Add modern X.509v3 extensions to unbound-control TLS certificates #324
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
gthess
added a commit
that referenced
this pull request
Oct 19, 2020
unbound-control TLS certificates, by James Renken.
|
Thanks! I also included |
jedisct1
added a commit
to jedisct1/unbound
that referenced
this pull request
Nov 1, 2020
* nlnet/master: (81 commits) - In man page note that tls-cert-bundle is read before permission drop and chroot. - Fix that minimal-responses does not remove addresses from a priming query response. - Fix NLnetLabs#333: Unbound Segmentation Fault w/ log_info Functions From Python Mod. - Fix NLnetLabs#320: potential memory corruption due to size miscomputation upton custom region alloc init. - Fix NLnetLabs#327: net/if.h check fails on some darwin versions; contribution by Joshua Root. Add verbosity to debug occasional missing q1-10.example.net, from timer. Changelog note for NLnetLabs#228 - Merge PR NLnetLabs#228 : infra-keep-probing option to probe hosts that are down. Add infra-keep-probing: yes option. Hosts that are down are probed more frequently. With the option turned on, it probes about every 120 seconds, eventually after exponential backoff, and that keeps that way. If traffic keeps up for the domain. It probes with one at a time, eg. one query is allowed to probe, other queries within that 120 second interval are turned away. - Changelog entry for PR NLnetLabs#324: Add modern X.509v3 extensions to unbound-control TLS certificates, by James Renken. - Fix for attaching the X509v3 extensions to the client certificate. - Clean the fix for out of order TCP processing limits on number of queries. It was tested to work. Fixup for clear of tcp handler structure. - Fix to set the tcp handler event toggle flag back to default when the handler structure is reused. Changelog entry for local-zone out of chunk regional allocation - Log ip address when http session recv fails, eg. due to tls fail. Unit test for doh downstream notls. - Fix dnstap test to wait for log timer to see if queries are logged. - Fix python documentation warning on functions.rst inplace_cb_reply. - Fix NLnetLabs#330: [Feature request] Add unencrypted DNS over HTTPS support. This adds the option http-notls-downstream: yesno to change that, and the dohclient test code has the -n option. - Fix memory leak of https port string when reading config. - Fix that http settings have colon in set_option, for http-endpoint, http-max-streams, http-query-buffer-size, http-response-buffer-size, and http-nodelay. ...
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Fixes #316
Add modern X.509v3 extensions to the TLS certificates generated by unbound-control-setup. This is required by certain modern TLS clients, including unbound_exporter for Prometheus when using Golang 1.15+.
Tested with OpenSSL 1.0.2k (CentOS 7) and 1.1.1c (CentOS 8).
Many thanks to @bastelfreak for identifying the problem and starting a patch.