
resolved: validate IP address in certificate for DNS-over-TLS (GnuTLS) #13870

Merged
merged 2 commits into from Oct 30, 2019

Conversation

irtimmer (Contributor)

Today I read a blog post from CloudFlare in which they made some statements about the current support of DNS-over-TLS for different systems, including systemd-resolved. This made me aware of a mistake I made in my pull request #12815, as some code was lost when I did some cleanups and rebases before submitting the pull request.

Currently every certificate which is signed by a CA is accepted in strict mode when GnuTLS is used. This pull request fixes this by validating the IP address, as was intended with the previous pull request, as stated in the documentation and done when using OpenSSL.

Note: I increased the required version of GnuTLS, because GNUTLS_DT_IP_ADDRESS was added in version 3.6.0.

Increase the required version to ensure TLS 1.3 is always supported when using GnuTLS for DNS-over-TLS and allow further changes to use recent API additions.
Validate the IP address in the certificate for DNS-over-TLS in strict mode when GnuTLS is used, as this is not yet the case, in contrast to the documentation.
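As an added illustration (this is not systemd's code and not the GnuTLS implementation), the following self-contained C model shows what the check described above changes. In systemd the real check is performed by GnuTLS itself once the server IP is passed as GNUTLS_DT_IP_ADDRESS typed data to gnutls_certificate_verify_peers(); here the certificate structure, the function names and the sample addresses (RFC 5737 / RFC 3849 documentation ranges) are constructed for the example. It contrasts the pre-fix rule (a trusted chain is enough) with the post-fix rule (trusted chain plus an iPAddress subjectAltName entry equal to the resolver's configured address), including the edge case that an IPv4-mapped IPv6 address must not match an IPv4 SAN entry.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One iPAddress entry of a certificate's subjectAltName: raw bytes,
 * 4 for IPv4 or 16 for IPv6 (never a text form, never a port). */
struct san_ip {
        uint8_t addr[16];
        size_t len;
};

/* Hypothetical stand-in for an already parsed peer certificate:
 * the outcome of chain validation plus its iPAddress SAN entries. */
struct peer_cert {
        bool chain_valid;        /* signed by a CA we trust */
        struct san_ip san[4];
        size_t n_san;
};

/* True if `addr` (4 or 16 raw bytes) equals one of the certificate's
 * iPAddress SAN entries. Only same-family, byte-exact matches count,
 * so an IPv4-mapped IPv6 address (::ffff:a.b.c.d) does not match an
 * IPv4 entry and a cert for another host is rejected. */
bool san_ip_matches(const struct peer_cert *cert, const uint8_t *addr, size_t addr_len) {
        if (addr_len != 4 && addr_len != 16)
                return false;
        for (size_t i = 0; i < cert->n_san; i++)
                if (cert->san[i].len == addr_len &&
                    memcmp(cert->san[i].addr, addr, addr_len) == 0)
                        return true;
        return false;
}

/* Before the fix: strict mode only required a trusted chain, so any
 * CA-issued certificate, for any host, was accepted. */
bool accept_before_fix(const struct peer_cert *cert, const uint8_t *addr, size_t addr_len) {
        (void) addr;
        (void) addr_len;
        return cert->chain_valid;
}

/* After the fix: trusted chain AND the configured server IP must be
 * present as an iPAddress SAN entry. */
bool accept_after_fix(const struct peer_cert *cert, const uint8_t *addr, size_t addr_len) {
        return cert->chain_valid && san_ip_matches(cert, addr, addr_len);
}

/* Constructed sample: a CA-signed certificate issued for 192.0.2.1 and
 * 2001:db8::1. The resolver is configured to talk to 192.0.2.1, and the
 * same certificate is also presented by a server at 198.51.100.7. */
const struct peer_cert sample_cert = {
        .chain_valid = true,
        .san = {
                { .addr = {192, 0, 2, 1}, .len = 4 },
                { .addr = {0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1}, .len = 16 },
        },
        .n_san = 2,
};
const uint8_t configured_v4[4]  = {192, 0, 2, 1};
const uint8_t other_v4[4]       = {198, 51, 100, 7};
const uint8_t configured_v6[16] = {0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1};
/* ::ffff:192.0.2.1, the IPv4-mapped form; must NOT satisfy the IPv4 SAN entry. */
const uint8_t mapped_v4[16]     = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff, 192, 0, 2, 1};

int main(void) {
        printf("before fix, cert presented from 198.51.100.7: %s\n",
               accept_before_fix(&sample_cert, other_v4, 4) ? "accepted" : "rejected");
        printf("after fix,  cert presented from 198.51.100.7: %s\n",
               accept_after_fix(&sample_cert, other_v4, 4) ? "accepted" : "rejected");
        printf("after fix,  cert presented from 192.0.2.1:    %s\n",
               accept_after_fix(&sample_cert, configured_v4, 4) ? "accepted" : "rejected");
        printf("after fix,  ::ffff:192.0.2.1 vs IPv4 SAN:     %s\n",
               accept_after_fix(&sample_cert, mapped_v4, 16) ? "accepted" : "rejected");
        return 0;
}
```

The byte-exact comparison is the design point: the SAN carries the address in its binary form, so the check is a family-aware memcmp against the address the resolver was configured with, not a string comparison, and a chain that validates against the system trust store is necessary but not sufficient.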
@yuwata yuwata added the resolve label Oct 30, 2019
@keszybz keszybz merged commit b7a4129 into systemd:master Oct 30, 2019