From: Otto Date: Fri, 5 Feb 2021 10:01:37 +0000 (+0100) Subject: Tweaks and man page updates X-Git-Tag: dnsdist-1.6.0-alpha2~59^2~4 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=cc1f4ed8e32e14230f63dd51b9d990dd0406add5;p=thirdparty%2Fpdns.git Tweaks and man page updates --- diff --git a/docs/manpages/sdig.1.rst b/docs/manpages/sdig.1.rst index 3fc868b96c..eeda8dc29e 100644 --- a/docs/manpages/sdig.1.rst +++ b/docs/manpages/sdig.1.rst @@ -39,6 +39,16 @@ showflags Show the NSEC3 flags in the response (they are hidden by default). tcp Use TCP instead of UDP to send the query. +dot + use DoT instead of UDP to send a query. Implies tcp. +insecure + when using DoT, do not validate the server certificate. +subjectName *name* + when using DoT, verify the server certificate is issued for *name*. +caStore *file* + when using Dot, read the trusted CA certificates from *file*. Default is to use the system provided CA store. +tlsProvider *name* + when using DoT, use TLS provider *name*. Currently supported (if compiled in): `openssl` and `gnutls`. Default is `openssl` if available. xpf *XPFCODE* *XPFVERSION* *XPFPROTO* *XPFSRC* *XPFDST* Send an *XPF* additional with these parameters. diff --git a/pdns/libssl.cc b/pdns/libssl.cc index deffcdbf49..af08817c1f 100644 --- a/pdns/libssl.cc +++ b/pdns/libssl.cc @@ -782,4 +782,19 @@ std::unique_ptr libssl_set_key_log_file(std::unique_ptr libssl_init_server_context(const TLS std::map& ocspResponses); std::unique_ptr libssl_set_key_log_file(std::unique_ptr& ctx, const std::string& logFile); + +std::string libssl_get_error_string(); + #endif /* HAVE_LIBSSL */ diff --git a/pdns/sdig.cc b/pdns/sdig.cc index afaef8ee80..85f05e1943 100644 --- a/pdns/sdig.cc +++ b/pdns/sdig.cc 
@@ -39,7 +39,7 @@ static void usage() cerr << "sdig" << endl; cerr << "Syntax: sdig IP-ADDRESS-OR-DOH-URL PORT QNAME QTYPE " "[dnssec] [ednssubnet SUBNET/MASK] [hidesoadetails] [hidettl] [recurse] [showflags] " - "[tcp] [dot] [insecure] [subjectName name] [caStore file] [tlsProvider provider] " + "[tcp] [dot] [insecure] [subjectName name] [caStore file] [tlsProvider openssl|gnutls] " "[xpf XPFDATA] [class CLASSNUM] " "[proxy UDP(0)/TCP(1) SOURCE-IP-ADDRESS-AND-PORT DESTINATION-IP-ADDRESS-AND-PORT]" << endl; diff --git a/pdns/tcpiohandler.cc b/pdns/tcpiohandler.cc index dd6429b77b..13aefa77c6 100644 --- a/pdns/tcpiohandler.cc +++ b/pdns/tcpiohandler.cc @@ -125,8 +125,11 @@ public: throw std::runtime_error("Syscall error while processing TLS connection: " + std::string(strerror(errno))); } else { - ERR_print_errors_fp(stderr); - throw std::runtime_error("Error while processing TLS connection: " + std::to_string(error)); + if (g_verbose) { + throw std::runtime_error("Error while processing TLS connection: " + libssl_get_error_string()); + } else { + throw std::runtime_error("Error while processing TLS connection: " + std::to_string(error)); + } } } @@ -383,7 +386,7 @@ class OpenSSLTLSIOCtx: public TLSCtx { public: /* server side context */ - OpenSSLTLSIOCtx(TLSFrontend& fe): d_feContext(std::make_shared(fe.d_addr, fe.d_tlsConfig)), d_ticketKeys{0}, d_tlsCtx(std::unique_ptr(nullptr, SSL_CTX_free)) + OpenSSLTLSIOCtx(TLSFrontend& fe): d_feContext(std::make_shared(fe.d_addr, fe.d_tlsConfig)), d_tlsCtx(std::unique_ptr(nullptr, SSL_CTX_free)) { d_ticketsKeyRotationDelay = fe.d_tlsConfig.d_ticketsKeyRotationDelay; @@ -418,7 +421,7 @@ public: } /* client side context */ - OpenSSLTLSIOCtx(const TLSContextParameters& params): d_ticketKeys(0), d_tlsCtx(std::unique_ptr(nullptr, SSL_CTX_free)) + OpenSSLTLSIOCtx(const TLSContextParameters& params): d_tlsCtx(std::unique_ptr(nullptr, SSL_CTX_free)) { int sslOptions = SSL_OP_NO_SSLv2 | 
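Review bot: The non-verbose branch of the new `else` block no longer drains the OpenSSL error queue — the removed `ERR_print_errors_fp(stderr)` emptied the thread's queue as a side effect, while `std::to_string(error)` only formats the numeric code (presumably the `SSL_get_error()` result). Entries left on the queue make later `SSL_get_error()` results on this thread misleading, including for other connections it handles, so clear it where the message is not built: `ERR_clear_error();` immediately before the `throw` in the non-verbose branch. Whether `libssl_get_error_string()` drains the queue itself cannot be confirmed here, since the libssl.cc hunk body is not visible on this page; if it does not, the verbose branch needs the same treatment. The enclosing function starts and ends outside the hunk.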
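Review bot: The client-side constructor appears to keep `SSL_OP_CIPHER_SERVER_PREFERENCE` in `sslOptions` — the option list is cut between this hunk and the next, whose leading context line shows that flag followed by `registerOpenSSLUser();`. On a context created with `TLS_client_method()` that flag has no effect, so carrying it over from the server-side list only obscures intent; dropping it, or noting `// server-only flags intentionally omitted` above the list, would make the client configuration easier to audit. The constructor body continues outside the hunk.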
@@ -430,13 +433,6 @@ public: SSL_OP_CIPHER_SERVER_PREFERENCE; registerOpenSSLUser(); -#if 0 // XXX - s_ticketsKeyIndex = SSL_CTX_get_ex_new_index(0, nullptr, nullptr, nullptr, nullptr); - - if (s_ticketsKeyIndex == -1) { - throw std::runtime_error("Error getting an index for tickets key"); - } -#endif #ifdef HAVE_TLS_CLIENT_METHOD d_tlsCtx = std::unique_ptr(SSL_CTX_new(TLS_client_method()), SSL_CTX_free); @@ -563,9 +559,7 @@ public: private: std::shared_ptr d_feContext; - OpenSSLTLSTicketKeysRing d_ticketKeys; - std::unique_ptr d_tlsCtx; - static std::atomic s_users; + std::unique_ptr d_tlsCtx; // client context }; #endif /* HAVE_LIBSSL */
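Review bot: The new `// client context` comment on `d_tlsCtx` tells only half the story: the server-side constructor of this same class (the hunk at new line 386) still initialises `d_tlsCtx` to a null `SSL_CTX`, so a reader will not know which member the server path actually uses. Suggest making the split explicit, e.g. `// client-side SSL_CTX only; the server side presumably keeps its context in d_feContext — confirm`, and, since `s_users` is removed here while `registerOpenSSLUser()` is still called from the client constructor, a one-line comment near that call saying where the user count now lives would help (the replacement is not visible on this page). The class declaration starts outside the hunk.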