
tls: fix connection issues with some servers #32

Open · wants to merge 1 commit into master

Conversation

Red54 (Contributor) commented Sep 14, 2024

Before:
$ kdig +short +tls dns.google @1.12.12.12
;; WARNING: TLS, handshake failed (A TLS fatal alert has been received.)
;; ERROR: failed to query server 1.12.12.12@853(TCP)

After:
$ kdig +short +tls dns.google @1.12.12.12
8.8.4.4
8.8.8.8

Fixes: bd75c1f (tls: unification of TLS priority settings, 2024-04-26)
Signed-off-by: 谢致邦 (XIE Zhibang) <[email protected]>
salzmdan (Member)

What about this solution?

                        {
                                // Establish TLS connection.
                                ret = tls_ctx_setup_remote_endpoint(&net->tls, &dot_alpn, 1,
-                                       KNOT_TLS_PRIORITIES, net_get_remote(net));
+                                       KNOT_TLS_PRIORITIES":+VERS-TLS1.2", net_get_remote(net));
                                if (ret != 0) {
                                        net_close(net);
                                        return ret;
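Review bot: the `+` line relies on adjacent string-literal concatenation (`KNOT_TLS_PRIORITIES":+VERS-TLS1.2"`), which only compiles if `KNOT_TLS_PRIORITIES` expands to a string literal; if it is a `const char *` the priority string has to be assembled at runtime instead. The appended `:+VERS-TLS1.2` token re-enables TLS 1.2 for every remote endpoint set up on this path, so a short comment at the call site explaining why kdig deviates from the shared priority string would help, especially given the later remark in this thread that the server side is TLS 1.3 only. The fragment also carries no `@@` header or file path, so it is not clear from the comment alone which function this call sits in.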

I would prefer keeping KNOT_TLS_PRIORITIES there with this possible exception.

Red54 (Contributor, Author) commented Sep 20, 2024

My point is that kdig is a debugging tool rather than a system resolver (like systemd-resolved), and allowing only high-security level connections is meaningless for debugging.

salzmdan (Member)

I understand your point, but kdig isn't intended for TLS debugging. In the server we support only TLS 1.3 with limited algorithms (similar to QUIC), so it would be confusing if kdig had inconsistent support.
