<p><strong>pfSense bugtracker</strong>: pfSense - Feature #8602: DNS over TLS host verification</p>
<p><strong>Jim Pingle</strong>, 2018-06-26T09:29:06Z (<a href="https://redmine.pfsense.org/issues/8602?journal_id=36785">journal 36785</a>)</p>
<p>devel should pick it up naturally here in a week or two when the 2018Q3 branch comes in. FreeBSD ports tree HEAD/master is at unbound 1.7.3.</p>
<p><strong>Jim Pingle</strong>, 2018-06-29T10:15:38Z (<a href="https://redmine.pfsense.org/issues/8602?journal_id=36808">journal 36808</a>)</p>
<ul><li><strong>Subject</strong> changed from <i>Update Unbound to 1.7.1 or later to support DNS over TLS verification</i> to <i>DNS over TLS host verification</i></li><li><strong>Assignee</strong> set to <i>Jim Pingle</i></li><li><strong>Target version</strong> set to <i>2.4.4</i></li></ul>
<p><strong>Jim Pingle</strong>, 2018-07-06T08:53:06Z (<a href="https://redmine.pfsense.org/issues/8602?journal_id=36917">journal 36917</a>)</p>
<p>Unbound 1.7.3 is in current 2.4.4 snapshots, so this can be added now.</p>
<p><strong>Jim Pingle</strong>, 2018-07-06T13:20:07Z (<a href="https://redmine.pfsense.org/issues/8602?journal_id=36925">journal 36925</a>)</p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Feedback</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li></ul><p>Applied in changeset <a class="changeset" title="Add fields for DNS server hostnames for TLS verification. Implements #8602" href="https://redmine.pfsense.org/projects/pfsense/repository/2/revisions/ad08a8242ca45907e0486712d218a5f8f34c7332">ad08a8242ca45907e0486712d218a5f8f34c7332</a>.</p>
<p><strong>Jim Pingle</strong>, 2018-07-16T11:36:56Z (<a href="https://redmine.pfsense.org/issues/8602?journal_id=37052">journal 37052</a>)</p>
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Assigned</i></li></ul><p>So it looks like we are setting up the unbound configuration correctly, but it does not appear to be enforcing the hostname/cert check.</p>
<pre>
# TLS Configuration
tls-cert-bundle: "/etc/ssl/cert.pem"
[...]
# Forwarding
forward-zone:
        name: "."
        forward-tls-upstream: yes
        forward-addr: 9.9.9.9@853#blah.example.com
        forward-addr: 1.0.0.1@853#doesnotexist.com
        forward-addr: 149.112.112.112@853#somethingwrong.com
</pre>
<pre>
: clog /var/log/resolver.log | egrep -i '(cert|auth|doesnot)' | tail -4
Jul 16 10:31:12 jack unbound: [29373:0] debug: [doesnotexist.com] ip4 1.0.0.1 port 853 (len 16)
Jul 16 10:31:12 jack unbound: [29373:0] debug: peer certificate: Issuer: C=US, O=DigiCert Inc, CN=DigiCert ECC Secure Server CA Validity Not Before: Mar 30 00:00:00 2018 GMT Not After : Mar 25 12:00:00 2020 GMT Subject: C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=*.cloudflare-dns.com X509v3 extensions: X509v3 Authority Key Identifier: keyid:A3:9D:E6:1F:F9:DA:39:4F:C0:6E:E8:91:CB:95:A5:DA:31:E2:0A:9F X509v3 Subject Key Identifier: DF:97:4D:E5:43:B3:B0:41:A7:42:F2:90:CF:89:7F:AE:12:57:84:E1 X509v3 Subject Alternative Name: DNS:*.cloudflare-dns.com, IP Address:1.1.1.1, IP Address:1.0.0.1, DNS:cloudflare-dns.com, IP Address:2606:4700:4700:0:0:0:0:1111, IP Address:2606:4700:4700:0:0:0:0:1001 X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client
Jul 16 10:31:12 jack unbound: [29373:0] debug: SSL connection authenticated ip4 1.0.0.1 port 853 (len 16)
Jul 16 10:31:12 jack unbound: [29373:0] info: incoming scrubbed packet: ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0 ;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: 0.pfsense.pool.ntp.org. IN AAAA ;; ANSWER SECTION: ;; AUTHORITY SECTION: pool.ntp.org. 1500 IN SOA a.ntpns.org. hostmaster.pool.ntp.org. 1531751408 5400 5400 1209600 3600 ;; ADDITIONAL SECTION: ;; MSG SIZE rcvd: 95
</pre>
<p>I thought it may be due to the certificate containing the IP address, but it behaves identically when pointed at a DNS server with a Let's Encrypt cert that only contains a hostname.</p>
<p>Upstream bug opened: <a class="external" href="https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=658">https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=658</a></p>
<p>If the upstream bug is not addressed before 2.4.4 is released, we may need to disable the options for this code.</p>
<p><strong>Jim Pingle</strong>, 2018-07-17T07:24:41Z (<a href="https://redmine.pfsense.org/issues/8602?journal_id=37066">journal 37066</a>)</p>
<ul><li><strong>Target version</strong> changed from <i>2.4.4</i> to <i>2.5.0</i></li><li><strong>% Done</strong> changed from <i>100</i> to <i>90</i></li></ul><p>Per <a class="external" href="https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=658">https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=658</a> the verification requires OpenSSL 1.1.x, and FreeBSD 11.2 base OpenSSL is 1.0.x.</p>
<p>This will have to wait until FreeBSD base includes OpenSSL 1.1.x.</p>
<p><strong>Jim Pingle</strong>, 2018-07-17T07:30:08Z (<a href="https://redmine.pfsense.org/issues/8602?journal_id=37068">journal 37068</a>)</p>
<ul><li><strong>Status</strong> changed from <i>Assigned</i> to <i>Feedback</i></li><li><strong>% Done</strong> changed from <i>90</i> to <i>100</i></li></ul><p>Applied in changeset <a class="changeset" title="Revert &quot;Add fields for DNS server hostnames for TLS verification. Implements #8602&quot; Per https://..." href="https://redmine.pfsense.org/projects/pfsense/repository/2/revisions/e1ad890e581ad76a17af2860b054ce496a0aa56f">e1ad890e581ad76a17af2860b054ce496a0aa56f</a>.</p>
<p><strong>Jim Pingle</strong>, 2018-07-17T07:31:49Z (<a href="https://redmine.pfsense.org/issues/8602?journal_id=37069">journal 37069</a>)</p>
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Assigned</i></li></ul>
<p><strong>Chris Collins</strong>, 2018-12-23T04:51:06Z (<a href="https://redmine.pfsense.org/issues/8602?journal_id=39626">journal 39626</a>)</p>
<p>If you guys want this before pfSense 2.5, you only need to compile Unbound against OpenSSL 1.1; the system binary can still be an older OpenSSL. Many FreeBSD configurations actually run like this by using OpenSSL from ports, so basically compiling against a newer OpenSSL from ports whilst still having an older base OpenSSL. Now, I know pfSense doesn't use FreeBSD ports, but the basic principle still applies: the Unbound pfSense package can be compiled statically against its own OpenSSL 1.1 libraries.</p>
<p><strong>Jim Pingle</strong>, 2018-12-23T08:43:42Z (<a href="https://redmine.pfsense.org/issues/8602?journal_id=39628">journal 39628</a>)</p>
<p>We have gone down the road of having multiple OpenSSL instances on the firewall before and it was a pain to maintain, have everything use the correct paths, make sure everything was linked against the expected version, and so on. It also confused users to have two different sets of OpenSSL binaries on the system that behaved differently. We'll stick to what's in the FreeBSD base system. When we move to a FreeBSD 12 base, we'll get OpenSSL 1.1.x automatically.</p>
<p><strong>Jim Pingle</strong>, 2019-02-06T13:09:28Z (<a href="https://redmine.pfsense.org/issues/8602?journal_id=39919">journal 39919</a>)</p>
<ul></ul><p>Unbound 1.9.0 added support for verifying hosts on OpenSSL 1.0.2, but it still doesn't seem to work. Unbound 1.9.0 is in 2.4.5 snapshots, and I still get the same failure.</p>
<pre>
Feb 6 11:38:46 jack unbound: [45843:0] error: no name verification functionality in ssl library, ignored name for 9.9.9.9@853#blah.example.com
</pre>
<p>Looking in the source it's failing a check with this:</p>
<pre>
#ifndef HAVE_SSL_SET1_HOST
	if(auth_name)
		log_err("no name verification functionality in "
			"ssl library, ignored name for %s", todo);
#endif
</pre>
<p>There are a couple other checks as well that were not updated.</p>
<p>I patched the checks and it works as expected in a test; I pushed the patches to our ports repo for further testing. I sent the patch to Unbound at <a class="external" href="https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4206#c5">https://www.nlnetlabs.nl/bugs-script/show_bug.cgi?id=4206#c5</a></p>
<p><strong>Jim Pingle</strong>, 2019-02-06T13:20:17Z (<a href="https://redmine.pfsense.org/issues/8602?journal_id=39920">journal 39920</a>)</p>
<ul><li><strong>Status</strong> changed from <i>Assigned</i> to <i>Feedback</i></li></ul><p>Applied in changeset <a class="changeset" title="Add back DNS over TLS host verification code. Fixes #8602 Requires Unbound 1.9.0_1 from pfsense/..." href="https://redmine.pfsense.org/projects/pfsense/repository/2/revisions/7e8bfed216304b37342a0800eb35ef7c29546f5d">7e8bfed216304b37342a0800eb35ef7c29546f5d</a>.</p>
<p><strong>Jim Pingle</strong>, 2019-02-06T13:26:23Z (<a href="https://redmine.pfsense.org/issues/8602?journal_id=39921">journal 39921</a>)</p>
<ul></ul><p>The next build that includes unbound 1.9.0_1 and the changes referenced on this issue will be ready for testing. Using a patched copy compiled locally, it works. It complains about invalid hosts and notes success of valid hosts:</p>
<p>Deliberately bad/mismatched hostname, fails as expected.</p>
<pre>
forward-addr: 149.112.112.112@853#somethingwrong.com
</pre>
<pre>
Feb 6 13:59:26 jack unbound: [40033:0] error: ssl handshake failed crypto error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Feb 6 13:59:26 jack unbound: [40033:0] notice: ssl handshake failed ip4 149.112.112.112 port 853 (len 16)
</pre>
<p>Valid hostname is verified and works:</p>
<pre>
forward-addr: 9.9.9.9@853#dns.quad9.net
</pre>
<pre>
Feb 6 13:59:38 jack unbound: [40033:0] debug: peer certificate: Issuer: C=US, O=DigiCert Inc, CN=DigiCert ECC Secure Server CA Validity Not Before: Sep 20 00:00:00 2018 GMT Not After : Sep 24 12:00:00 2020 GMT Subject: C=US, ST=California, L=Berkeley, O=Quad9, CN=*.quad9.net X509v3 extensions: X509v3 Authority Key Identifier: keyid:A3:9D:E6:1F:F9:DA:39:4F:C0:6E:E8:91:CB:95:A5:DA:31:E2:0A:9F X509v3 Subject Key Identifier: 7F:A9:12:A5:D7:C6:8B:48:02:C7:3D:2A:45:6E:40:1E:40:60:F4:97 X509v3 Subject Alternative Name: DNS:*.quad9.net, DNS:quad9.net, IP Address:9.9.9.9, IP Address:9.9.9.10, IP Address:9.9.9.11, IP Address:9.9.9.12, IP Address:9.9.9.13, IP Address:9.9.9.14, IP Address:9.9.9.15, IP Address:149.112.112.9, IP Address:149.112.112.10, IP Address:149.112.112.11, IP Address:149.112.112.12, IP Address:149.112.112.13, IP Address:149.112.112.14, IP Address:149.112.112
Feb 6 13:59:38 jack unbound: [40033:0] debug: SSL connection authenticated ip4 9.9.9.9 port 853 (len 16)
</pre>
<p><strong>Chris Linstruth</strong>, 2019-04-28T23:49:29Z (<a href="https://redmine.pfsense.org/issues/8602?journal_id=40424">journal 40424</a>)</p>
<p>Similar results here. Mismatched FQDN for the server results in a certificate verify error for unbound:</p>
<pre>
Apr 29 04:48:10 unbound 57201 [57201:0] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
Apr 29 04:48:10 unbound 57201 [57201:0] notice: ssl handshake failed 9.9.9.9 port 853
</pre>
<p><strong>Jim Pingle</strong>, 2019-04-29T07:53:40Z (<a href="https://redmine.pfsense.org/issues/8602?journal_id=40432">journal 40432</a>)</p>
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Resolved</i></li></ul>
<p><strong>Jim Pingle</strong>, 2019-05-11T16:47:10Z (<a href="https://redmine.pfsense.org/issues/8602?journal_id=40516">journal 40516</a>)</p>
<ul><li><strong>Target version</strong> changed from <i>2.5.0</i> to <i>2.4.4-p3</i></li></ul>
<p><strong>Jim Pingle</strong>, 2019-05-11T18:04:26Z (<a href="https://redmine.pfsense.org/issues/8602?journal_id=40553">journal 40553</a>)</p>
<ul><li><strong>Status</strong> changed from <i>Resolved</i> to <i>Feedback</i></li></ul>
<p><strong>Chris Linstruth</strong>, 2019-05-13T14:41:01Z (<a href="https://redmine.pfsense.org/issues/8602?journal_id=40583">journal 40583</a>)</p>
<p>2.4.4-p3:</p>
<pre>
May 13 19:39:24 unbound 82673:1 error: no name verification functionality in ssl library, ignored name for 149.112.112.112@853#dns.xyzzy.com
</pre>
<p><strong>Jim Pingle</strong>, 2019-05-13T14:44:47Z (<a href="https://redmine.pfsense.org/issues/8602?journal_id=40584">journal 40584</a>)</p>
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Assigned</i></li><li><strong>Assignee</strong> changed from <i>Jim Pingle</i> to <i>Renato Botelho</i></li></ul><p>Looks like we'll need to import Unbound 1.9.0</p>
<p><strong>Chris Linstruth</strong>, 2019-05-13T21:51:30Z (<a href="https://redmine.pfsense.org/issues/8602?journal_id=40589">journal 40589</a>)</p>
<ul><li><strong>Status</strong> changed from <i>Assigned</i> to <i>Feedback</i></li></ul><p>Looks good with the new build with unbound 1.9.1. Only fails with a bogus hostname defined. Works with either 149.112.112.112 or *.quad9.net which are both CN/SAN in the presented certificate.</p>
<p>Also fails querying another pfSense node providing DNS resolver services with a self-signed certificate matching the configured DNS Hostname/IP address.</p>
<p><strong>Jim Pingle</strong>, 2019-05-14T07:12:25Z (<a href="https://redmine.pfsense.org/issues/8602?journal_id=40606">journal 40606</a>)</p>
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Resolved</i></li></ul>
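<p>The following is an added example and not part of the issue, pfSense or Unbound. It turns the test method used in the thread into a small Python audit of an unbound.conf forward-zone against the resolver log: it flags TLS forwarders configured without a <code>#authname</code> (encrypted but never authenticated, which is effectively the state the original configuration was in while verification was not enforced), spots the "no name verification functionality" error, and checks that a deliberately wrong canary name, like the doesnotexist.com and somethingwrong.com entries above, is rejected rather than logged as "SSL connection authenticated". The config fragment and log lines are constructed from the snippets quoted in the thread; the function names are the example's own.</p>

```python
"""Audit Unbound DNS-over-TLS forwarders against the resolver log.

Added example, not pfSense or Unbound code. Two checks drawn from the issue:
every TLS forwarder should carry a #authname (without one the session is
encrypted but the server is never authenticated), and a deliberately wrong
"canary" name must make the handshake fail; a canary the log shows as
authenticated means host verification is not enforced. The config and log
samples are constructed from the snippets quoted in the issue.
"""
import re

def parse_forward_addr(value):
    """Split Unbound's IP[@port][#authname] form; the port defaults to 53 as in Unbound."""
    addr, _, auth_name = value.strip().partition("#")
    host, _, port = addr.partition("@")
    return host.strip(), (int(port) if port else 53), (auth_name.strip() or None)

def parse_forward_zones(text):
    """Return one {tls, addrs} dict per forward-zone in an unbound.conf fragment."""
    zones, zone = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "forward-zone":
            zone = {"tls": False, "addrs": []}
            zones.append(zone)
        elif zone is not None and key == "forward-tls-upstream":
            zone["tls"] = value.lower() == "yes"
        elif zone is not None and key == "forward-addr":
            zone["addrs"].append(parse_forward_addr(value))
    return zones

# Patterns for the log lines quoted in the issue; older builds omit the "ip4 " token.
AUTHENTICATED = re.compile(r"SSL connection authenticated (?:ip[46] )?(\S+) port (\d+)")
HANDSHAKE_FAILED = re.compile(r"ssl handshake failed (?:ip[46] )?(\S+) port (\d+)")
NAME_IGNORED = re.compile(r"no name verification functionality in ssl library, ignored name for (\S+)")

def classify_log(lines):
    """Map (ip, port) -> set of events Unbound logged for that upstream."""
    events = {}
    for line in lines:
        for event, pat in (("authenticated", AUTHENTICATED), ("handshake_failed", HANDSHAKE_FAILED)):
            m = pat.search(line)
            if m:
                events.setdefault((m.group(1), int(m.group(2))), set()).add(event)
        m = NAME_IGNORED.search(line)
        if m:
            ip, port, _ = parse_forward_addr(m.group(1))
            events.setdefault((ip, port), set()).add("name_ignored")
    return events

def audit(config_text, log_lines, canary_names=()):
    """Return (severity, upstream, message) findings for every TLS forwarder."""
    events, findings = classify_log(log_lines), []
    for zone in parse_forward_zones(config_text):
        if not zone["tls"]:
            continue
        for ip, port, auth_name in zone["addrs"]:
            up, seen = f"{ip}@{port}", events.get((ip, port), set())
            if auth_name is None:
                findings.append(("high", up, "forward-tls-upstream without #authname: "
                                 "encrypted, but the server certificate is never verified"))
                continue
            if "name_ignored" in seen:
                findings.append(("critical", up, "SSL library cannot verify names; the auth name is ignored"))
            if auth_name in canary_names and "authenticated" in seen:
                findings.append(("critical", up, f"canary {auth_name} accepted: host verification not enforced"))
            elif auth_name in canary_names and "handshake_failed" in seen:
                findings.append(("info", up, f"canary {auth_name} rejected as expected"))
            elif "authenticated" in seen:
                findings.append(("info", up, f"authenticated as {auth_name}"))
    return findings

# Constructed samples; the addresses and names are the ones quoted in the issue.
SAMPLE_CONFIG = """
forward-zone:
        name: "."
        forward-tls-upstream: yes
        forward-addr: 9.9.9.9@853#dns.quad9.net
        forward-addr: 1.0.0.1@853#doesnotexist.com
        forward-addr: 149.112.112.112@853#somethingwrong.com
        forward-addr: 1.1.1.1@853
"""
CANARY_NAMES = {"doesnotexist.com", "somethingwrong.com"}
SAMPLE_LOG = [
    "Jul 16 10:31:12 jack unbound: [29373:0] debug: SSL connection authenticated ip4 9.9.9.9 port 853 (len 16)",
    "Jul 16 10:31:12 jack unbound: [29373:0] error: no name verification functionality in ssl library, ignored name for 1.0.0.1@853#doesnotexist.com",
    "Jul 16 10:31:12 jack unbound: [29373:0] debug: SSL connection authenticated ip4 1.0.0.1 port 853 (len 16)",
    "Jul 16 10:31:13 jack unbound: [29373:0] notice: ssl handshake failed ip4 149.112.112.112 port 853 (len 16)",
    "Jul 16 10:31:13 jack unbound: [29373:0] debug: SSL connection authenticated ip4 1.1.1.1 port 853 (len 16)",
]

if __name__ == "__main__":
    for severity, upstream, message in audit(SAMPLE_CONFIG, SAMPLE_LOG, CANARY_NAMES):
        print(f"[{severity}] {upstream}: {message}")
```

<p>To use it on a firewall, feed the forward-zone block of the running unbound.conf and the lines from <code>clog /var/log/resolver.log</code> (the command shown earlier in the thread) into <code>audit()</code>. The design point is that "SSL connection authenticated" on its own proves only that the chain validated against the CA bundle; it is the rejection of a canary name that demonstrates the hostname is actually being compared against the certificate's CN/SAN.</p>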