DNS over TLS not working

W.C.A. Wijngaards wouter at nlnetlabs.nl
Wed May 9 05:51:40 UTC 2018


Hi,

No idea what is going on anymore, here are two new sets of binaries.

These are made with openssl 1.0.2j.  The code in unbound that does
tls-upstream:yes is basically almost the same as previous releases, and
with the same version of openssl, shouldn't that work like it did in the
previous release?

Note that the 1.0.2 openssl does not have the set verify name function
that is used to verify the tls authentication name, so it won't check that.

open.nlnetlabs.nl/~wouter/unbound-1.7.1_20180509.zip
open.nlnetlabs.nl/~wouter/unbound-1.7.2_20180509.zip

pgp sigs in .asc files.

The 1.7.1 zipfile is the 1.7.1 release with the different openssl library.

The 1.7.2 has a different windows event handling for SSL upstream, that
should result in fewer cycles used to handle the SSL connection.  It
should, however, not otherwise change the SSL connection calls to OpenSSL.

Best regards, Wouter

On 08/05/18 18:25, Yuri via Unbound-users wrote:
> Still not, Raymond.
> 
> Digging.
> 
> 08.05.2018 21:45, Raymond Bannan via Unbound-users wrote:
>> I downloaded the updated binary and tried on my system as well -
>> unbound is still attempting to resolve without first negotiating TLS.
>>
>> It correctly reaches out to 1.1.1.1:853, but it doesn't negotiate a
>> TLS connection.  Is there anything I could do to help fix this?
>>
>> -Ray
>>
>> On 5/7/2018 8:25 AM, W.C.A. Wijngaards via Unbound-users wrote:
>>> Hi Yuri,
>>>
>>> On 07/05/18 16:16, Yuri via Unbound-users wrote:
>>>> Just checked. Unfortunately, patch does not fix issue.
>>>>
>>>> Same symptom. Timeout, then no resolve.
>>> From your previous logs, what unbound does is connect, then write.  Then
>>> it gets nothing to read.  Until the timeout happens.  The connection
>>> closes, there was no data received.
>>>
>>> Is there a firewall of some sort preventing data from leaving or
>>> entering the system?
>>>
>>> Best regards, Wouter
>>>
>>>> http://open.nlnetlabs.nl/~wouter/unbound-1.7.2_20180507.zip (16Mb)
>>>> http://open.nlnetlabs.nl/~wouter/unbound-1.7.2_20180507.zip.asc (pgp
>>>> sig)
>>>>
>>>> -- 
>>>> "C++ seems like a language suitable for firing other people's legs."
>>>>
>>>> *****************************
>>>> * C++20 : Bug to the future *
>>>> *****************************
>>>>
>>>
>>
> 
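
The symptom reported in the thread (a connection to 1.1.1.1:853 that never negotiates TLS) can be confirmed from a packet capture by inspecting the first bytes the client sends on the connection. The following is an added example, not part of the thread or of unbound's code; the function names, flow labels and sample payloads are constructed for illustration.

```python
import struct

def classify_first_payload(data: bytes) -> str:
    """Classify the first client-to-server TCP payload captured on port 853."""
    if len(data) < 6:
        return "too-short"
    # TLS record header: content type (1), version (2), length (2);
    # the next byte is the handshake message type.
    rec_type, major, minor, rec_len = struct.unpack("!BBBH", data[:5])
    if (rec_type == 0x16 and major == 3 and minor <= 4      # 0x16 = handshake
            and 0 < rec_len <= 16384 and data[5] == 0x01):  # 0x01 = ClientHello
        return "tls-client-hello"
    # DNS over TCP: 2-byte length prefix, then the 12-byte DNS header.
    if len(data) >= 14:
        msg_len = struct.unpack("!H", data[:2])[0]
        _id, flags, qd, an, ns, _ar = struct.unpack("!6H", data[2:14])
        is_query = (flags & 0x8000) == 0   # QR bit clear
        opcode = (flags >> 11) & 0xF       # 0 = standard query
        if (msg_len >= 17 and is_query and opcode == 0
                and qd == 1 and an == 0 and ns == 0):
            return "cleartext-dns"
    return "unknown"

def flag_non_tls(flows: dict) -> list:
    """Return the flow labels whose first payload is not a TLS ClientHello."""
    return sorted(label for label, payload in flows.items()
                  if classify_first_payload(payload) != "tls-client-hello")

# Constructed sample payloads (not taken from the captures in this thread).
SAMPLE_TLS = bytes.fromhex("160301002f0100002b0303") + bytes(41)
_query = (struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0)
          + b"\x07example\x03com\x00" + struct.pack("!2H", 1, 1))
SAMPLE_DNS = struct.pack("!H", len(_query)) + _query

if __name__ == "__main__":
    flows = {"host-a:50001->1.1.1.1:853": SAMPLE_TLS,
             "host-b:50002->1.1.1.1:853": SAMPLE_DNS}
    for label, payload in flows.items():
        print(label, classify_first_payload(payload))
    print("flagged:", flag_non_tls(flows))
```

A flow classified as `cleartext-dns` on port 853 means query names are leaving the host unencrypted, which is worth alerting on regardless of which resolver build produced it.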

