Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

tls-session-ticket-keys (for DoT) fails in Windows #158

Closed
hdais opened this issue Jan 31, 2020 · 1 comment
Closed

tls-session-ticket-keys (for DoT) fails in Windows #158

hdais opened this issue Jan 31, 2020 · 1 comment
Assignees

Comments

@hdais
Copy link

hdais commented Jan 31, 2020

** Windows only issue **

Unbound fails to read tls-session-ticket-keys files containing byte sequence 0x0d 0x0a (CRLF) or 0x1a (EOF) complaining that size of file is too short (<80 bytes), probably because Unbound fopen()s key files in text mode.

service.conf:

server:
    interface: 0.0.0.0@853
    tls-service-key: privkey.pem
    tls-service-pem: cert.pem
    tls-session-ticket-keys: crlfkey.txt   # 80 bytes file containing 0x0d 0x0a (CRLF) 

Examples of "bad" key files:

unbound.log

C:\Unbound>unbound.exe -c service.conf
[1580490664] unbound.exe[14412:0] error: tls-session-ticket-key crlfkey.txt is 79 bytes, must be 80 bytes
[1580490664] unbound.exe[14412:0] fatal error: could not set session ticket SSL_CTX

Probably because Unbound fopen()s key files in text mode. (Sorry I can't create patch since I don't have development environment for Windows)
listen_sslctx_setup_ticket_keys() in util/net_help.c:

int listen_sslctx_setup_ticket_keys(void* sslctx, struct config_strlist* tls_session_ticket_keys) {
        ...
    for(p = tls_session_ticket_keys; p; p = p->next) {
        ...
        f = fopen(p->str, "r");  /* <===  it should be "rb". */ 
        ...
        n = fread(data, 1, 80, f);
        ...
        if(n != 80) {
            log_err("tls-session-ticket-key %s is %d bytes, must be 80 bytes", p->str, (int)n);
        }
    }
@ralphdolmans ralphdolmans self-assigned this Feb 26, 2020
@ralphdolmans
Copy link
Contributor

ralphdolmans commented Mar 19, 2020

Thank you for reporting this issue and proposing the fix!

jedisct1 added a commit to jedisct1/unbound that referenced this issue Mar 20, 2020
* nlnet/master: (149 commits)
  - Fix .travis.yml error, missing 'env' option.
  - Merge PR#194: Add libevent testing to Travis, by Jeffrey Walton.
  Add changelog entries for PR#134.
  - Log warning when using outgoing-port-permit and outgoing-port-avoid   while explicit port randomisation is disabled.
  - Fix NLnetLabs#158: open tls-session-ticket-keys as binary, for Windows. By Daisuke   HIGASHI.
  - Merge PR#191: Update iOS testing on Travis, by Jeffrey Walton.
  Add libevent testing to Travis
  Sync with upstream
  - Fix NLnetLabs#192: In the unbound-checkconf tool, the module config of   dns64 subnetcache respip validator iterator is whitelisted, it was   reported it seems to work.
  - Fix compile of test tools without protobuf.
  - Add check to make sure RPZ records are subdomain of configured zone origin.
  - Changelog entry for (Fix NLnetLabs#189, Merge PR NLnetLabs#190).
  Changelog for NLnetLabs#188 and configure script created.  Removed unneeded whitespace.
  Fix NLnetLabs#188: unbound-control.c:882:6: error: 'execlp' is unavailable: not available on tvOS
  Fix NetBSD compile (GH NLnetLabs#189)
  - Changelog note for PR NLnetLabs#186: Fix unrecognized 'echo -n' option on OS X,   by noloader.
  Fix unrecognized 'echo -n' option on OS X Also see NLnetLabs#183. This PR also updates a few typos in README-Travis.md, and expands the discussion of PKG_CONFIG_PATH for those who are not familiar with it.
  Fix changelog note, it is NLnetLabs#182, not NLnetLabs#184.
  Changelog note for NLnetLabs#184. - Fix PR NLnetLabs#184 from noloader: Add iOS testing to Travis.
  Add iOS testing to Travis
  ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants