
Bugs/notes related to Mutual TLS #364

Open
k0ekk0ek opened this issue Jul 29, 2024 · 2 comments
@k0ekk0ek

Andreas Schulze provided some feedback on the Mutual TLS feature on the nsd-users mailing list.

  • I used an IPv6 network for my zone transfer tests and have the impression, the outgoing-interface statement at the secondary is not working if AXFR-over-tls is used.

  • While trying to get AXFR-over-tls working, I saw errors like "error: xfrd tls: TLS verify failed - (62) depth: 0 error: hostname mismatch"
    It would be helpful to see there "... hostname mismatch: expected 'foo', got 'bar'"

  • After "error: xfrd tls: TLS verify failed - (62) depth: 0 error: hostname mismatch" I also saw "error: xfrd: TLS handshake failed: Success"

@k0ekk0ek k0ekk0ek added the bug label Jul 29, 2024
@bilias

bilias commented Aug 1, 2024

> Andreas Schulze provided some feedback on the Mutual TLS feature on the nsd-users mailing list.
>
> * While trying to get AXFR-over-tls working, I saw errors like "error: xfrd tls: TLS verify failed - (62) depth: 0 error: hostname mismatch"
>   It would be helpful to see there "... hostname mismatch: expected 'foo', got 'bar'"

This is captured in DEBUG

nsd/options.c, lines 2257 to 2259 in b88421b:

```c
if (pos == len) {
	DEBUG(DEBUG_XFRD, 2, (LOG_INFO,
		"SAN %*s does not match acl for %s", len, str, acl_cert_cn));
```

and

nsd/options.c, lines 2315 to 2317 in b88421b:

```c
if (pos == len) {
	DEBUG(DEBUG_XFRD, 2, (LOG_INFO,
		"CN %*s does not match acl for %s", len, common_name_str, acl_cert_cn));
```

I run my devel SSL code with `#undef NDEBUG /**/` in config.h (after configure).

With nsd options `-V100 -F 0x0020U -L100` I get:

```
[2024-08-02 01:20:55.086] nsd[1029706]: info: CN s3.example.com does not match acl for s2.example.com
[2024-08-02 01:20:55.086] nsd[1029706]: warning: client cert does not match tls-master s2.example.com
[2024-08-02 01:20:55.086] nsd[1029706]: info: axfr for example.com. from 127.0.0.1 refused, no acl matches
[2024-08-02 01:20:55.086] nsd[1029706]: info: axfr refused, no acl matches
```

Maybe we put those two in VERBOSITY LOG instead of DEBUG?
#369
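The "expected 'foo', got 'bar'" message Andreas asks for, as an added example that is not NSD's code: a peer-name check over the dict layout Python's `ssl.SSLSocket.getpeercert()` returns (constructed sample certificates below), which checks SAN dNSName entries first and falls back to the CN, and on failure reports both the ACL's expected name and the names the certificate actually carried.

```python
"""Peer-name check that reports what mismatched, not only that it did."""


def _dns_names(cert):
    """Return ("SAN", names) if the cert has dNSName SANs, else ("CN", names)."""
    sans = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return "SAN", sans
    cn = [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]
    return "CN", cn


def _norm(name):
    # DNS names compare case-insensitively; a trailing dot is not significant.
    return name.rstrip(".").lower()


def verify_peer_name(cert, acl_cert_cn):
    """Compare the client certificate's names against the ACL's expected name.

    Returns (matched, message). On a mismatch the message names the field that
    was examined (SAN or CN), the expected value and every value presented.
    """
    source, names = _dns_names(cert)
    if not names:
        return False, ("hostname mismatch: expected '%s', certificate carries "
                       "no SAN dNSName or CN" % acl_cert_cn)
    expected = _norm(acl_cert_cn)
    for name in names:
        if _norm(name) == expected:
            return True, "%s '%s' matches acl for '%s'" % (source, name, acl_cert_cn)
    got = ", ".join("'%s'" % n for n in names)
    return False, "hostname mismatch: expected '%s', got %s %s" % (acl_cert_cn, source, got)


# Constructed sample certificates (not real ones) in getpeercert() layout.
CERT_S3 = {"subject": ((("commonName", "s3.example.com"),),),
           "subjectAltName": (("DNS", "s3.example.com"),)}
CERT_CN_ONLY = {"subject": ((("commonName", "S2.example.com."),),)}

if __name__ == "__main__":
    for cert in (CERT_S3, CERT_CN_ONLY, {}):
        print(verify_peer_name(cert, "s2.example.com"))
```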

@bilias

bilias commented Aug 1, 2024

> * I used an IPv6 network for my zone transfer tests and have the impression, the outgoing-interface statement at the secondary is not working if AXFR-over-tls is used.

per manual page:

```
outgoing-interface: <ip-address>
       Access control list. The listed address is used to request AXFR|IXFR
       (in case of a secondary) or used to send notifies (in case of a
       primary).
```

  • secondary (client side)
    There was only a minor modification on the client side, a87e820, so this is probably not related to the TLS-AUTH code (server side).

  • notifies (server side)
    Didn't touch notifies. It was in my TODO plans, but after reading that nsd only supports UDP it makes things a little harder for this. If TCP is enabled, then this is quite easy to implement (Support Mutual TLS for outgoing NOTIFY #365).
