Bug 1259 - "--disable-ecdsa" argument overwritten by "#ifdef SHA256_DIGEST_LENGTH@daemon/remote.c"
"--disable-ecdsa" argument overwritten by "#ifdef SHA256_DIGEST_LENGTH@daemon...
Status: RESOLVED FIXED
Product: unbound
Classification: Unclassified
Component: server
Version: 1.6.2
Hardware: Sun
OS: other
Importance: P5 minor
Assigned To: unbound team
Depends on:
Blocks:
Reported: 2017-04-30 10:58 CEST by Kunitaka Namba
Modified: 2017-05-01 09:35 CEST (History)
CC: 2 users

See Also:


Description Kunitaka Namba 2017-04-30 10:58:33 CEST
Use "--disable-ecdsa":

$ ./configure --prefix=/usr/local/unbound CFLAGS="-I/usr/local/include -m64" \
LDFLAGS="-L/usr/local/lib:/usr/lib/64 -R/usr/local/lib:/usr/lib/64 -m64" \
--enable-event-api --with-libevent --disable-gost --disable-ecdsa


Errors when starting unbound:

# /usr/local/unbound/sbin/unbound
Apr 30 16:06:19 unbound[13524:0] error: coult not set cipher list with SSL_CTX_set_cipher_list crypto error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match *
Apr 30 16:06:19 unbound[13524:0] error: Error in SSL_CTX_ecdh_auto, not enabling ECDHE crypto error:00000000:lib(0):func(0):reason(0)


unbound-control errors:

# /usr/local/unbound/sbin/unbound-control stats
error: SSL handshake failed
18446744071123342328:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:

* uncontrollable...


It would be better if it were changed to add a defined(USE_ECDSA) check:

$ diff daemon/remote.c daemon/remote.c.org
263c263
< #if defined(SHA256_DIGEST_LENGTH) && defined(USE_ECDSA)
---
> #ifdef SHA256_DIGEST_LENGTH
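Review bot: This diff is taken in the reverse direction (the patched file daemon/remote.c is the first argument and the pristine daemon/remote.c.org the second), so the `<` line `#if defined(SHA256_DIGEST_LENGTH) && defined(USE_ECDSA)` is the proposed change and the `>` line is the current code. Regenerate it as `diff -u daemon/remote.c.org daemon/remote.c` so it reads as a normal patch and `patch` applies it without `-R`.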


After the change:

# /usr/local/unbound/sbin/unbound
Apr 30 17:51:05 unbound[51454:0] error: Error in SSL_CTX_ecdh_auto, not enabling ECDHE crypto error:00000000:lib(0):func(0):reason(0)

# /usr/local/unbound/sbin/unbound-control status
version: 1.6.2
verbosity: 1
threads: 8
modules: 2 [ validator iterator ]
uptime: 94 seconds
options: control(ssl)
unbound (pid 48384) is running...
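The failing call in the log above is OpenSSL's SSL_CTX_set_cipher_list, which reports "no cipher match" only when not a single token in the string names a suite the linked libssl offers; unknown tokens mixed with known ones are silently dropped. The following is an added example, not Unbound's code or the reporter's: it uses Python's ssl module (which wraps the same OpenSSL call) to reproduce that failure condition, list which names in Unbound's cipher string the local library drops, and pick the first usable candidate from an ordered list, which is the decision a build without ECDHE suites has to make. UNBOUND_CIPHER_LIST is copied from the diff on this page; NO_EC_CIPHER_LIST, cipher_list_matches, suites_dropped and pick_cipher_list are names chosen for this example.

```python
"""Check a TLS cipher-list string against the local OpenSSL before a daemon
uses it.  Added example for this bug page, not Unbound's code.  Python's
ssl.SSLContext.set_ciphers() calls SSL_CTX_set_cipher_list, so it fails in
exactly the situation the bug report shows: no token matched anything."""
import ssl
from typing import List, Optional

# The exact list from daemon/remote.c quoted on this page.
UNBOUND_CIPHER_LIST = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"
)

# Hypothetical fallback for a libssl built without EC (assumed for this
# example, not proposed by the bug): the same AEAD suites, but with
# finite-field DHE instead of ECDHE so forward secrecy is kept.
NO_EC_CIPHER_LIST = (
    "DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256"
)


def cipher_list_matches(cipher_list: str) -> bool:
    """True if OpenSSL accepts the string, i.e. at least one suite matched.
    This is the condition SSL_CTX_set_cipher_list reports as
    "no cipher match" when it is not met."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_list)
    except ssl.SSLError:  # "No cipher can be selected."
        return False
    return True


def suites_dropped(cipher_list: str) -> List[str]:
    """Names in the colon-separated list that the local OpenSSL does not
    offer, found by applying the list and reading back what survived.
    If nothing matched at all, every name is reported as dropped."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_list)
    except ssl.SSLError:
        return cipher_list.split(":")
    offered = {c["name"] for c in ctx.get_ciphers()}
    return [name for name in cipher_list.split(":") if name not in offered]


def pick_cipher_list(candidates: List[str]) -> Optional[str]:
    """First candidate the local OpenSSL accepts, or None if none does.
    A daemon that hard-codes one list and has no fallback ends up with the
    control channel unusable, as the unbound-control failure above shows."""
    for cand in candidates:
        if cipher_list_matches(cand):
            return cand
    return None


if __name__ == "__main__":
    for name, lst in (("unbound", UNBOUND_CIPHER_LIST), ("no-EC", NO_EC_CIPHER_LIST)):
        print(f"{name}: matches={cipher_list_matches(lst)} "
              f"dropped={suites_dropped(lst)}")
    print("chosen:", pick_cipher_list([UNBOUND_CIPHER_LIST, NO_EC_CIPHER_LIST]))
```

The same check from the shell, against the system libssl rather than the one Python links, is `openssl ciphers -v '<list>'`: it prints the suites that matched and exits non-zero with "no cipher match" when none did, which is the quickest way to confirm what a given OpenSSL build (here one apparently lacking ECDHE altogether, since SSL_CTX_ecdh_auto also fails) will accept before pointing a daemon at it.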
Comment 1 Kunitaka Namba 2017-05-01 01:28:02 CEST
$ diff -u daemon/remote.c daemon/remote.c.org
--- daemon/remote.c     2017-04-30 17:44:46.034311993 +0900
+++ daemon/remote.c.org 2017-04-30 17:44:00.978316721 +0900
@@ -260,7 +260,7 @@
                return NULL;
        }
 #endif
-#if defined(SHA256_DIGEST_LENGTH) && defined(USE_ECDSA)
+#ifdef SHA256_DIGEST_LENGTH
        /* if we have sha256, set the cipher list to have no known vulns */
        if(!SSL_CTX_set_cipher_list(rc->ctx, "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"))
                log_crypto_err("coult not set cipher list with SSL_CTX_set_cipher_list");
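Review bot: Gating the whole block on `defined(USE_ECDSA)` means a `--disable-ecdsa` build sets no cipher list at all and runs the control channel on libssl's default set, which drops the restriction the comment `/* if we have sha256, set the cipher list to have no known vulns */` is there to enforce. The "no cipher match" error in the report also rejected the three ECDHE-RSA suites, and SSL_CTX_ecdh_auto still fails after the change, so the underlying library evidently lacks ECDHE rather than just ECDSA; an `#else` branch that sets a non-EC AEAD list (for example DHE-RSA-AES256-GCM-SHA384) would keep forward secrecy and the no-known-vulns intent instead of falling back to the library default. Note also that this hunk is reversed (the `-` line is the proposed change), since the patched file was passed to `diff -u` first.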
Comment 2 Wouter Wijngaards 2017-05-01 09:35:38 CEST
Hi Kunitaka Namba,

Thank you for the patch.  I have applied it to solve the problem.

Best regards, Wouter