From: Otto Moerbeek
Date: Wed, 1 Oct 2025 07:40:04 +0000 (+0200)
Subject: Add code to get certificate validation status (openssl only ATM)
X-Git-Tag: rec-5.4.0-alpha1~190^2~9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d72636d6e96a1de4c225cd25b5bee02022850d6b;p=thirdparty%2Fpdns.git

Add code to get certificate validation status (openssl only ATM)

Signed-off-by: Otto Moerbeek
---
diff --git a/pdns/dnsdistdist/test-dnsdistnghttp2-in_cc.cc b/pdns/dnsdistdist/test-dnsdistnghttp2-in_cc.cc
index 7d8924ce99..c1b892e55e 100644
--- a/pdns/dnsdistdist/test-dnsdistnghttp2-in_cc.cc
+++ b/pdns/dnsdistdist/test-dnsdistnghttp2-in_cc.cc
@@ -406,6 +406,11 @@ public:
 return LibsslTLSVersion::TLS13;
 }
 
+ [[nodiscard]] std::pair getVerifyResult() const override
+ {
+ return {-1, "Not implemented yet"};
+ }
+
 [[nodiscard]] bool hasSessionBeenResumed() const override
 {
 return false;
diff --git a/pdns/dnsdistdist/test-dnsdistnghttp2_cc.cc b/pdns/dnsdistdist/test-dnsdistnghttp2_cc.cc
index a58b738611..94670dd0ec 100644
--- a/pdns/dnsdistdist/test-dnsdistnghttp2_cc.cc
+++ b/pdns/dnsdistdist/test-dnsdistnghttp2_cc.cc
@@ -439,6 +439,11 @@ public:
 return LibsslTLSVersion::TLS13;
 }
 
+ [[nodiscard]] std::pair getVerifyResult() const override
+ {
+ return {-1, "Not implemented yet"};
+ }
+
 bool hasSessionBeenResumed() const override
 {
 return false;
diff --git a/pdns/dnsdistdist/test-dnsdisttcp_cc.cc b/pdns/dnsdistdist/test-dnsdisttcp_cc.cc
index 53c8b1110a..290b103a81 100644
--- a/pdns/dnsdistdist/test-dnsdisttcp_cc.cc
+++ b/pdns/dnsdistdist/test-dnsdisttcp_cc.cc
@@ -260,6 +260,11 @@ public:
 return LibsslTLSVersion::TLS13;
 }
 
+ [[nodiscard]] std::pair getVerifyResult() const override
+ {
+ return {-1, "Not implemented yet"};
+ }
+
 bool hasSessionBeenResumed() const override
 {
 return false;
diff --git a/pdns/recursordist/lwres.cc b/pdns/recursordist/lwres.cc
index 976c17f1df..127c74bbe4 100644
--- a/pdns/recursordist/lwres.cc
+++ b/pdns/recursordist/lwres.cc
@@ -413,11 +413,7 @@ static bool tcpconnect(const OptLog& log, const ComboAddress& remote, const std:
 std::shared_ptr tlsCtx{nullptr};
 if (dnsOverTLS) {
- TLSContextParameters tlsParams;
- tlsParams.d_provider = "openssl";
- tlsParams.d_validateCertificates = false;
- // tlsParams.d_caStore
- tlsCtx = getTLSContext(tlsParams);
+ tlsCtx = TCPOutConnectionManager::getTLSContext(nsName, remote);
 if (tlsCtx == nullptr) {
 g_slogout->info(Logr::Error, "DoT requested but not available", "server", Logging::Loggable(remote));
 dnsOverTLS = false;
@@ -451,6 +447,8 @@ static LWResult::Result tcpsendrecv(const ComboAddress& ip, TCPOutConnectionMana
 LWResult::Result ret = asendtcp(packet, connection.d_handler);
 if (ret != LWResult::Result::Success) {
+ auto result = connection.d_handler->getVerifyResult();
+ cerr << "ASENDTCP RETURNED FAIL " << ip.toString() << ' ' << result.first << ' ' << result.second << endl;
 return ret;
 }
diff --git a/pdns/recursordist/rec-tcp.cc b/pdns/recursordist/rec-tcp.cc
index b5e23140d9..775d30db8f 100644
--- a/pdns/recursordist/rec-tcp.cc
+++ b/pdns/recursordist/rec-tcp.cc
@@ -73,7 +73,7 @@ static thread_local std::unique_ptr t_tcpClientCounts = std::
 static void handleRunningTCPQuestion(int fileDesc, FDMultiplexer::funcparam_t& var);
-#if 0
+#if 1
 #define TCPLOG(tcpsock, x) \
 do { \
 cerr << []() { timeval t; gettimeofday(&t, nullptr); return t.tv_sec % 10 + t.tv_usec/1000000.0; }() << " FD " << (tcpsock) << ' ' << x; \
@@ -989,7 +989,7 @@ LWResult::Result asendtcp(const PacketBuffer& data, shared_ptr& ha
 }
 if (packet.size() != data.size()) { // main loop tells us what it sent out, or empty in case of an error
 // fd housekeeping done by TCPIOHandlerIO
- TCPLOG(pident->tcpsock, "PermanentError size mismatch" << endl);
+ TCPLOG(pident->tcpsock, "PermanentError size mismatch " << endl);
 return LWResult::Result::PermanentError;
 }
diff --git a/pdns/recursordist/rec-tcpout.cc b/pdns/recursordist/rec-tcpout.cc
index d1edba0bec..4ace08a172 100644
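Review bot: Replacing the inline `TLSContextParameters` with `TCPOutConnectionManager::getTLSContext(nsName, remote)` flips DoT certificate validation from off (`d_validateCertificates = false` on the removed lines) to on for every outgoing DoT connection, and nothing at the call site records that policy change. A short comment would make it visible to the next reader, e.g. `// The context validates the upstream certificate; a failing chain presumably shows up at handshake time, not as tlsCtx == nullptr`, since the only error branch here covers a missing TLS provider and logs "DoT requested but not available", which does not describe a rejected certificate. Whether `nsName` is the parameter truncated in the hunk header (`const std:`) cannot be told from here, nor whether the helper actually uses it for host-name matching. tcpconnect's body continues outside the hunk.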
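Review bot: The added `cerr << "ASENDTCP RETURNED FAIL " ...` writes unstructured text to stderr on every failed TCP send, bypassing the structured logger the previous hunk uses (`g_slogout->info(...)`), so the verification outcome never reaches normal log collection and cannot be filtered by level. Route it through the logger along the lines of `g_slogout->info(Logr::Warning, "TCP send failed", "server", Logging::Loggable(ip), "verifyCode", Logging::Loggable(result.first), "verifyReason", Logging::Loggable(result.second));` (which `Loggable` overloads exist for int and string is not visible here). Note that for a plain-TCP handler `getVerifyResult()` returns `{0, ""}`, so the message would report a verify code of 0 for connections on which no TLS verification took place; attaching the fields only when DoT was in use avoids that ambiguity. tcpsendrecv continues outside the hunk.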
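Review bot: Changing `#if 0` to `#if 1` compiles the TCPLOG macro in for every build, so the recursor's TCP path now writes timestamped per-event lines (including file descriptors) to stderr unconditionally; the `return true;` under `#elif defined(RECURSOR)` in the tcpiohandler.cc @@ -42 hunk does the same for verbose TLS logging. Both read as debugging aids left in rather than intended behaviour, and neither the commit message nor the hunks say otherwise. If they are meant to stay, gate them on a runtime setting (the DNSDIST branch of shouldDoVerboseLogging already consults a configuration flag) instead of a compile-time constant; otherwise restore `#if 0` and `return false;` before merge. The TCPLOG definition continues past the hunk.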
--- a/pdns/recursordist/rec-tcpout.cc
+++ b/pdns/recursordist/rec-tcpout.cc
@@ -82,6 +82,15 @@ TCPOutConnectionManager::Connection TCPOutConnectionManager::get(const endpoints
 return Connection{};
 }
 
+std::shared_ptr TCPOutConnectionManager::getTLSContext(const std::string& name, const ComboAddress& address)
+{
+ TLSContextParameters tlsParams;
+ tlsParams.d_provider = "openssl";
+ tlsParams.d_validateCertificates = true;
+ // tlsParams.d_caStore
+ return ::getTLSContext(tlsParams);
+}
+
 uint64_t getCurrentIdleTCPConnections()
 {
 return broadcastAccFunction([] { return t_tcp_manager.getSize(); });
diff --git a/pdns/recursordist/rec-tcpout.hh b/pdns/recursordist/rec-tcpout.hh
index e52a20b943..64fae67eda 100644
--- a/pdns/recursordist/rec-tcpout.hh
+++ b/pdns/recursordist/rec-tcpout.hh
@@ -68,6 +68,8 @@ public:
 return new uint64_t(size()); // NOLINT(cppcoreguidelines-owning-memory): it's the API
 }
 
+ static std::shared_ptr getTLSContext(const std::string& name, const ComboAddress& address);
+
 private:
 // This does not take into account that we can have multiple connections with different hosts (via SNI) to the same IP.
 // That is OK, since we are connecting by IP only at the moment.
diff --git a/pdns/tcpiohandler.cc b/pdns/tcpiohandler.cc
index 6c1549f564..d0450680dc 100644
--- a/pdns/tcpiohandler.cc
+++ b/pdns/tcpiohandler.cc
@@ -42,7 +42,7 @@ bool shouldDoVerboseLogging()
 #ifdef DNSDIST
 return dnsdist::configuration::getCurrentRuntimeConfiguration().d_verbose;
 #elif defined(RECURSOR)
- return false;
+ return true;
 #else
 return true;
 #endif
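Review bot: `getTLSContext` takes `name` and `address` but uses neither, so although `d_validateCertificates = true` now checks the chain, nothing in this hunk ties the certificate to the server it was requested for; unless the handler applies `name` as the expected host name elsewhere (not visible here), any certificate chaining to a trusted root would be accepted for any upstream, and that binding is the check an on-path attacker actually has to defeat. The `// tlsParams.d_caStore` line leaves the trust anchor unspecified, and which store the provider falls back to when it is unset is not visible here; it should be stated next to that line. Since the parameters are unused today, mark them `[[maybe_unused]]` or leave them unnamed to keep the build warning-free, and add a header comment such as `// Builds the TLS context for outgoing DoT connections; validation is chain-only until name/address are applied`. Each call also constructs a fresh context from `tlsParams`; if this runs once per connection (the lwres.cc caller suggests so), the trust-store loading repeats per DoT connection and a cached context may be wanted.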
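Review bot: The new static `getTLSContext` declaration carries no comment, while the neighbouring members in this hunk are commented, and as the entry point that decides the outgoing TLS validation policy it should state its contract. Suggest, above the declaration: `// Returns the TLS context for an outgoing DoT connection to address (nameserver name); certificates are validated. Returns nullptr when no TLS provider is available.` The nullptr meaning is inferred from the lwres.cc caller's `tlsCtx == nullptr` check and should be confirmed against the implementation in rec-tcpout.cc before it is written down.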
@@ -563,6 +563,27 @@ public:
 return result;
 }
 
+ [[nodiscard]] std::pair getVerifyResult() const override
+ {
+ if (d_conn) {
+ auto errorCode = SSL_get_verify_result(d_conn.get());
+ auto certPresented = errorCode != X509_V_OK;
+ if (!certPresented) {
+ auto* cert = SSL_get_peer_certificate(d_conn.get());
+ if (cert != nullptr) {
+ certPresented = true;
+ X509_free(cert);
+ }
+ }
+ const auto* errorMsg = X509_verify_cert_error_string(errorCode);
+ if (!certPresented) {
+ return {-1, "No certificate presented by peer"};
+ }
+ return {errorCode, errorMsg != nullptr ? errorMsg : "No details available"};
+ }
+ return {0, ""};
+ }
+
 LibsslTLSVersion getTLSVersion() const override
 {
 auto proto = SSL_version(d_conn.get());
@@ -1607,6 +1628,11 @@ public:
 }
 }
 
+ [[nodiscard]] std::pair getVerifyResult() const override
+ {
+ return {-1, "Not implemented yet"};
+ }
+
 bool hasSessionBeenResumed() const override
 {
 if (d_conn) {
diff --git a/pdns/tcpiohandler.hh b/pdns/tcpiohandler.hh
index 9450b61180..ff831b5ccf 100644
--- a/pdns/tcpiohandler.hh
+++ b/pdns/tcpiohandler.hh
@@ -39,6 +39,7 @@ public:
 virtual bool isUsable() const = 0;
 virtual std::vector getAsyncFDs() = 0;
 virtual void close() = 0;
+ [[nodiscard]] virtual std::pair getVerifyResult() const = 0;
 
 void setUnknownTicketKey()
 {
@@ -524,6 +525,14 @@ public:
 return d_conn != nullptr;
 }
 
+ [[nodiscard]] std::pair getVerifyResult() const
+ {
+ if (d_conn) {
+ return d_conn->getVerifyResult();
+ }
+ return {0, ""};
+ }
+
 bool hasTLSSessionBeenResumed() const
 {
 return d_conn && d_conn->hasSessionBeenResumed();
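Review bot: The `return {0, ""};` taken when `d_conn` is null is indistinguishable from a successful verification, because X509_V_OK is 0; a caller testing `result.first == 0` would treat a handler with no TLS connection as verified, and the wrapper added in tcpiohandler.hh @@ -524 repeats the same `{0, ""}`. Use a distinct negative code for "no TLS connection" (for instance `-2`, a constructed example) and reserve 0 for a real X509_V_OK; relatedly, the `-1` used here for "No certificate presented by peer" is the same value the stub in the @@ -1607 hunk returns for "Not implemented yet", so those two cases cannot be told apart either. If the build targets OpenSSL 3.x, `SSL_get_peer_certificate` is deprecated there in favour of `SSL_get1_peer_certificate` (same ownership: the caller still frees the reference). The method also deserves a header comment, e.g. `// Outcome of the peer-certificate verification done during the handshake: first is an X509_V_* code (X509_V_OK when the chain validated) or a negative value when no certificate was presented or there is no connection; second is a human-readable reason.` The enclosing class begins outside the hunk.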
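Review bot: The new pure virtual `getVerifyResult()` has no comment saying what the pair holds, yet the OpenSSL implementation returns an X509_V_* code plus sentinels (`-1`, `0`) whose meaning every provider has to agree on; the interface declaration is where that contract belongs. Suggest a comment above it: `// Peer certificate verification outcome: first is the provider's verification code (0 == X509_V_OK when the chain validated, negative when no certificate was presented or the provider does not implement this), second is a human-readable reason; only meaningful once the handshake has completed.` The "only after the handshake" part is inferred from how SSL_get_verify_result behaves and should be confirmed for the other providers.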