From: W.C.A. Wijngaards Date: Tue, 21 Apr 2026 09:59:05 +0000 (+0200) Subject: - Fix that upstream TLS connections are not reused as TLS X-Git-Tag: release-1.25.0rc1~5 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=9de549c498439d4426374f1fd5884ca2ee643fa4;p=thirdparty%2Funbound.git - Fix that upstream TLS connections are not reused as TLS connections for a different name, at the same IP. This checks that the tls name is correct when reusing the upstream connections. Thanks to TaoFei Guo from Peking University and JianJun Chen from Tsinghua University for the report. --- diff --git a/doc/Changelog b/doc/Changelog index fcbb4ca6f..52515a33e 100644 --- a/doc/Changelog +++ b/doc/Changelog @@ -26,6 +26,12 @@ domain names in the SOA rdata are checked before the authority code picks up the zone serial. Thanks to Halil Oktay for the report. + - Fix that upstream TLS connections are not reused as TLS + connections for a different name, at the same IP. This + checks that the tls name is correct when reusing the + upstream connections. Thanks to TaoFei Guo from Peking + University and JianJun Chen from Tsinghua University for + the report. 20 April 2026: Wouter - Fix compile warnings for thread setname routine, and test compile. diff --git a/services/outside_network.c b/services/outside_network.c index 2b7f7d0a2..8034ff60b 100644 --- a/services/outside_network.c +++ b/services/outside_network.c @@ -160,6 +160,19 @@ reuse_cmp_addrportssl(const void* key1, const void* key2) return 1; if(!r1->is_ssl && r2->is_ssl) return -1; + + /* compare tls_auth_name if SSL-enabled */ + if(r1->is_ssl) { + if(r1->tls_auth_name && !r2->tls_auth_name) + return 1; + if(!r1->tls_auth_name && r2->tls_auth_name) + return -1; + if(r1->tls_auth_name && r2->tls_auth_name) { + r = strcmp(r1->tls_auth_name, r2->tls_auth_name); + if(r != 0) + return r; + } + } return 0; } @@ -531,7 +544,7 @@ reuse_tcp_insert(struct outside_network* outnet, struct pending_tcp* pend_tcp) /** find reuse tcp stream to destination for query, or NULL if none */ static struct reuse_tcp* reuse_tcp_find(struct outside_network* outnet, struct sockaddr_storage* addr, - socklen_t addrlen, int use_ssl) + socklen_t addrlen, int use_ssl, char* tls_auth_name) { struct waiting_tcp key_w; struct pending_tcp key_p; @@ -545,8 +558,10 @@ reuse_tcp_find(struct outside_network* outnet, struct sockaddr_storage* addr, key_p.c = &c; key_p.reuse.pending = &key_p; key_p.reuse.node.key = &key_p.reuse; - if(use_ssl) + if(use_ssl) { key_p.reuse.is_ssl = 1; + key_p.reuse.tls_auth_name = tls_auth_name; + } if(addrlen > (socklen_t)sizeof(key_p.reuse.addr)) return NULL; memmove(&key_p.reuse.addr, addr, addrlen); @@ -646,6 +661,7 @@ static int outnet_tcp_take_into_use(struct waiting_tcp* w) { struct pending_tcp* pend = w->outnet->tcp_free; + char* tls_auth_name = NULL; int s; log_assert(pend); log_assert(w->pkt); @@ -746,7 +762,22 @@ outnet_tcp_take_into_use(struct waiting_tcp* w) comm_point_tcp_win_bio_cb(pend->c, pend->c->ssl); #endif pend->c->ssl_shake_state = comm_ssl_shake_write; - if(!set_auth_name_on_ssl(pend->c->ssl, w->tls_auth_name, + if(w->tls_auth_name) { + /* strdup the auth name, while not linked the list yet, + * in case of failure, easy cleanup. */ + tls_auth_name = strdup(w->tls_auth_name); + if(!tls_auth_name) { + log_err("out of memory: alloc tls auth name"); + pend->c->fd = s; +#ifdef HAVE_SSL + SSL_free(pend->c->ssl); +#endif + pend->c->ssl = NULL; + comm_point_close(pend->c); + return 0; + } + } + if(!set_auth_name_on_ssl(pend->c->ssl, tls_auth_name, w->outnet->tls_use_sni)) { pend->c->fd = s; #ifdef HAVE_SSL @@ -754,6 +785,7 @@ outnet_tcp_take_into_use(struct waiting_tcp* w) #endif pend->c->ssl = NULL; comm_point_close(pend->c); + free(tls_auth_name); return 0; } } @@ -778,9 +810,20 @@ outnet_tcp_take_into_use(struct waiting_tcp* w) if(pend->reuse.node.key) reuse_tcp_remove_tree_list(w->outnet, &pend->reuse); - if(pend->c->ssl) + if(pend->c->ssl) { pend->reuse.is_ssl = 1; - else pend->reuse.is_ssl = 0; + if(pend->reuse.tls_auth_name) + free(pend->reuse.tls_auth_name); + pend->reuse.tls_auth_name = tls_auth_name; + tls_auth_name = NULL; + } else { + pend->reuse.is_ssl = 0; + if(pend->reuse.tls_auth_name) + free(pend->reuse.tls_auth_name); + pend->reuse.tls_auth_name = NULL; + } + /* free tls auth name if nonNULL */ + free(tls_auth_name); /* insert in reuse by address tree if not already inserted there */ (void)reuse_tcp_insert(w->outnet, pend); reuse_tree_by_id_insert(&pend->reuse, w); @@ -969,7 +1012,7 @@ use_free_buffer(struct outside_network* outnet) (!outnet->tcp_reuse_first && !outnet->tcp_reuse_last) || (outnet->tcp_reuse_first && outnet->tcp_reuse_last)); reuse = reuse_tcp_find(outnet, &w->addr, w->addrlen, - w->ssl_upstream); + w->ssl_upstream, w->tls_auth_name); /* re-select an ID when moving to a new TCP buffer */ w->id = tcp_select_id(outnet, reuse); LDNS_ID_SET(w->pkt, w->id); @@ -1198,6 +1241,10 @@ decommission_pending_tcp(struct outside_network* outnet, /* needs unlink from the reuse tree to get deleted */ reuse_tcp_remove_tree_list(outnet, &pend->reuse); } + if(pend->reuse.tls_auth_name) { + free(pend->reuse.tls_auth_name); + pend->reuse.tls_auth_name = NULL; + } /* free SSL structure after remove from outnet tcp reuse tree, * because the c->ssl null or not is used for sorting in the tree */ if(pend->c->ssl) { @@ -1922,6 +1969,10 @@ outside_network_delete(struct outside_network* outnet) * the tcp conn is working on */ decommission_pending_tcp(outnet, pend); } + if(pend->reuse.tls_auth_name) { + free(pend->reuse.tls_auth_name); + pend->reuse.tls_auth_name = NULL; + } comm_point_delete(outnet->tcp_conns[i]->c); free(outnet->tcp_conns[i]); outnet->tcp_conns[i] = NULL; @@ -2447,7 +2498,7 @@ pending_tcp_query(struct serviced_query* sq, sldns_buffer* packet, /* find out if a reused stream to the target exists */ /* if so, take it into use */ reuse = reuse_tcp_find(sq->outnet, &sq->addr, sq->addrlen, - sq->ssl_upstream); + sq->ssl_upstream, sq->tls_auth_name); if(reuse) { log_reuse_tcp(VERB_CLIENT, "pending_tcp_query: found reuse", reuse); log_assert(reuse->pending); diff --git a/services/outside_network.h b/services/outside_network.h index 7404d462f..e30ce92eb 100644 --- a/services/outside_network.h +++ b/services/outside_network.h @@ -264,6 +264,9 @@ struct reuse_tcp { socklen_t addrlen; /** also key for tcp_reuse tree, if ssl is used */ int is_ssl; + /** If is_ssl is enabled, tls_auth_name is part of the key for + * tcp_reuse tree. If the string is NULL, it without a tls_auth_name */ + char* tls_auth_name; /** lru chain, so that the oldest can be removed to get a new * connection when all are in (re)use. oldest is last in list. * The lru only contains empty connections waiting for reuse, diff --git a/testdata/tls_reuse_auth.tdir/tls_reuse_auth.conf b/testdata/tls_reuse_auth.tdir/tls_reuse_auth.conf new file mode 100644 index 000000000..bea487d28 --- /dev/null +++ b/testdata/tls_reuse_auth.tdir/tls_reuse_auth.conf @@ -0,0 +1,22 @@ +server: + verbosity: 5 + # num-threads: 1 + interface: 127.0.0.1 + port: @PORT@ + use-syslog: no + directory: . + pidfile: "unbound.pid" + chroot: "" + username: "" + do-not-query-localhost: no + + tls-cert-bundle: "unbound_server.pem" + tls-upstream: yes + +forward-zone: + name: "." + forward-addr: "127.0.0.1@@TOPORT@#unbound" + +forward-zone: + name: "example.org." + forward-addr: "127.0.0.1@@TOPORT@#badname" diff --git a/testdata/tls_reuse_auth.tdir/tls_reuse_auth.conf2 b/testdata/tls_reuse_auth.tdir/tls_reuse_auth.conf2 new file mode 100644 index 000000000..a134e9f95 --- /dev/null +++ b/testdata/tls_reuse_auth.tdir/tls_reuse_auth.conf2 @@ -0,0 +1,40 @@ +# this is the upstream server that has pipelining and responds to queries. +server: + verbosity: 1 + # num-threads: 1 + interface: 127.0.0.1@@PORT@ + port: @PORT@ + use-syslog: no + directory: . + pidfile: "unbound2.pid" + chroot: "" + username: "" + do-not-query-localhost: no + tls-port: @PORT@ + tls-service-key: "unbound_server.key" + tls-service-pem: "unbound_server.pem" + tcp-idle-timeout: 10000 + + log-queries: yes + log-replies: yes + log-identity: "upstream" + + local-zone: "." refuse + local-zone: "example.com" static + local-data: "www.example.com A 10.20.30.40" + local-data: "www1.example.com A 10.20.30.41" + local-data: "www2.example.com A 10.20.30.42" + local-data: "www3.example.com A 10.20.30.43" + local-data: "www4.example.com A 10.20.30.44" + local-data: "www5.example.com A 10.20.30.45" + local-data: "www6.example.com A 10.20.30.46" + local-data: "www7.example.com A 10.20.30.47" + + local-data: "www.example.org A 10.20.31.40" + local-data: "badname.example.org A 10.20.31.41" + +# if queries escape, send them to localhost +forward-zone: + name: "." + forward-tls-upstream: yes + forward-addr: "127.0.0.1@@TOPORT@" diff --git a/testdata/tls_reuse_auth.tdir/tls_reuse_auth.dsc b/testdata/tls_reuse_auth.tdir/tls_reuse_auth.dsc new file mode 100644 index 000000000..afcc94e84 --- /dev/null +++ b/testdata/tls_reuse_auth.tdir/tls_reuse_auth.dsc @@ -0,0 +1,16 @@ +BaseName: tls_reuse_auth +Version: 1.0 +Description: Test tls stream reuse with tls auth name. +CreationDate: Thu Apr 02 11:11:00 CEST 2026 +Maintainer: Wouter Wijngaards +Category: +Component: +CmdDepends: +Depends: +Help: +Pre: tls_reuse_auth.pre +Post: tls_reuse_auth.post +Test: tls_reuse_auth.test +AuxFiles: +Passed: +Failure: diff --git a/testdata/tls_reuse_auth.tdir/tls_reuse_auth.post b/testdata/tls_reuse_auth.tdir/tls_reuse_auth.post new file mode 100644 index 000000000..ab87571de --- /dev/null +++ b/testdata/tls_reuse_auth.tdir/tls_reuse_auth.post @@ -0,0 +1,19 @@ +# #-- tls_reuse_auth.post --# +# source the master var file when it's there +[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master +# source the test var file when it's there +[ -f .tpkg.var.test ] && source .tpkg.var.test +# +# do your teardown here +. ../common.sh +kill_from_pidfile "unbound2.pid" +if test -f unbound2.log; then + echo ">>> upstream log" + cat unbound2.log +fi +#kill_pid $UNBOUND_PID +kill_from_pidfile "unbound.pid" +if test -f unbound.log; then + echo ">>> unbound log" + cat unbound.log +fi diff --git a/testdata/tls_reuse_auth.tdir/tls_reuse_auth.pre b/testdata/tls_reuse_auth.tdir/tls_reuse_auth.pre new file mode 100644 index 000000000..9bb2d08d7 --- /dev/null +++ b/testdata/tls_reuse_auth.tdir/tls_reuse_auth.pre @@ -0,0 +1,34 @@ +# #-- tls_reuse_auth.pre--# +# source the master var file when it's there +[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master +# use .tpkg.var.test for in test variable passing +[ -f .tpkg.var.test ] && source .tpkg.var.test + +PRE="../.." +. ../common.sh +get_random_port 2 +UNBOUND_PORT=$RND_PORT +UPSTREAM_PORT=$(($RND_PORT + 1)) +echo "UNBOUND_PORT=$UNBOUND_PORT" >> .tpkg.var.test +echo "UPSTREAM_PORT=$UPSTREAM_PORT" >> .tpkg.var.test + +# make config file +sed -e 's/@PORT\@/'$UNBOUND_PORT'/' -e 's/@TOPORT\@/'$UPSTREAM_PORT'/' < tls_reuse_auth.conf > ub.conf +# start unbound in the background +#$PRE/unbound -d -c ub.conf >unbound.log 2>&1 & +$PRE/unbound -d -c ub.conf 2>&1 | tee unbound.log & +UNBOUND_PID=$! +echo "UNBOUND_PID=$UNBOUND_PID" >> .tpkg.var.test +wait_unbound_up unbound.log + +# make upstream config file +sed -e 's/@PORT\@/'$UPSTREAM_PORT'/' -e 's/@TOPORT\@/'$UPSTREAM_PORT'/' < tls_reuse_auth.conf2 > ub2.conf +# start upstream unbound in the background +#$PRE/unbound -d -c ub2.conf >unbound2.log 2>&1 & +$PRE/unbound -d -c ub2.conf 2>&1 | tee unbound2.log & +UPSTREAM_PID=$! +echo "UPSTREAM_PID=$UPSTREAM_PID" >> .tpkg.var.test +wait_unbound_up unbound2.log + +cat .tpkg.var.test + diff --git a/testdata/tls_reuse_auth.tdir/tls_reuse_auth.test b/testdata/tls_reuse_auth.tdir/tls_reuse_auth.test new file mode 100644 index 000000000..f6f98d5de --- /dev/null +++ b/testdata/tls_reuse_auth.tdir/tls_reuse_auth.test @@ -0,0 +1,90 @@ +# #-- tls_reuse_auth.test --# +# source the master var file when it's there +[ -f ../.tpkg.var.master ] && source ../.tpkg.var.master +# use .tpkg.var.test for in test variable passing +[ -f .tpkg.var.test ] && source .tpkg.var.test + +PRE="../.." +. ../common.sh + +get_make +(cd $PRE; $MAKE streamtcp) + +echo "> query www1.example.com." +$PRE/streamtcp -f 127.0.0.1@$UNBOUND_PORT www1.example.com. A IN >outfile 2>&1 +cat outfile +if test "$?" -ne 0; then + echo "exit status not OK" + echo "> cat logfiles" + cat outfile + cat unbound2.log + cat unbound.log + echo "Not OK" + exit 1 +fi +if grep "www1.example.com" outfile | grep "10.20.30.41"; then + echo "content OK" +else + echo "result contents not OK, for www1.example.com" + echo "> cat logfiles" + cat outfile + cat unbound2.log + cat unbound.log + echo "result contents not OK, for www1.example.com" + exit 1 +fi +echo "OK" +echo "" + +# this should be reused on the same tcp stream: +echo "> query www2.example.com." +$PRE/streamtcp -f 127.0.0.1@$UNBOUND_PORT www2.example.com. A IN >outfile 2>&1 +cat outfile +if test "$?" -ne 0; then + echo "exit status not OK" + echo "> cat logfiles" + cat outfile + cat unbound2.log + cat unbound.log + echo "Not OK" + exit 1 +fi +if grep "www2.example.com" outfile | grep "10.20.30.42"; then + echo "content OK" +else + echo "result contents not OK, for www2.example.com" + echo "> cat logfiles" + cat outfile + cat unbound2.log + cat unbound.log + echo "result contents not OK, for www2.example.com" + exit 1 +fi + +# bad query with different auth name. +echo "> query badname.example.org." +$PRE/streamtcp -f 127.0.0.1@$UNBOUND_PORT badname.example.org. A IN >outfile 2>&1 +cat outfile +if test "$?" -ne 0; then + echo "exit status not OK" + echo "> cat logfiles" + cat outfile + cat unbound2.log + cat unbound.log + echo "Not OK" + exit 1 +fi +if grep "badname.example.org" outfile | grep "10.20.31.41"; then + echo "result contents not OK, for badname.example.org" + echo "> cat logfiles" + cat outfile + cat unbound2.log + cat unbound.log + echo "result contents not OK, for badname.example.org" + exit 1 +else + echo "content OK" +fi + +echo "OK" +exit 0 diff --git a/testdata/tls_reuse_auth.tdir/unbound_control.key b/testdata/tls_reuse_auth.tdir/unbound_control.key new file mode 100644 index 000000000..753a4ef61 --- /dev/null +++ b/testdata/tls_reuse_auth.tdir/unbound_control.key @@ -0,0 +1,39 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIG4gIBAAKCAYEAstEp+Pyh8XGrtZ77A4FhYjvbeB3dMa7Q2rGWxobzlA9przhA +1aChAvUtCOAuM+rB6NTNB8YWfZJbQHawyMNpmC77cg6vXLYCGUQHZyAqidN049RJ +F5T7j4N8Vniv17LiRdr0S6swy4PRvEnIPPV43EQHZqC5jVvHsKkhIfmBF/Dj5TXR +ypeawWV/m5jeU6/4HRYMfytBZdO1mPXuWLh0lgbQ4SCbgrOUVD3rniMk1yZIbQOm +vlDHYqekjDb/vOW2KxUQLG04aZMJ1mWfdbwG0CKQkSjISEDZ1l76vhM6mTM0fwXb +IvyFZ9yPPCle1mF5aSlxS2cmGuGVSRQaw8XF9fe3a9ACJJTr33HdSpyaZkKRAUzL +cKqLCl323daKv3NwwAT03Tj4iQM416ASMoiyfFa/2GWTKQVjddu8Crar7tGaf5xr +lig4DBmrBvdYA3njy72/RD71hLwmlRoCGU7dRuDr9O6KASUm1Ri91ONZ/qdjMvov +15l2vj4GV+KXR00dAgMBAAECggGAHepIL1N0dEQkCdpy+/8lH54L9WhpnOo2HqAf +LU9eaKK7d4jdr9+TkD8cLaPzltPrZNxVALvu/0sA4SP6J1wpyj/x6P7z73qzly5+ +Xo5PD4fEwmi9YaiW/UduAblnEZrnp/AddptJKoL/D5T4XtpiQddPtael4zQ7kB57 +YIexRSQTvEDovA/o3/nvA0TrzOxfgd4ycQP3iOWGN/TMzyLsvjydrUwbOB567iz9 +whL3Etdgvnwh5Sz2blbFfH+nAR8ctvFFz+osPvuIVR21VMEI6wm7kTpSNnQ6sh/c +lrLb/bTADn4g7z/LpIZJ+MrLvyEcoqValrLYeFBhM9CV8woPxvkO2P3pU47HVGax +tC7GV6a/kt5RoKFd/TNdiA3OC7NGZtaeXv9VkPf4fVwBtSO9d5ZZXTGEynDD/rUQ +U4KFJe6OD23APjse08HiiKqTPhsOneOONU67iqoaTdIkT2R4EdlkVEDpXVtWb+G9 +Q+IqYzVljlzuyHrhWXLJw/FMa2aBAoHBAOnZbi4gGpH+P6886WDWVgIlTccuXoyc +Mg9QQYk9UDeXxL0AizR5bZy49Sduegz9vkHpAiZARQsUnizHjZ8YlRcrmn4t6tx3 +ahTIKAjdprnxJfYINM580j8CGbXvX5LhIlm3O267D0Op+co3+7Ujy+cjsIuFQrP+ +1MqMgXSeBjzC1APivmps7HeFE+4w0k2PfN5wSMDNCzLo99PZuUG5XZ93OVOS5dpN +b+WskdcD8NOoJy/X/5A08veEI/jYO/DyqQKBwQDDwUQCOWf41ecvJLtBHKmEnHDz +ftzHino9DRKG8a9XaN4rmetnoWEaM2vHGX3pf3mwH+dAe8vJdAQueDhBKYeEpm6C +TYNOpou1+Zs5s99BilCTNYo8fkMOAyqwRwmz9zgHS6QxXuPwsghKefLJGt6o6RFF +tfWVTfLlYJ+I3GQe3ySsk3wjVz4oUTKiyiq5+KzD+HhEkS7u+RQ7Z0ZI2xd2cF8Y +aN2hjKDpcOiFf3CDoqka5D1qMNLgIHO52AHww1UCgcA1h7o7AMpURRka6hyaODY0 +A4oMYEbwdQjYjIyT998W+rzkbu1us6UtzQEBZ760npkgyU/epbOoV63lnkCC/MOU +LD0PST+L/CHiY/cWIHb79YG1EifUZKpUFg0Aoq0EGFkepF0MefGCkbRGYA5UZr9U +R80wAu9D+L+JJiS0J0BSRF74DL196zUuHt5zFeXuLzxsRtPAnq9DliS08BACRYZy +7H3I7cWD9Vn5/0jbKWHFcaaWwyETR6uekTcSzZzbCRECgcBeoE3/xUA9SSk34Mmj +7/cB4522Ft0imA3+9RK/qJTZ7Bd5fC4PKjOGNtUiqW/0L2rjeIiQ40bfWvWqgPKw +jSK1PL6uvkl6+4cNsFsYyZpiVDoe7wKju2UuoNlB3RUTqa2r2STFuNj2wRjA57I1 +BIgdnox65jqQsd14g/yaa+75/WP9CE45xzKEyrtvdcqxm0Pod3OrsYK+gikFjiar +kT0GQ8u0QPzh2tjt/2ZnIfOBrl+QYERP0MofDZDjhUdq2wECgcB0Lu841+yP5cdR +qbJhXO4zJNh7oWNcJlOuQp3ZMNFrA1oHpe9pmLukiROOy01k9WxIMQDzU5GSqRv3 +VLkYOIcbhJ3kClKAcM3j95SkKbU2H5/RENb3Ck52xtl4pNU1x/3PnVFZfDVuuHO9 +MZ9YBcIeK98MyP2jr5JtFKnOyPE7xKq0IHIhXadpbc2wjje5FtZ1cUtMyEECCXNa +C1TpXebHGyXGpY9WdWXhjdE/1jPvfS+uO5WyuDpYPr339gsdq1g= +-----END RSA PRIVATE KEY----- diff --git a/testdata/tls_reuse_auth.tdir/unbound_control.pem b/testdata/tls_reuse_auth.tdir/unbound_control.pem new file mode 100644 index 000000000..a1edf7017 --- /dev/null +++ b/testdata/tls_reuse_auth.tdir/unbound_control.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDszCCAhsCFGD5193whHQ2bVdzbaQfdf1gc4SkMA0GCSqGSIb3DQEBCwUAMBIx +EDAOBgNVBAMMB3VuYm91bmQwHhcNMjAwNzA4MTMzMjMwWhcNNDAwMzI1MTMzMjMw +WjAaMRgwFgYDVQQDDA91bmJvdW5kLWNvbnRyb2wwggGiMA0GCSqGSIb3DQEBAQUA +A4IBjwAwggGKAoIBgQCy0Sn4/KHxcau1nvsDgWFiO9t4Hd0xrtDasZbGhvOUD2mv +OEDVoKEC9S0I4C4z6sHo1M0HxhZ9kltAdrDIw2mYLvtyDq9ctgIZRAdnICqJ03Tj +1EkXlPuPg3xWeK/XsuJF2vRLqzDLg9G8Scg89XjcRAdmoLmNW8ewqSEh+YEX8OPl +NdHKl5rBZX+bmN5Tr/gdFgx/K0Fl07WY9e5YuHSWBtDhIJuCs5RUPeueIyTXJkht +A6a+UMdip6SMNv+85bYrFRAsbThpkwnWZZ91vAbQIpCRKMhIQNnWXvq+EzqZMzR/ +Bdsi/IVn3I88KV7WYXlpKXFLZyYa4ZVJFBrDxcX197dr0AIklOvfcd1KnJpmQpEB +TMtwqosKXfbd1oq/c3DABPTdOPiJAzjXoBIyiLJ8Vr/YZZMpBWN127wKtqvu0Zp/ +nGuWKDgMGasG91gDeePLvb9EPvWEvCaVGgIZTt1G4Ov07ooBJSbVGL3U41n+p2My ++i/XmXa+PgZX4pdHTR0CAwEAATANBgkqhkiG9w0BAQsFAAOCAYEAd++Wen6l8Ifj +4h3p/y16PhSsWJWuJ4wdNYy3/GM84S26wGjzlEEwiW76HpH6VJzPOiBAeWnFKE83 +hFyetEIxgJeIPbcs9ZP/Uoh8GZH9tRISBSN9Hgk2Slr9llo4t1H0g/XTgA5HqMQU +9YydlBh43G7Vw3FVwh09OM6poNOGQKNc/tq2/QdKeUMtyBbLWpRmjH5XcCT35fbn +ZiVOUldqSHD4kKrFO4nJYXZyipRbcXybsLiX9GP0GLemc3IgIvOXyJ2RPp06o/SJ +pzlMlkcAfLJaSuEW57xRakhuNK7m051TKKzJzIEX+NFYOVdafFHS8VwGrYsdrFvD +72tMfu+Fu55y3awdWWGc6YlaGogZiuMnJkvQphwgn+5qE/7CGEckoKEsH601rqIZ +muaIc85+nEcHJeijd/ZlBN9zeltjFoMuqTUENgmv8+tUAdVm/UMY9Vjme6b43ydP +uv6DS02+k9z8toxXworLiPr94BGaiGV1NxgwZKLZigYJt/Fi2Qte +-----END CERTIFICATE----- diff --git a/testdata/tls_reuse_auth.tdir/unbound_server.key b/testdata/tls_reuse_auth.tdir/unbound_server.key new file mode 100644 index 000000000..370a7bbb2 --- /dev/null +++ b/testdata/tls_reuse_auth.tdir/unbound_server.key @@ -0,0 +1,39 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIG5AIBAAKCAYEAvjSVSN2QMXudpzukdLCqgg/IOhCX8KYkD0FFFfWcQjgKq5wI +0x41iG32a6wbGanre4IX7VxaSPu9kkHfnGgynCk5nwDRedE/FLFhAU78PoT0+Nqq +GRS7XVQ24vLmIz9Hqc2Ozx1um1BXBTmIT0UfN2e22I0LWQ6a3seZlEDRj45gnk7Z +uh9MDgotaBdm+v1JAbupSf6Zis4VEH3JNdvVGE3O1DHEIeuuz/3BDhpf6WBDH+8K +WaBe1ca4TZHr9ThL2gEMEfAQl0wXDwRWRoi3NjNMH+mw0L1rjwThI5GXqNIee7o5 +FzUReSXZuTdFMyGe3Owcx+XoYnwi6cplSNoGsDBu4B9bKKglR9YleJVw4L4Xi8xP +q6O9UPj4+nypHk/DOoC7DIM3ufN0yxPBsFo5TVowxfhdjZXJbbftd2TZv7AH8+XL +A5UoZgRzXgzECelXSCTBFlMTnT48LfA9pMLydyjAz2UdPHs5Iv+TK5nnI+aJoeaP +7kFZSngxdy1+A/bNAgMBAAECggGBALpTOIqQwVg4CFBylL/a8K1IWJTI/I65sklf +XxYL7G7SB2HlEJ//z+E+F0+S4Vlao1vyLQ5QkgE82pAUB8FoMWvY1qF0Y8A5wtm6 +iZSGk4OLK488ZbT8Ii9i+AGKgPe2XbVxsJwj8N4k7Zooqec9hz73Up8ATEWJkRz7 +2u7oMGG4z91E0PULA64dOi3l/vOQe5w/Aa+CwVbAWtI05o7kMvQEBMDJn6C7CByo +MB5op9wueJMnz7PM7hns+U7Dy6oE4ljuolJUy51bDzFWwoM54cRoQqLFNHd8JVQj +WxldCkbfF43iyprlsEcUrTyUjtdA+ZeiG39vg/mtdmgNpGmdupHJZQvSuG8IcVlz +O+eMSeQS1QXPD6Ik8UK4SU0h+zOl8xIWtRrsxQuh4fnTN40udm/YUWl/6gOebsBI +IrVLlKGqJSfB3tMjpCRqdTzJ0dA9keVpkqm2ugZkxEf1+/efq/rFIQ2pUBLCqNTN +qpNqruK8y8FphP30I2uI4Ej2UIB8AQKBwQDd2Yptj2FyDyaXCycsyde0wYkNyzGU +dRnzdibfHnMZwjgTjwAwgIUBVIS8H0/z7ZJQKN7osJfddMrtjJtYYUk9g/dCpHXs +bNh2QSoWah3FdzNGuWd0iRf9+LFxhjAAMo/FS8zFJAJKrFsBdCGTfFUMdsLC0bjr +YjiWBuvV72uKf8XIZX5KIZruKdWBBcWukcb21R1UDyFYyXRBsly5XHaIYKZql3km +7pV7MKWO0IYgHbHIqGUqPQlzZ/lkunS1jKECgcEA23wHffD6Ou9/x3okPx2AWpTr +gh8rgqbyo6hQkBW5Y90Wz824cqaYebZDaBR/xlVx/YwjKkohv8Bde2lpH/ZxRZ1Z +5Sk2s6GJ/vU0L9RsJZgCgj4L6Coal1NMxuZtCXAlnOpiCdxSZgfqbshbTVz30KsG +ZJG361Cua1ScdAHxlZBxT52/1Sm0zRC2hnxL7h4qo7Idmtzs40LAJvYOKekR0pPN +oWeJfra7vgx/jVNvMFWoOoSLpidVO4g+ot4ery6tAoHAdW3rCic1C2zdnmH28Iw+ +s50l8Lk3mz+I5wgJd1zkzCO0DxZIoWPGA3g7cmCYr6N3KRsZMs4W9NAXgjpFGDkW +zYsG3K21BdpvkdjYcFjnPVjlOXB2RIc0vehf9Jl02wXoeCSxVUDEPcaRvWk9RJYx +ZpGOchUU7vNkxHURbIJ4yCzuAi9G8/Jp0dsu+kaV5tufF5SjG5WOrzKjaQsCbdN1 +oqaWMCHRrTvov/Z2C+xwsptFOdN5CSyZzg6hQiI4GMlBAoHAXyb6KINcOEi0YMp3 +BFXJ23tMTnEs78tozcKeipigcsbaqORK3omS+NEnj+uzKUzJyl4CsMbKstK2tFYS +mSTCHqgE3PBtIpsZtEqhgUraR8IK9GPpzZDTTl9ynZgwFTNlWw3RyuyVXF56J+T8 +kCGJ3hEHCHqT/ZRQyX85BKIDFhA0z4tYKxWVqIFiYBNq56R0X9tMMmMs36mEnF93 +7Ht6mowxTZQRa7nU0qOgeKh/P7ki4Zus3y+WJ+T9IqahLtlRAoHBAIhqMrcxSAB8 +RpB9jukJlAnidw2jCMPgrFE8tP0khhVvGrXMldxAUsMKntDIo8dGCnG1KTcWDI0O +jepvSPHSsxVLFugL79h0eVIS5z4huW48i9xgU8VlHdgAcgEPIAOFcOw2BCu/s0Vp +O+MM/EyUOdo3NsibB3qc/GJI6iNBYS7AljYEVo6rXo5V/MZvZUF4vClen6Obzsre +MTTb+4sJjfqleWuvr1XNMeu2mBfXBQkWGZP1byBK0MvD/aQ2PWq92A== +-----END RSA PRIVATE KEY----- diff --git a/testdata/tls_reuse_auth.tdir/unbound_server.pem b/testdata/tls_reuse_auth.tdir/unbound_server.pem new file mode 100644 index 000000000..986807310 --- /dev/null +++ b/testdata/tls_reuse_auth.tdir/unbound_server.pem @@ -0,0 +1,22 @@ +-----BEGIN CERTIFICATE----- +MIIDqzCCAhMCFBHWXeQ6ZIa9QcQbXLFfC6tj+KA+MA0GCSqGSIb3DQEBCwUAMBIx +EDAOBgNVBAMMB3VuYm91bmQwHhcNMjAwNzA4MTMzMjI5WhcNNDAwMzI1MTMzMjI5 +WjASMRAwDgYDVQQDDAd1bmJvdW5kMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIB +igKCAYEAvjSVSN2QMXudpzukdLCqgg/IOhCX8KYkD0FFFfWcQjgKq5wI0x41iG32 +a6wbGanre4IX7VxaSPu9kkHfnGgynCk5nwDRedE/FLFhAU78PoT0+NqqGRS7XVQ2 +4vLmIz9Hqc2Ozx1um1BXBTmIT0UfN2e22I0LWQ6a3seZlEDRj45gnk7Zuh9MDgot +aBdm+v1JAbupSf6Zis4VEH3JNdvVGE3O1DHEIeuuz/3BDhpf6WBDH+8KWaBe1ca4 +TZHr9ThL2gEMEfAQl0wXDwRWRoi3NjNMH+mw0L1rjwThI5GXqNIee7o5FzUReSXZ +uTdFMyGe3Owcx+XoYnwi6cplSNoGsDBu4B9bKKglR9YleJVw4L4Xi8xPq6O9UPj4 ++nypHk/DOoC7DIM3ufN0yxPBsFo5TVowxfhdjZXJbbftd2TZv7AH8+XLA5UoZgRz +XgzECelXSCTBFlMTnT48LfA9pMLydyjAz2UdPHs5Iv+TK5nnI+aJoeaP7kFZSngx +dy1+A/bNAgMBAAEwDQYJKoZIhvcNAQELBQADggGBABunf93MKaCUHiZgnoOTinsW +84/EgInrgtKzAyH+BhnKkJOhhR0kkIAx5d9BpDlaSiRTACFon9moWCgDIIsK/Ar7 +JE0Kln9cV//wiiNoFU0O4mnzyGUIMvlaEX6QHMJJQYvL05+w/3AAcf5XmMJtR5ca +fJ8FqvGC34b2WxX9lTQoyT52sRt+1KnQikiMEnEyAdKktMG+MwKsFDdOwDXyZhZg +XZhRrfX3/NVJolqB6EahjWIGXDeKuSSKZVtCyib6LskyeMzN5lcRfvubKDdlqFVF +qlD7rHBsKhQUWK/IO64mGf7y/de+CgHtED5vDvr/p2uj/9sABATfbrOQR3W/Of25 +sLBj4OEfrJ7lX8hQgFaxkMI3x6VFT3W8dTCp7xnQgb6bgROWB5fNEZ9jk/gjSRmD +yIU+r0UbKe5kBk/CmZVFXL2TyJ92V5NYEQh8V4DGy19qZ6u/XKYyNJL4ocs35GGe +CA8SBuyrmdhx38h1RHErR2Skzadi1S7MwGf1y431fQ== +-----END CERTIFICATE-----