
tls-session-ticket-keys (for DoT) fails in Windows #158

hdais opened this issue Jan 31, 2020 · 1 comment

hdais commented Jan 31, 2020

**Windows-only issue**

Unbound fails to read tls-session-ticket-keys files containing the byte sequence 0x0d 0x0a (CRLF) or the byte 0x1a (EOF), complaining that the file is too short (<80 bytes), probably because Unbound fopen()s the key files in text mode.


    tls-service-key: privkey.pem
    tls-service-pem: cert.pem
    tls-session-ticket-keys: crlfkey.txt   # 80 bytes file containing 0x0d 0x0a (CRLF) 

Examples of "bad" key files:


C:\Unbound>unbound.exe -c service.conf
[1580490664] unbound.exe[14412:0] error: tls-session-ticket-key crlfkey.txt is 79 bytes, must be 80 bytes
[1580490664] unbound.exe[14412:0] fatal error: could not set session ticket SSL_CTX

Probably because Unbound fopen()s the key files in text mode. (Sorry, I can't create a patch since I don't have a development environment for Windows.)
listen_sslctx_setup_ticket_keys() in util/net_help.c (excerpt):

int listen_sslctx_setup_ticket_keys(void* sslctx, struct config_strlist* tls_session_ticket_keys) {
    for(p = tls_session_ticket_keys; p; p = p->next) {
        f = fopen(p->str, "r");  /* <===  it should be "rb". */
        n = fread(data, 1, 80, f);
        if(n != 80) {
            log_err("tls-session-ticket-key %s is %d bytes, must be 80 bytes", p->str, (int)n);
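To make the reported mechanism concrete, here is an added C example (not Unbound's code and not from this issue) that emulates the two text-mode translations the Windows C runtime applies to a stream opened with "r", and shows a binary-mode loader that enforces the 80-byte length; the sample key bytes and file names are constructed assumptions.

```c
#include <stdio.h>

#define TICKET_KEY_LEN 80

/* Emulate the Windows C runtime's text-mode translation for fopen(path, "r"):
 * a CR directly before LF is dropped and 0x1a (Ctrl-Z) ends the stream.
 * Returns how many bytes a text-mode reader gets from n stored bytes. */
size_t emulate_text_mode_read(const unsigned char *in, size_t n, unsigned char *out)
{
    size_t i, o = 0;
    for(i = 0; i < n; i++) {
        if(in[i] == 0x1a)
            break;                              /* legacy EOF marker */
        if(in[i] == 0x0d && i + 1 < n && in[i + 1] == 0x0a)
            continue;                           /* CR of a CRLF pair is dropped */
        out[o++] = in[i];
    }
    return o;
}

/* Load a key the way the fix reads it: "rb", so every byte survives on every
 * platform. Returns 1 only if the file is exactly TICKET_KEY_LEN bytes. */
int load_ticket_key(const char *path, unsigned char key[TICKET_KEY_LEN])
{
    FILE *f = fopen(path, "rb");
    size_t n;
    if(!f) return 0;
    n = fread(key, 1, TICKET_KEY_LEN, f);
    if(n == TICKET_KEY_LEN && fgetc(f) != EOF)
        n = 0;                                  /* longer than 80 bytes: reject */
    fclose(f);
    return n == TICKET_KEY_LEN;
}

/* Write a constructed 80-byte sample to path in binary mode: filler with a
 * CRLF pair at offset 10 (like the report's crlfkey.txt) and, if with_ctrl_z
 * is set, a 0x1a at offset 40. Returns 1 on success. */
int write_sample_key(const char *path, int with_ctrl_z)
{
    unsigned char key[TICKET_KEY_LEN];
    size_t i; FILE *f; int ok;
    for(i = 0; i < TICKET_KEY_LEN; i++)
        key[i] = (unsigned char)('A' + i % 26);
    key[10] = 0x0d;
    key[11] = 0x0a;
    if(with_ctrl_z)
        key[40] = 0x1a;
    if(!(f = fopen(path, "wb"))) return 0;
    ok = fwrite(key, 1, TICKET_KEY_LEN, f) == TICKET_KEY_LEN;
    return fclose(f) == 0 && ok;
}
```

The CRLF sample comes back as 79 bytes through the emulated text-mode read, matching the "is 79 bytes" error in the report, while the binary loader returns all 80.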
ralphdolmans self-assigned this Feb 26, 2020

ralphdolmans commented Mar 19, 2020

Thank you for reporting this issue and proposing the fix!

jedisct1 added a commit to jedisct1/unbound that referenced this issue Mar 20, 2020
* nlnet/master: (149 commits)
  - Fix .travis.yml error, missing 'env' option.
  - Merge PR#194: Add libevent testing to Travis, by Jeffrey Walton.
  Add changelog entries for PR#134.
  - Log warning when using outgoing-port-permit and outgoing-port-avoid while explicit port randomisation is disabled.
  - Fix NLnetLabs#158: open tls-session-ticket-keys as binary, for Windows. By Daisuke HIGASHI.
  - Merge PR#191: Update iOS testing on Travis, by Jeffrey Walton.
  Add libevent testing to Travis
  Sync with upstream
  - Fix NLnetLabs#192: In the unbound-checkconf tool, the module config of dns64 subnetcache respip validator iterator is whitelisted, it was reported it seems to work.
  - Fix compile of test tools without protobuf.
  - Add check to make sure RPZ records are subdomain of configured zone origin.
  - Changelog entry for (Fix NLnetLabs#189, Merge PR NLnetLabs#190).
  Changelog for NLnetLabs#188 and configure script created. Removed unneeded whitespace.
  Fix NLnetLabs#188: unbound-control.c:882:6: error: 'execlp' is unavailable: not available on tvOS
  Fix NetBSD compile (GH NLnetLabs#189)
  - Changelog note for PR NLnetLabs#186: Fix unrecognized 'echo -n' option on OS X, by noloader.
  Fix unrecognized 'echo -n' option on OS X. Also see NLnetLabs#183. This PR also updates a few typos in, and expands the discussion of, PKG_CONFIG_PATH for those who are not familiar with it.
  Fix changelog note, it is NLnetLabs#182, not NLnetLabs#184.
  Changelog note for NLnetLabs#184. - Fix PR NLnetLabs#184 from noloader: Add iOS testing to Travis.
  Add iOS testing to Travis