Bug#1038243: unbound: error log flooding when unbound is configured with a DNS over TLS upstream server
Speaking of stable p-u, it'd be interesting to fix the two new bugs in there too, which I haven't noticed before your friendly ping (apparently something's wrong with my subscription to bugs) -- #1051817 and #1051818. Should be easy to fix, lemme take a look.. /mjt
Bug#1038243: unbound: error log flooding when unbound is configured with a DNS over TLS upstream server
16.09.2023 22:34, Timo Sigurdsson wrote:

Dear maintainers, could you please also backport the fix for this issue to the current stable distribution via the proposed-updates channel? The next point release for bookworm is scheduled for October 7. I really hope the fix for this annoying issue makes it into the next point release.

Yeah, it is scheduled for the next debian stable point release already, I picked it up at the same time I did 1.18.0 packaging for debian. I have to file a stable-proposed-updates report for it though, which I forgot to do. Doing it now.

Thanks!

/mjt
Bug#1038243: unbound: error log flooding when unbound is configured with a DNS over TLS upstream server
Dear maintainers, could you please also backport the fix for this issue to the current stable distribution via the proposed-updates channel? The next point release for bookworm is scheduled for October 7. I really hope the fix for this annoying issue makes it into the next point release. Thank you and kind regards, Timo
Bug#1038243: unbound: error log flooding when unbound is configured with a DNS over TLS upstream server
tags 1038243 confirmed patch fixed-upstream
thanks

I can confirm this bug. I also stumbled over this after upgrading a machine from Bullseye to Bookworm. I can also confirm that the upstream fix (commit d7e77611) [1] on top of the unbound package currently found in Debian Bookworm, 1.17.1-2, fixes the issue for me.

I'm attaching the patch that I applied on the source package. It's the upstream patch except for the (upstream) documentation update (as that doesn't apply nicely on the version found in Bookworm and has no functional impact).

If anyone wants to try my local binary build (at your own risk - no warranty whatsoever!), you can find the packages here [2]. The link expires Nov 15, 2023.

Dear Maintainer, it would be nice if you could apply the upstream fix and release new unbound packages via proposed-updates.

Thanks and regards,
Timo

[1] https://github.com/NLnetLabs/unbound/commit/d7e776114114c16816570e48ab3a27eedc401a0e
[2] https://cloud.timo-sigurdsson.com/index.php/s/fRp5A99aHJK3Le6

From d7e776114114c16816570e48ab3a27eedc401a0e Mon Sep 17 00:00:00 2001
From: George Thessalonikefs
Date: Fri, 17 Mar 2023 14:39:37 +0100
Subject: [PATCH] - Fix #812, fix #846, by using the SSL_OP_IGNORE_UNEXPECTED_EOF option to ignore the unexpected eof while reading in openssl >= 3.

---
 util/net_help.c | 21 +
 1 file changed, 21 insertions(+)

diff --git a/util/net_help.c b/util/net_help.c
index 54fad6986..de2d771bd 100644
--- a/util/net_help.c
+++ b/util/net_help.c
@@ -1005,6 +1005,16 @@ listen_sslctx_setup(void* ctxt) log_crypto_err("could not set cipher list with SSL_CTX_set_cipher_list"); } #endif +#if defined(SSL_OP_IGNORE_UNEXPECTED_EOF) + /* ignore errors when peers do not send the mandatory close_notify + * alert on shutdown. + * Relevant for openssl >= 3 */ + if((SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF) & + SSL_OP_IGNORE_UNEXPECTED_EOF) != SSL_OP_IGNORE_UNEXPECTED_EOF) { + log_crypto_err("could not set SSL_OP_IGNORE_UNEXPECTED_EOF"); + return 0; + } +#endif if((SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE) & SSL_OP_CIPHER_SERVER_PREFERENCE) != @@ -1233,6 +1243,17 @@ void* connect_sslctx_create(char* key, char* pem, char* verifypem, int wincert) SSL_CTX_free(ctx); return 0; } +#endif +#if defined(SSL_OP_IGNORE_UNEXPECTED_EOF) + /* ignore errors when peers do not send the mandatory close_notify + * alert on shutdown. + * Relevant for openssl >= 3 */ + if((SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF) & + SSL_OP_IGNORE_UNEXPECTED_EOF) != SSL_OP_IGNORE_UNEXPECTED_EOF) { + log_crypto_err("could not set SSL_OP_IGNORE_UNEXPECTED_EOF"); + SSL_CTX_free(ctx); + return 0; + } #endif if(key && key[0]) { if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) {
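Review bot: in the listen_sslctx_setup hunk the new failure path does `log_crypto_err(...); return 0;` without releasing ctx, while the matching block added to connect_sslctx_create calls SSL_CTX_free(ctx) before returning. That is consistent with ctx being caller-owned in listen_sslctx_setup (the caller would free on a 0 return), but the hunk does not show that, so a one-line comment stating who owns ctx on failure would help the next reader; the `(SSL_CTX_set_options(ctx, opt) & opt) != opt` check itself matches the SSL_OP_CIPHER_SERVER_PREFERENCE idiom directly below it, which is good.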
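Review bot: the connect_sslctx_create hunk splices the new block in by adding a `+#endif` to close the preceding conditional and then reusing the original `#endif` to close the new `#if defined(SSL_OP_IGNORE_UNEXPECTED_EOF)`; that compiles, but it makes the diff hard to read, and inserting the whole guarded block after the existing `#endif` would give a cleaner patch. The comment "ignore errors when peers do not send the mandatory close_notify alert on shutdown" should also say what now detects a truncated response on this DNS-over-TLS connection, since with this option the TLS layer no longer reports a stream that ended without close_notify.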
Bug#1038243: unbound: error log flooding when unbound is configured with a DNS over TLS upstream server
Package: unbound
Version: 1.17.1-2
Severity: important

Hello,

I upgraded from bullseye to bookworm and after the upgrade unbound in version 1.17.1-2 is flooding the journal with the error message "error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading". Unbound is configured with DNS over TLS forward addresses (forward-ssl-upstream: yes).

journal entries:

journalctl -b -u unbound.service
Jun 15 22:39:13 klettur-01 systemd[1]: Starting unbound.service - Unbound DNS server...
Jun 15 22:39:15 klettur-01 unbound[1501]: [1501:0] notice: init module 0: subnetcache
Jun 15 22:39:15 klettur-01 unbound[1501]: [1501:0] warning: subnetcache: serve-expired is set but not working for data originating from the subnet module cache.
Jun 15 22:39:15 klettur-01 unbound[1501]: [1501:0] warning: subnetcache: prefetch is set but not working for data originating from the subnet module cache.
Jun 15 22:39:15 klettur-01 unbound[1501]: [1501:0] notice: init module 1: validator
Jun 15 22:39:15 klettur-01 unbound[1501]: [1501:0] notice: init module 2: iterator
Jun 15 22:39:15 klettur-01 unbound[1501]: [1501:0] info: start of service (unbound 1.17.1).
Jun 15 22:39:15 klettur-01 systemd[1]: Started unbound.service - Unbound DNS server.
Jun 15 22:39:26 klettur-01 unbound[1501]: [1501:0] info: generate keytag query _ta-4f66. NULL IN
Jun 15 22:39:36 klettur-01 unbound[1501]: [1501:0] error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading
Jun 15 22:39:36 klettur-01 unbound[1501]: [1501:0] error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading
Jun 15 22:39:36 klettur-01 unbound[1501]: [1501:1] error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading
Jun 15 22:39:36 klettur-01 unbound[1501]: [1501:1] error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading
Jun 15 22:39:41 klettur-01 unbound[1501]: [1501:1] error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading
Jun 15 22:39:52 klettur-01 unbound[1501]: [1501:0] error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading
Jun 15 22:39:52 klettur-01 unbound[1501]: [1501:1] error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading
Jun 15 22:39:52 klettur-01 unbound[1501]: [1501:0] error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading
Jun 15 22:39:52 klettur-01 unbound[1501]: [1501:1] error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading
Jun 15 22:40:18 klettur-01 unbound[1501]: [1501:0] error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading
Jun 15 22:40:18 klettur-01 unbound[1501]: [1501:1] error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading
Jun 15 22:40:32 klettur-01 unbound[1501]: [1501:1] error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading
Jun 15 22:40:32 klettur-01 unbound[1501]: [1501:0] error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading
Jun 15 22:40:32 klettur-01 unbound[1501]: [1501:1] error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading
Jun 15 22:40:56 klettur-01 unbound[1501]: [1501:1] error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading
Jun 15 22:40:56 klettur-01 unbound[1501]: [1501:1] error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading
Jun 15 22:40:56 klettur-01 unbound[1501]: [1501:0] error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading
Jun 15 22:41:12 klettur-01 unbound[1501]: [1501:0] error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading
Jun 15 22:41:12 klettur-01 unbound[1501]: [1501:0] error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading
Jun 15 22:41:12 klettur-01 unbound[1501]: [1501:1] error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading

The error log entries are related to OpenSSL 3.

Related upstream issue: https://github.com/NLnetLabs/unbound/issues/812

This bug is fixed in upstream commit: https://github.com/NLnetLabs/unbound/commit/d7e776114114c16816570e48ab3a27eedc401a0e

Can you please backport the patch to the bookworm package?

Regards,
Wolfgang
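Added here as an example, not part of the bug report or of the unbound package: a small triage script that parses journalctl lines in the format quoted in the report and counts the OpenSSL 3 "unexpected eof while reading" errors per unbound worker thread and minute, which is a quick way to confirm the flood on an affected 1.17.1-2 host and its absence after the fixed package is installed. The sample lines are constructed in the shape of the report's excerpt, and the threshold of three errors per thread and minute is an assumed value.

```python
import re
from collections import Counter

# journalctl -u unbound.service line shape quoted in the bug report:
# "Jun 15 22:39:36 klettur-01 unbound[1501]: [1501:0] error: could not SSL_read ..."
LINE_RE = re.compile(
    r"^(?P<minute>\w{3} +\d{1,2} \d{2}:\d{2}):\d{2} \S+ unbound\[\d+\]: "
    r"\[(?P<pid>\d+):(?P<thread>\d+)\] (?P<level>\w+): (?P<msg>.*)$"
)
# 0A000126 is the OpenSSL 3 reason code shown in the report for this error.
EOF_RE = re.compile(r"could not SSL_read crypto error:0A000126:.*unexpected eof while reading")


def parse_line(line):
    """Split one journal line into its fields, or return None for non-unbound lines."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def eof_errors_per_thread_minute(lines):
    """Count unexpected-eof SSL_read errors, keyed by (worker thread, minute)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["level"] == "error" and EOF_RE.search(rec["msg"]):
            counts[(rec["thread"], rec["minute"])] += 1
    return counts


def is_flooding(lines, threshold=3):
    """True if any worker thread logged at least `threshold` such errors in one minute
    (the threshold is an assumed value, not anything unbound defines)."""
    return any(n >= threshold for n in eof_errors_per_thread_minute(lines).values())


# Constructed sample in the shape of the report's journal excerpt.
SAMPLE = """\
Jun 15 22:39:15 klettur-01 unbound[1501]: [1501:0] info: start of service (unbound 1.17.1).
Jun 15 22:39:36 klettur-01 unbound[1501]: [1501:0] error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading
Jun 15 22:39:36 klettur-01 unbound[1501]: [1501:0] error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading
Jun 15 22:39:36 klettur-01 unbound[1501]: [1501:1] error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading
Jun 15 22:39:41 klettur-01 unbound[1501]: [1501:1] error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading
Jun 15 22:39:52 klettur-01 unbound[1501]: [1501:0] error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading
""".splitlines()

if __name__ == "__main__":
    for (thread, minute), n in sorted(eof_errors_per_thread_minute(SAMPLE).items()):
        print(f"thread {thread} at {minute}: {n} unexpected-eof errors")
    print("flooding" if is_flooding(SAMPLE) else "quiet")
```

Feed it the real output of `journalctl -b -u unbound.service` instead of SAMPLE to check a host; an unaffected or fixed host should yield no counts at all.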