port discovery code for all needed
          protocols.
        - Port to string only when needed before getaddrinfo().
+       - Do not open unencrypted channels next to encrypted ones on the same
+         port.
 
 21 January 2025: Wouter
        - Fix compile of interface check code when dnscrypt or quic is

diff --git a/services/listen_dnsport.c b/services/listen_dnsport.c
index 2a6c6301cb197ccf6b864ca66a7585353f1f64c4..26efadc151a1fd9cb5e01c1afda168b61b5feb89 100644 (file)
--- a/services/listen_dnsport.c
+++ b/services/listen_dnsport.c
@@ -1314,6 +1314,12 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
                }
        }
 
+       /* Check if both UDP and TCP ports should be open.
+        * In the case of encrypted channels, probably an unencrypted channel
+        * at the same port is not desired. */
+       if((is_ssl || is_https) && !is_doq) do_udp = do_auto = 0;
+       if((is_doq) && !(is_https || is_ssl)) do_tcp = 0;
+
        if(do_auto) {
                ub_sock = calloc(1, sizeof(struct unbound_socket));
                if(!ub_sock)