-
Notifications
You must be signed in to change notification settings - Fork 3.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
unbound: silently skips TLS certificate validation #6717
Comments
It would be sort of detrimental to the TLS concept if the TLS certificates of the upstream resolver(s) are not being validated and thus leaving the connection open to MitM attacks/eavesdropping. Seems like OpenSSH is blocking OpenSSL 1.1.x openwrt/openwrt#965 |
This same situation existed when HTTPS was rolling out and it wasn't completely anchored everywhere. One argument was half-security was better than none, or the proverbial, locks help keep honest people honest. Pirates may MiM. ISP could be a higher risk for privacy leaks. An ISP could argue they just so happened to observe plain text communications, and they just so happened to share it with marketing partners. However encrypted communications have a presumption of privacy, and spoofing a domain and certificate pair is using a trademark without license... something like that. |
fixed in trunk |
Maintainer: @EricLuehrsen
Environment: x86_64 KVM virtual machine, OpenWrt 18.06.0
Versions:
unbound - 1.7.3-2
libopenssl - 1.0.2o-1
Description:
Unbound silently skips TLS certificate validation. It continues to resolve happily after configuring it like this:
In this upstream bug report can be seen that OpenSSL 1.1.x is needed for this feature to work.
https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=658#c15
If upgrading to OpenSSL 1.1.x is not yet possible, please, at least include the patch mentioned in that bug to warn the user that the name verification functionality is not available.
The text was updated successfully, but these errors were encountered: