Ralph Dolmans via Unbound-users:
Are you using OpenSSL 1.1? Apparently it introduced security levels and by default doesn't allow aNULL ciphers. I just committed a version to our repository that sets the security level to 0 for the remote control SSL context when control-use-cert is no.
Confirmed. For reference I attach my minimalistic, not portable patch... Andreas
Description: allow NULL-encryption on remote-control via AF_UNIX URL: https://unbound.net/pipermail/unbound-users/2016-November/004517.html Author: Raplh Dolmans --- This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ Index: unbound-1.5.10/daemon/remote.c =================================================================== --- unbound-1.5.10.orig/daemon/remote.c +++ unbound-1.5.10/daemon/remote.c @@ -243,6 +243,7 @@ daemon_remote_create(struct config_file* if (cfg->remote_control_use_cert == 0) { /* No certificates are requested */ + SSL_CTX_set_security_level(rc->ctx, 0); if(!SSL_CTX_set_cipher_list(rc->ctx, "aNULL")) { log_crypto_err("Failed to set aNULL cipher list"); daemon_remote_delete(rc); Index: unbound-1.5.10/smallapp/unbound-control.c =================================================================== --- unbound-1.5.10.orig/smallapp/unbound-control.c +++ unbound-1.5.10/smallapp/unbound-control.c @@ -176,6 +176,7 @@ setup_ctx(struct config_file* cfg) free(c_cert); } else { /* Use ciphers that don't require authentication */ + SSL_CTX_set_security_level(ctx, 0); if(!SSL_CTX_set_cipher_list(ctx, "aNULL")) ssl_err("Error setting NULL cipher!"); }
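Review bot: In the daemon/remote.c hunk, the added `SSL_CTX_set_security_level(rc->ctx, 0);` call is unguarded, so this file stops compiling against OpenSSL releases older than 1.1, where security levels do not exist. Put the call behind a configure-time check (for example an `#ifdef` on a detected-function macro; the macro name is for the build system to define). Separately, the branch shown here tests only `cfg->remote_control_use_cert == 0`, while the patch description limits the change to AF_UNIX. It is worth confirming that this branch cannot be reached for a TCP control interface, since level 0 together with aNULL leaves the control channel unauthenticated.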
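Review bot: In the smallapp/unbound-control.c hunk, the new `SSL_CTX_set_security_level(ctx, 0);` line has no explanation, and the existing comment "Use ciphers that don't require authentication" does not say why the level has to drop. Extend the comment to state that OpenSSL 1.1's default security level rejects aNULL, so a later reader does not remove the call as unnecessary. The call needs the same OpenSSL version guard as the daemon side so both ends build and behave alike. The adjacent error string "Error setting NULL cipher!" also reads as null encryption, whereas the list being set is aNULL (no authentication); aligning it with the daemon's "Failed to set aNULL cipher list" would avoid that confusion.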
