tags 1038243 confirmed patch fixed-upstream
thanks

I can confirm this bug. I also stumbled over this after upgrading a machine 
from Bullseye to Bookworm. I can also confirm that the upstream fix (commit 
d7e77611) [1] on top of the unbound package currently found in Debian Bookworm, 
1.17.1-2, fixes the issue for me. I'm attaching the patch that I applied on the 
source package. It's the upstream patch except for the (upstream) documentation 
update (as that doesn't apply nicely on the version found in Bookworm and has 
no functional impact). If anyone wants to try my local binary build (at your 
own risk - no warranty whatsoever!), you can find the packages here [2]. The 
link expires Nov 15, 2023.

Dear Maintainer, it would be nice if you could apply the upstream fix and 
release new unbound packages via proposed-updates.

Thanks and regards,

Timo

[1] 
https://github.com/NLnetLabs/unbound/commit/d7e776114114c16816570e48ab3a27eedc401a0e
[2] https://cloud.timo-sigurdsson.com/index.php/s/fRp5A99aHJK3Le6
From d7e776114114c16816570e48ab3a27eedc401a0e Mon Sep 17 00:00:00 2001
From: George Thessalonikefs <[email protected]>
Date: Fri, 17 Mar 2023 14:39:37 +0100
Subject: [PATCH] - Fix #812, fix #846, by using the
 SSL_OP_IGNORE_UNEXPECTED_EOF option   to ignore the unexpected eof while
 reading in openssl >= 3.

---
 util/net_help.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/util/net_help.c b/util/net_help.c
index 54fad6986..de2d771bd 100644
--- a/util/net_help.c
+++ b/util/net_help.c
@@ -1005,6 +1005,16 @@ listen_sslctx_setup(void* ctxt)
 			log_crypto_err("could not set cipher list with SSL_CTX_set_cipher_list");
 	}
 #endif
+#if defined(SSL_OP_IGNORE_UNEXPECTED_EOF)
+	/* ignore errors when peers do not send the mandatory close_notify
+	 * alert on shutdown.
+	 * Relevant for openssl >= 3 */
+	if((SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF) &
+		SSL_OP_IGNORE_UNEXPECTED_EOF) != SSL_OP_IGNORE_UNEXPECTED_EOF) {
+		log_crypto_err("could not set SSL_OP_IGNORE_UNEXPECTED_EOF");
+		return 0;
+	}
+#endif
 
 	if((SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE) &
 		SSL_OP_CIPHER_SERVER_PREFERENCE) !=
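Review bot: the comment on the added block (`ignore errors when peers do not send the mandatory close_notify alert on shutdown`) says what the option does but not why suppressing that error is acceptable here; a missing close_notify is precisely the condition the OpenSSL >= 3 unexpected-EOF error exists to surface, since it is what a truncated TLS stream looks like to the reader. The comment should state why truncation at the TLS layer is tolerable on this listener (for example, that the application protocol carries its own message framing, if that is the reasoning), so that a later reader does not remove or keep the option for the wrong reason. The `(SSL_CTX_set_options(ctx, X) & X) != X` check and the `log_crypto_err` + `return 0` failure path match the SSL_OP_CIPHER_SERVER_PREFERENCE block that follows, so the style is consistent with the surrounding code.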
@@ -1233,6 +1243,17 @@ void* connect_sslctx_create(char* key, char* pem, char* verifypem, int wincert)
 		SSL_CTX_free(ctx);
 		return 0;
 	}
+#endif
+#if defined(SSL_OP_IGNORE_UNEXPECTED_EOF)
+	/* ignore errors when peers do not send the mandatory close_notify
+	 * alert on shutdown.
+	 * Relevant for openssl >= 3 */
+	if((SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF) &
+		SSL_OP_IGNORE_UNEXPECTED_EOF) != SSL_OP_IGNORE_UNEXPECTED_EOF) {
+		log_crypto_err("could not set SSL_OP_IGNORE_UNEXPECTED_EOF");
+		SSL_CTX_free(ctx);
+		return 0;
+	}
 #endif
 	if(key && key[0]) {
 		if(!SSL_CTX_use_certificate_chain_file(ctx, pem)) {
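Review bot: the added block in connect_sslctx_create repeats the listen_sslctx_setup block from the first hunk line for line, differing only in the `SSL_CTX_free(ctx);` on the failure path (correct here, since this function owns `ctx`, matching the `SSL_CTX_free(ctx); return 0;` context just above). Consider factoring the option-setting and check into a small shared helper so the two call sites cannot drift apart, as they are guarded by the same `#if defined(SSL_OP_IGNORE_UNEXPECTED_EOF)` condition. Note also that the diff aligned the insertion so that the new `+#endif` closes the preceding conditional and the pre-existing ` #endif` context line now closes the new `#if`; the result is well-formed, but a reader comparing the two hunks should not mistake this for an unbalanced block.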
