Bug#1038243: unbound: error log flooding when unbound is configured with a DNS over TLS upstream server

2023-09-16 Thread Michael Tokarev

Speaking of stable p-u, it'd be interesting to fix the two new bugs
in there too, which I haven't noticed before your friendly ping
(apparently something's wrong with my subscription to bugs) --
#1051817 and #1051818. Should be easy to fix, lemme take a look..

/mjt



Bug#1038243: unbound: error log flooding when unbound is configured with a DNS over TLS upstream server

2023-09-16 Thread Michael Tokarev

16.09.2023 22:34, Timo Sigurdsson wrote:

Dear maintainers,

could you please also backport the fix for this issue to the current stable 
distribution via the proposed-updates channel? The next point release for 
bookworm is scheduled for October 7. I really hope the fix for this annoying 
issue makes it into the next point release.


Yeah, it is scheduled for the next debian stable point release already,
I picked it up at the same time I did 1.18.0 packaging for debian.

I have to file a stable-proposed-updates report for it though, which
I forgot to do.  Doing it now.

Thanks!

/mjt



Bug#1038243: unbound: error log flooding when unbound is configured with a DNS over TLS upstream server

2023-09-16 Thread Timo Sigurdsson
Dear maintainers,

could you please also backport the fix for this issue to the current stable 
distribution via the proposed-updates channel? The next point release for 
bookworm is scheduled for October 7. I really hope the fix for this annoying 
issue makes it into the next point release.

Thank you and kind regards,

Timo



Bug#1038243: unbound: error log flooding when unbound is configured with a DNS over TLS upstream server

2023-07-18 Thread Timo Sigurdsson
tags 1038243 confirmed patch fixed-upstream
thanks

I can confirm this bug. I also stumbled over this after upgrading a machine 
from Bullseye to Bookworm. I can also confirm that the upstream fix (commit 
d7e77611) [1] on top of the unbound package currently found in Debian Bookworm, 
1.17.1-2, fixes the issue for me. I'm attaching the patch that I applied on the 
source package. It's the upstream patch except for the (upstream) documentation 
update (as that doesn't apply nicely on the version found in Bookworm and has 
no functional impact). If anyone wants to try my local binary build (at your 
own risk - no warranty whatsoever!), you can find the packages here [2]. The 
link expires Nov 15, 2023.

Dear Maintainer, it would be nice if you could apply the upstream fix and 
release a new unbound package via proposed-updates.

Thanks and regards,

Timo

[1] 
https://github.com/NLnetLabs/unbound/commit/d7e776114114c16816570e48ab3a27eedc401a0e
[2] https://cloud.timo-sigurdsson.com/index.php/s/fRp5A99aHJK3Le6

From d7e776114114c16816570e48ab3a27eedc401a0e Mon Sep 17 00:00:00 2001
From: George Thessalonikefs 
Date: Fri, 17 Mar 2023 14:39:37 +0100
Subject: [PATCH] - Fix #812, fix #846, by using the
 SSL_OP_IGNORE_UNEXPECTED_EOF option   to ignore the unexpected eof while
 reading in openssl >= 3.

---
 util/net_help.c | 21 +
 1 file changed, 21 insertions(+)

diff --git a/util/net_help.c b/util/net_help.c
index 54fad6986..de2d771bd 100644
--- a/util/net_help.c
+++ b/util/net_help.c
@@ -1005,6 +1005,16 @@ listen_sslctx_setup(void* ctxt)
 			log_crypto_err("could not set cipher list with SSL_CTX_set_cipher_list");
 	}
 #endif
+#if defined(SSL_OP_IGNORE_UNEXPECTED_EOF)
+	/* ignore errors when peers do not send the mandatory close_notify
+	 * alert on shutdown.
+	 * Relevant for openssl >= 3 */
+	if((SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF) &
+		SSL_OP_IGNORE_UNEXPECTED_EOF) != SSL_OP_IGNORE_UNEXPECTED_EOF) {
+		log_crypto_err("could not set SSL_OP_IGNORE_UNEXPECTED_EOF");
+		return 0;
+	}
+#endif
 
 	if((SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE) &
 		SSL_OP_CIPHER_SERVER_PREFERENCE) !=
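Review bot: the comment in this block says the errors are ignored but not why that is acceptable, and the option changes semantics, not just logging: with SSL_OP_IGNORE_UNEXPECTED_EOF set, a connection that ends with a bare TCP FIN is reported to the caller like an orderly close_notify shutdown, so anyone able to reset the connection can end the stream without SSL_read failing. I'd extend the comment to record the trade-off (DNS over TLS messages are length-prefixed, so a cut in the middle of a message is still caught by the DNS framing; only the absence of further messages becomes indistinguishable from a clean close) so the option is not later removed or copied without that reasoning. The return-value check mirrors the SSL_OP_CIPHER_SERVER_PREFERENCE check just below it, which is the right pattern for SSL_CTX_set_options.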
@@ -1233,6 +1243,17 @@ void* connect_sslctx_create(char* key, char* pem, char* verifypem, int wincert)
 		SSL_CTX_free(ctx);
 		return 0;
 	}
+#endif
+#if defined(SSL_OP_IGNORE_UNEXPECTED_EOF)
+	/* ignore errors when peers do not send the mandatory close_notify
+	 * alert on shutdown.
+	 * Relevant for openssl >= 3 */
+	if((SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF) &
+		SSL_OP_IGNORE_UNEXPECTED_EOF) != SSL_OP_IGNORE_UNEXPECTED_EOF) {
+		log_crypto_err("could not set SSL_OP_IGNORE_UNEXPECTED_EOF");
+		SSL_CTX_free(ctx);
+		return 0;
+	}
 #endif
 	if(key && key[0]) {
 		if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) {
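Review bot: this block is a verbatim copy of the one added to listen_sslctx_setup() above, differing only in the SSL_CTX_free(ctx) before return 0, which is correct here because connect_sslctx_create() owns the context it allocated; consider moving the #if defined(SSL_OP_IGNORE_UNEXPECTED_EOF) check into a small static helper that both callers invoke, so the two copies and their comments cannot drift apart. The hunk also inserts a new #endif to close the preceding block and leaves the old #endif as the close of this one; that pairs correctly as shown, but it is worth a glance at the surrounding #if lines when applying the patch to a different version.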


Bug#1038243: unbound: error log flooding when unbound is configured with a DNS over TLS upstream server

2023-06-16 Thread Wolfgang
Package: unbound
Version: 1.17.1-2
Severity: important
Hello,
I upgraded from bullseye to bookworm and after the upgrade unbound in version 
1.17.1-2 is flooding the journal with the error message "error: could not 
SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading". 
Unbound is configured with DNS over TLS forward addresses 
(forward-ssl-upstream: yes).
journal entries:
journalctl -b -u unbound.service
Jun 15 22:39:13 klettur-01 systemd[1]: Starting unbound.service - Unbound DNS 
server...
Jun 15 22:39:15 klettur-01 unbound[1501]: [1501:0] notice: init module 0: 
subnetcache
Jun 15 22:39:15 klettur-01 unbound[1501]: [1501:0] warning: subnetcache: 
serve-expired is set but not working for data originating from the subnet 
module cache.
Jun 15 22:39:15 klettur-01 unbound[1501]: [1501:0] warning: subnetcache: 
prefetch is set but not working for data originating from the subnet module 
cache.
Jun 15 22:39:15 klettur-01 unbound[1501]: [1501:0] notice: init module 1: 
validator
Jun 15 22:39:15 klettur-01 unbound[1501]: [1501:0] notice: init module 2: 
iterator
Jun 15 22:39:15 klettur-01 unbound[1501]: [1501:0] info: start of service 
(unbound 1.17.1).
Jun 15 22:39:15 klettur-01 systemd[1]: Started unbound.service - Unbound DNS 
server.
Jun 15 22:39:26 klettur-01 unbound[1501]: [1501:0] info: generate keytag query 
_ta-4f66. NULL IN
Jun 15 22:39:36 klettur-01 unbound[1501]: [1501:0] error: could not SSL_read 
crypto error:0A000126:SSL routines::unexpected eof while reading
Jun 15 22:39:36 klettur-01 unbound[1501]: [1501:0] error: could not SSL_read 
crypto error:0A000126:SSL routines::unexpected eof while reading
Jun 15 22:39:36 klettur-01 unbound[1501]: [1501:1] error: could not SSL_read 
crypto error:0A000126:SSL routines::unexpected eof while reading
Jun 15 22:39:36 klettur-01 unbound[1501]: [1501:1] error: could not SSL_read 
crypto error:0A000126:SSL routines::unexpected eof while reading
Jun 15 22:39:41 klettur-01 unbound[1501]: [1501:1] error: could not SSL_read 
crypto error:0A000126:SSL routines::unexpected eof while reading
Jun 15 22:39:52 klettur-01 unbound[1501]: [1501:0] error: could not SSL_read 
crypto error:0A000126:SSL routines::unexpected eof while reading
Jun 15 22:39:52 klettur-01 unbound[1501]: [1501:1] error: could not SSL_read 
crypto error:0A000126:SSL routines::unexpected eof while reading
Jun 15 22:39:52 klettur-01 unbound[1501]: [1501:0] error: could not SSL_read 
crypto error:0A000126:SSL routines::unexpected eof while reading
Jun 15 22:39:52 klettur-01 unbound[1501]: [1501:1] error: could not SSL_read 
crypto error:0A000126:SSL routines::unexpected eof while reading
Jun 15 22:40:18 klettur-01 unbound[1501]: [1501:0] error: could not SSL_read 
crypto error:0A000126:SSL routines::unexpected eof while reading
Jun 15 22:40:18 klettur-01 unbound[1501]: [1501:1] error: could not SSL_read 
crypto error:0A000126:SSL routines::unexpected eof while reading
Jun 15 22:40:32 klettur-01 unbound[1501]: [1501:1] error: could not SSL_read 
crypto error:0A000126:SSL routines::unexpected eof while reading
Jun 15 22:40:32 klettur-01 unbound[1501]: [1501:0] error: could not SSL_read 
crypto error:0A000126:SSL routines::unexpected eof while reading
Jun 15 22:40:32 klettur-01 unbound[1501]: [1501:1] error: could not SSL_read 
crypto error:0A000126:SSL routines::unexpected eof while reading
Jun 15 22:40:56 klettur-01 unbound[1501]: [1501:1] error: could not SSL_read 
crypto error:0A000126:SSL routines::unexpected eof while reading
Jun 15 22:40:56 klettur-01 unbound[1501]: [1501:1] error: could not SSL_read 
crypto error:0A000126:SSL routines::unexpected eof while reading
Jun 15 22:40:56 klettur-01 unbound[1501]: [1501:0] error: could not SSL_read 
crypto error:0A000126:SSL routines::unexpected eof while reading
Jun 15 22:41:12 klettur-01 unbound[1501]: [1501:0] error: could not SSL_read 
crypto error:0A000126:SSL routines::unexpected eof while reading
Jun 15 22:41:12 klettur-01 unbound[1501]: [1501:0] error: could not SSL_read 
crypto error:0A000126:SSL routines::unexpected eof while reading
Jun 15 22:41:12 klettur-01 unbound[1501]: [1501:1] error: could not SSL_read 
crypto error:0A000126:SSL routines::unexpected eof while reading

The error log entries are related to OpenSSL 3.
Related upstream Issue:
https://github.com/NLnetLabs/unbound/issues/812
This bug is fixed in upstream commit:
https://github.com/NLnetLabs/unbound/commit/d7e776114114c16816570e48ab3a27eedc401a0e
Can you please backport the patch to the bookworm package?
Regards,
Wolfgang
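As an added, defender-side example that is neither part of this bug report nor of unbound: a Python script that decodes the packed OpenSSL 3 error code from journal lines like the ones above and flags the minutes in which the unexpected-EOF SSL_read error repeats, so the flooding can be confirmed before and after the backported fix is installed. The library/reason packing and the two constants are taken from OpenSSL 3's err.h and sslerr.h; the sample journal entries are constructed from the report's output (unwrapped), with one different error code added as a counter-example.

```python
import re
from collections import Counter

# OpenSSL 3 packs an error code as (lib << ERR_LIB_OFFSET) | reason (err.h);
# ERR_LIB_SSL is 20 and SSL_R_UNEXPECTED_EOF_WHILE_READING is 294 (sslerr.h),
# which together give the 0A000126 seen in the journal above.
ERR_LIB_OFFSET = 23
ERR_REASON_MASK = 0x7FFFFF
ERR_LIB_SSL = 20
SSL_R_UNEXPECTED_EOF_WHILE_READING = 294

# journald short format as pasted in the report, one entry per line
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d):\d\d \S+ unbound\[\d+\]: "
    r"\[(?P<pid>\d+):(?P<thread>\d+)\] error: could not SSL_read "
    r"crypto error:(?P<code>[0-9A-Fa-f]{8}):")

def unpack_err(code):
    """Split a packed OpenSSL 3 error code into (library, reason)."""
    return code >> ERR_LIB_OFFSET, code & ERR_REASON_MASK

def is_unexpected_eof(code):
    """True only for the missing-close_notify case this bug is about."""
    return unpack_err(code) == (ERR_LIB_SSL, SSL_R_UNEXPECTED_EOF_WHILE_READING)

def scan_journal(lines, threshold=3):
    """Count unexpected-EOF SSL_read errors per minute and return the counts
    plus the minutes at or above threshold (the flooding the report describes)."""
    per_minute = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if m and is_unexpected_eof(int(m.group("code"), 16)):
            per_minute[m.group("ts")] += 1
    flooded = sorted(k for k, v in per_minute.items() if v >= threshold)
    return per_minute, flooded

# Constructed sample: entries from the report, unwrapped, plus one non-error
# line and one different (constructed) SSL error code that must not be counted.
SAMPLE = """\
Jun 15 22:39:15 klettur-01 unbound[1501]: [1501:0] info: start of service (unbound 1.17.1).
Jun 15 22:39:36 klettur-01 unbound[1501]: [1501:0] error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading
Jun 15 22:39:36 klettur-01 unbound[1501]: [1501:1] error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading
Jun 15 22:39:41 klettur-01 unbound[1501]: [1501:1] error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading
Jun 15 22:40:18 klettur-01 unbound[1501]: [1501:0] error: could not SSL_read crypto error:0A000126:SSL routines::unexpected eof while reading
Jun 15 22:40:32 klettur-01 unbound[1501]: [1501:1] error: could not SSL_read crypto error:0A000086:SSL routines::certificate verify failed
""".splitlines()

if __name__ == "__main__":
    counts, flooded = scan_journal(SAMPLE)
    print(f"per-minute counts: {dict(counts)}; flooding minutes: {flooded}")
```

Feed it `journalctl -u unbound.service --no-pager` output instead of SAMPLE to check a real host; a flooded minute that persists after the fixed package is installed points at a different cause than this bug.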