Add modern X.509v3 extensions to unbound-control TLS certificates #324

Merged 1 commit on Oct 19, 2020


Fixes #316

Add modern X.509v3 extensions to the TLS certificates generated by unbound-control-setup. This is required by certain modern TLS clients, including unbound_exporter for Prometheus when using Golang 1.15+.

Tested with OpenSSL 1.0.2k (CentOS 7) and 1.1.1c (CentOS 8).

Many thanks to @bastelfreak for identifying the problem and starting a patch.
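As an added example (not code from this PR, from unbound-control-setup or from unbound_exporter), the Go program below reproduces the client-side failure the description refers to. It mints two self-signed certificates for the same name: one that carries the host only in the Subject CN, as a bare `openssl req -x509` without `-extensions` produces, and one that also carries subjectAltName, keyUsage and extendedKeyUsage extensions. It then verifies each the way a Go 1.15+ TLS client does, trusting only that certificate and checking it against the server name. The server name `unbound` and the particular extension set are assumptions made for this example, not a description of what the script emits.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// serverName is the host name the client checks the certificate against.
// Assumption for this example: unbound-control-setup's default server name.
const serverName = "unbound"

// oidSubjectAltName is id-ce-subjectAltName (RFC 5280, section 4.2.1.6).
var oidSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17}

// selfSigned mints a self-signed certificate whose Subject CN is cn. With
// withExtensions=false the host name lives only in the CN. With
// withExtensions=true the certificate also carries the X.509v3 extensions a
// modern client looks at: subjectAltName (DNS:cn), keyUsage and
// extendedKeyUsage. The exact extension set is this example's own choice.
func selfSigned(cn string, withExtensions bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
	}
	if withExtensions {
		tmpl.DNSNames = []string{cn}
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// hasSAN reports whether the certificate carries a subjectAltName extension
// at all; that presence, not its content, is what Go's verifier keys on when
// deciding whether to even look at the CN.
func hasSAN(c *x509.Certificate) bool {
	for _, ext := range c.Extensions {
		if ext.Id.Equal(oidSubjectAltName) {
			return true
		}
	}
	return false
}

// verifyAsClient mirrors what a TLS client such as unbound_exporter does when
// it is pointed at unbound-control's self-signed server certificate: trust
// that certificate alone and require it to be valid for host.
func verifyAsClient(cert *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// reliesOnLegacyCN is true when err is Go's rejection of a certificate that
// names its host only in the CN: a HostnameError on a SAN-less certificate.
func reliesOnLegacyCN(err error) bool {
	var he x509.HostnameError
	return errors.As(err, &he) && !hasSAN(he.Certificate)
}

func main() {
	for _, withExt := range []bool{false, true} {
		cert, err := selfSigned(serverName, withExt)
		if err != nil {
			panic(err)
		}
		verr := verifyAsClient(cert, serverName)
		fmt.Printf("extensions=%-5v hasSAN=%-5v legacyCN=%-5v verify=%v\n",
			withExt, hasSAN(cert), reliesOnLegacyCN(verr), verr)
	}
}
```

On Go 1.15 and 1.16 the rejection could be silenced on the client with `GODEBUG=x509ignoreCN=0`; Go 1.17 removed that fallback, so emitting the extensions on the server side, as this PR does, is the durable fix.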

@gthess gthess merged commit 59d15ac into NLnetLabs:master Oct 19, 2020
gthess added a commit that referenced this pull request Oct 19, 2020
  unbound-control TLS certificates, by James Renken.

gthess commented Oct 19, 2020

Thanks! I also included -extfile and -extensions to attach the v3 extensions to the client certificate as well.

@gthess gthess self-assigned this Oct 19, 2020
jedisct1 added a commit to jedisct1/unbound that referenced this pull request Nov 1, 2020
* nlnet/master: (81 commits)
  - In man page note that tls-cert-bundle is read before permission drop and chroot.
  - Fix that minimal-responses does not remove addresses from a priming query response.
  - Fix NLnetLabs#333: Unbound Segmentation Fault w/ log_info Functions From Python Mod.
  - Fix NLnetLabs#320: potential memory corruption due to size miscomputation upon custom region alloc init.
  - Fix NLnetLabs#327: net/if.h check fails on some darwin versions; contribution by Joshua Root.
  Add verbosity to debug occasional missing, from timer.
  Changelog note for NLnetLabs#228 - Merge PR NLnetLabs#228 : infra-keep-probing option to probe hosts that are down. Add infra-keep-probing: yes option. Hosts that are down are probed more frequently. With the option turned on, it probes about every 120 seconds, eventually after exponential backoff, and that keeps that way. If traffic keeps up for the domain. It probes with one at a time, eg. one query is allowed to probe, other queries within that 120 second interval are turned away.
  - Changelog entry for PR NLnetLabs#324: Add modern X.509v3 extensions to unbound-control TLS certificates, by James Renken.
  - Fix for attaching the X509v3 extensions to the client certificate.
  - Clean the fix for out of order TCP processing limits on number of queries. It was tested to work.
  Fixup for clear of tcp handler structure.
  - Fix to set the tcp handler event toggle flag back to default when the handler structure is reused.
  Changelog entry for local-zone out of chunk regional allocation
  - Log ip address when http session recv fails, eg. due to tls fail.
  Unit test for doh downstream notls.
  - Fix dnstap test to wait for log timer to see if queries are logged.
  - Fix python documentation warning on functions.rst inplace_cb_reply.
  - Fix NLnetLabs#330: [Feature request] Add unencrypted DNS over HTTPS support. This adds the option http-notls-downstream: yesno to change that, and the dohclient test code has the -n option.
  - Fix memory leak of https port string when reading config.
  - Fix that http settings have colon in set_option, for http-endpoint, http-max-streams, http-query-buffer-size, http-response-buffer-size, and http-nodelay.

Successfully merging this pull request may close these issues.

unbound-control-setup creates TLS certificates without SANs
2 participants