return LibsslTLSVersion::TLS13;
}
+ [[nodiscard]] std::pair<long, std::string> getVerifyResult() const override
+ {
+ return {-1, "Not implemented yet"};
+ }
+
[[nodiscard]] bool hasSessionBeenResumed() const override
{
return false;
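Review bot: The `-1` this stub returns is the same value the OpenSSL implementation further down the page uses for `"No certificate presented by peer"`, so a caller inspecting `first` cannot distinguish "this provider cannot report a verification status" from "the peer sent no certificate". The two other `"Not implemented yet"` stubs on this page and the GnuTLS one near the end return the identical pair, so the collision exists for every non-OpenSSL provider. A dedicated sentinel for "unsupported" (or an `enum class` for the first member) would keep the states apart; at minimum a comment on the stub such as `// TODO: -1 is a placeholder, not an X509 verify code; report the provider's result once available` would flag it for callers. The enclosing class is outside the hunk.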
return LibsslTLSVersion::TLS13;
}
+ [[nodiscard]] std::pair<long, std::string> getVerifyResult() const override
+ {
+ return {-1, "Not implemented yet"};
+ }
+
bool hasSessionBeenResumed() const override
{
return false;
return LibsslTLSVersion::TLS13;
}
+ [[nodiscard]] std::pair<long, std::string> getVerifyResult() const override
+ {
+ return {-1, "Not implemented yet"};
+ }
+
bool hasSessionBeenResumed() const override
{
return false;
std::shared_ptr<TLSCtx> tlsCtx{nullptr};
if (dnsOverTLS) {
- TLSContextParameters tlsParams;
- tlsParams.d_provider = "openssl";
- tlsParams.d_validateCertificates = false;
- // tlsParams.d_caStore
- tlsCtx = getTLSContext(tlsParams);
+ tlsCtx = TCPOutConnectionManager::getTLSContext(nsName, remote);
if (tlsCtx == nullptr) {
g_slogout->info(Logr::Error, "DoT requested but not available", "server", Logging::Loggable(remote));
dnsOverTLS = false;
LWResult::Result ret = asendtcp(packet, connection.d_handler);
if (ret != LWResult::Result::Success) {
+ auto result = connection.d_handler->getVerifyResult();
+ cerr << "ASENDTCP RETURNED FAIL " << ip.toString() << ' ' << result.first << ' ' << result.second << endl;
return ret;
}
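Review bot: The added failure path writes to `cerr` with `endl`, while the surrounding code (the DoT fallback a few lines earlier) logs through `g_slogout` with structured fields, so this looks like debugging output rather than a finished log line; the `#if 0` → `#if 1` switch that enables the `TCPLOG` macro in the next hunk and the `return false` → `return true` in the `#elif defined(RECURSOR)` branch further down the page read the same way and should probably not land together with the feature. If the verify result is worth logging on failure, something like `g_slogout->info(Logr::Error, "asendtcp failed", "server", Logging::Loggable(ip), "verifyCode", Logging::Loggable(result.first), "verifyError", Logging::Loggable(result.second));` keeps it on the logger and avoids the unconditional stderr write. Note that on a plain-TCP connection `getVerifyResult()` returns `{0, ""}` (see the `TCPIOHandler` wrapper at the end of the page), so the logged code is meaningless unless `dnsOverTLS` is also recorded. The enclosing function starts and ends outside the hunk.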
static void handleRunningTCPQuestion(int fileDesc, FDMultiplexer::funcparam_t& var);
-#if 0
+#if 1
#define TCPLOG(tcpsock, x) \
do { \
cerr << []() { timeval t; gettimeofday(&t, nullptr); return t.tv_sec % 10 + t.tv_usec/1000000.0; }() << " FD " << (tcpsock) << ' ' << x; \
}
if (packet.size() != data.size()) { // main loop tells us what it sent out, or empty in case of an error
// fd housekeeping done by TCPIOHandlerIO
- TCPLOG(pident->tcpsock, "PermanentError size mismatch" << endl);
+ TCPLOG(pident->tcpsock, "PermanentError size mismatch " << endl);
return LWResult::Result::PermanentError;
}
return Connection{};
}
+std::shared_ptr<TLSCtx> TCPOutConnectionManager::getTLSContext(const std::string& name, const ComboAddress& address)
+{
+ TLSContextParameters tlsParams;
+ tlsParams.d_provider = "openssl";
+ tlsParams.d_validateCertificates = true;
+ // tlsParams.d_caStore
+ return ::getTLSContext(tlsParams);
+}
+
uint64_t getCurrentIdleTCPConnections()
{
return broadcastAccFunction<uint64_t>([] { return t_tcp_manager.getSize(); });
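Review bot: Both parameters of `TCPOutConnectionManager::getTLSContext` are unused — `name` and `address` are accepted but the context is built from fixed parameters — so `-Wunused-parameter` builds will warn and the `nsName`/`remote` passed at the lwres call site near the top of the page have no effect. Either omit the names (`const std::string& /*name*/, const ComboAddress& /*address*/`) or mark them `[[maybe_unused]]` with a comment saying per-server settings are to follow. Flipping `d_validateCertificates` to `true` while `// tlsParams.d_caStore` stays commented out means validation runs against whatever trust store the provider uses when none is configured; a comment stating which store that is (or an explicit `d_caStore`) would make the intended trust anchor visible to the reader. The method also constructs a fresh context on every call; the removed lines did the same inline, so this is not a regression, but if it is now called per connection a cache keyed on `name`/`address` may be worth it. The explicit `::getTLSContext` qualification is required because the member shadows the free function — a short comment on that line would stop someone "simplifying" it away.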
return new uint64_t(size()); // NOLINT(cppcoreguidelines-owning-memory): it's the API
}
+ static std::shared_ptr<TLSCtx> getTLSContext(const std::string& name, const ComboAddress& address);
+
private:
// This does not take into account that we can have multiple connections with different hosts (via SNI) to the same IP.
// That is OK, since we are connecting by IP only at the moment.
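Review bot: The new static declaration has no comment describing what `name` and `address` select or what a null return means, even though the `private:` section right after it is commented. Something like `// Build the TLS context used for DoT connections to the given name server; returns nullptr when the provider could not produce one (callers fall back to plain TCP).` on the declaration would document the contract the lwres call site relies on — the fallback behaviour is inferred from the `tlsCtx == nullptr` check near the top of the page, so adjust the wording if that is not the intent. The enclosing class starts and ends outside the hunk.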
#ifdef DNSDIST
return dnsdist::configuration::getCurrentRuntimeConfiguration().d_verbose;
#elif defined(RECURSOR)
- return false;
+ return true;
#else
return true;
#endif
return result;
}
+ [[nodiscard]] std::pair<long, std::string> getVerifyResult() const override
+ {
+ if (d_conn) {
+ auto errorCode = SSL_get_verify_result(d_conn.get());
+ auto certPresented = errorCode != X509_V_OK;
+ if (!certPresented) {
+ auto* cert = SSL_get_peer_certificate(d_conn.get());
+ if (cert != nullptr) {
+ certPresented = true;
+ X509_free(cert);
+ }
+ }
+ const auto* errorMsg = X509_verify_cert_error_string(errorCode);
+ if (!certPresented) {
+ return {-1, "No certificate presented by peer"};
+ }
+ return {errorCode, errorMsg != nullptr ? errorMsg : "No details available"};
+ }
+ return {0, ""};
+ }
+
LibsslTLSVersion getTLSVersion() const override
{
auto proto = SSL_version(d_conn.get());
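Review bot: `return {0, ""}` on the `!d_conn` path is indistinguishable from a successful verification, because `0` is also the `X509_V_OK` value returned through `errorCode` a few lines above; a caller testing `result.first == 0` will treat a connection that was never established as verified. The `TCPIOHandler::getVerifyResult` wrapper at the end of the page returns the same `{0, ""}` for a non-TLS handler, so the ambiguity reaches callers in two ways; a distinct sentinel for "no verification information", or a comment on the interface stating that `0` covers both cases, would remove it. `SSL_get_peer_certificate` is deprecated in OpenSSL 3.0 in favour of `SSL_get1_peer_certificate`, so if the build targets 3.x this will warn. The `errorMsg` lookup is unused on the `!certPresented` early return and could move below it. `getTLSVersion` continues outside the hunk.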
}
}
+ [[nodiscard]] std::pair<long, std::string> getVerifyResult() const override
+ {
+ return {-1, "Not implemented yet"};
+ }
+
bool hasSessionBeenResumed() const override
{
if (d_conn) {
virtual bool isUsable() const = 0;
virtual std::vector<int> getAsyncFDs() = 0;
virtual void close() = 0;
+ [[nodiscard]] virtual std::pair<long, std::string> getVerifyResult() const = 0;
void setUnknownTicketKey()
{
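Review bot: The new pure virtual has no comment describing the contract of the returned pair, and the implementations on this page do not agree on it: the OpenSSL one returns the `SSL_get_verify_result` code with `-1` for "no certificate" and `{0, ""}` when there is no connection, while the other providers return `{-1, "Not implemented yet"}`. A comment on the declaration such as `// Peer certificate verification status: first is the provider's verify-result code (0 when verified, or when no result is available), second a human-readable description; providers that cannot report it return -1.` would give implementers and callers a single reference — reword if the intended meaning of the first member differs. The enclosing class starts and ends outside the hunk.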
return d_conn != nullptr;
}
+ [[nodiscard]] std::pair<long, std::string> getVerifyResult() const
+ {
+ if (d_conn) {
+ return d_conn->getVerifyResult();
+ }
+ return {0, ""};
+ }
+
bool hasTLSSessionBeenResumed() const
{
return d_conn && d_conn->hasSessionBeenResumed();