dnsdist: TLS 1.3 requires OpenSSL 1.1.1.
authorRemi Gacogne <remi.gacogne@powerdns.com>
Wed, 28 Aug 2019 09:03:44 +0000 (11:03 +0200)
committerRemi Gacogne <remi.gacogne@powerdns.com>
Wed, 28 Aug 2019 09:03:44 +0000 (11:03 +0200)
pdns/dnsdistdist/doh.cc
pdns/dnsdistdist/libssl.cc
pdns/dnsdistdist/tcpiohandler.cc
pdns/libssl.hh

index 1f8f64e10286f6df806909d5de7d2a3685e55976..d918d531ccdef062dedd54c3032d1ff1e3a2d1fe 100644 (file)
@@ -897,7 +897,9 @@ static std::unique_ptr<SSL_CTX, void(*)(SSL_CTX*)> getTLSContext(const std::vect
     SSL_OP_SINGLE_ECDH_USE;
 
   SSL_CTX_set_options(ctx.get(), sslOptions);
-  libssl_set_min_tls_version(ctx, minTLSVersion);
+  if (!libssl_set_min_tls_version(ctx, minTLSVersion)) {
+    throw std::runtime_error("Failed to set the minimum version to '" + libssl_tls_version_to_string(minTLSVersion) + "' for DoH listener");
+  }
 
 #ifdef SSL_CTX_set_ecdh_auto
   SSL_CTX_set_ecdh_auto(ctx.get(), 1);
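Review bot: The DoH-specific message on the new throw line is only reached when `libssl_tls_version_to_string(minTLSVersion)` itself succeeds, and that helper throws its own `std::runtime_error("Unknown TLS version (...)")` for any value outside the four enumerators, which is exactly the `default: return false;` case of `libssl_set_min_tls_version`; in that case the operator sees the generic message rather than one naming the DoH listener. The same pattern is used in the tcpiohandler.cc hunk. Since the other `false` path is TLS 1.3 on a library without `TLS1_3_VERSION`, the message would also help more if it pointed at that cause, e.g. `throw std::runtime_error("Failed to set the minimum TLS version to '" + libssl_tls_version_to_string(minTLSVersion) + "' for DoH listener, check that the OpenSSL library this build was linked against supports it");`. getTLSContext starts and ends outside this hunk.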
index d7561578eab8d455b5563dfed3d9e50e038289e4..e77e0dd2239e63bb4af7620a4afd0c24b8cecc53 100644 (file)
@@ -281,6 +281,22 @@ LibsslTLSVersion libssl_tls_version_from_string(const std::string& str)
   throw std::runtime_error("Unknown TLS version '" + str);
 }
 
+const std::string& libssl_tls_version_to_string(LibsslTLSVersion version)
+{
+  static const std::map<LibsslTLSVersion, std::string> versions = {
+    { LibsslTLSVersion::TLS10, "tls1.0" },
+    { LibsslTLSVersion::TLS11, "tls1.1" },
+    { LibsslTLSVersion::TLS12, "tls1.2" },
+    { LibsslTLSVersion::TLS13, "tls1.3" }
+  };
+
+  const auto& it = versions.find(version);
+  if (it == versions.end()) {
+    throw std::runtime_error("Unknown TLS version (" + std::to_string((int)version) + ")");
+  }
+  return it->second;
+}
+
 bool libssl_set_min_tls_version(std::unique_ptr<SSL_CTX, void(*)(SSL_CTX*)>& ctx, LibsslTLSVersion version)
 {
 #if (OPENSSL_VERSION_NUMBER >= 0x1010000fL && !defined LIBRESSL_VERSION_NUMBER)
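Review bot: The cast in the error message on the throw line is C-style, `(int)version`; in this codebase's C++ `static_cast<int>(version)` is the greppable and intent-revealing form. Two lines above it, `const auto& it = versions.find(version);` binds a reference to the temporary iterator returned by `find`, which is legal but reads as if `it` aliased something in the map; plain `auto it = versions.find(version);` says what is meant. The function depends on `std::map` and `std::to_string`, so `<map>` and `<string>` should be included by this file or its header (not visible in the hunk). The body is complete within the hunk.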
@@ -297,7 +313,11 @@ bool libssl_set_min_tls_version(std::unique_ptr<SSL_CTX, void(*)(SSL_CTX*)>& ctx
     vers = TLS1_2_VERSION;
     break;
   case LibsslTLSVersion::TLS13:
+#ifdef TLS1_3_VERSION
     vers = TLS1_3_VERSION;
+#else
+    return false;
+#endif /* TLS1_3_VERSION */
     break;
   default:
     return false;
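Review bot: In the `#else` branch of the new `#ifdef TLS1_3_VERSION` block the `break;` that follows `return false;` is unreachable, which some warning levels flag; moving the `break;` up into the `#ifdef` branch, directly after `vers = TLS1_3_VERSION;`, keeps each preprocessor branch self-contained and removes the dead statement. A short comment on the `#else` line, such as `/* TLS 1.3 needs OpenSSL >= 1.1.1 */`, would record why this case can fail while the others cannot. libssl_set_min_tls_version starts and ends outside this hunk, so whether the non-1.1.0 branch of the surrounding `#if` rejects TLS 1.3 the same way cannot be confirmed here.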
index c5aa691002be4865b835542a3c554090aa54af35..835b3b395a0ab0f4b57224cb2c8d843cf3b63ff4 100644 (file)
@@ -409,7 +409,10 @@ public:
     SSL_CTX_set_tlsext_ticket_key_cb(d_tlsCtx.get(), &OpenSSLTLSIOCtx::ticketKeyCb);
     SSL_CTX_set_ex_data(d_tlsCtx.get(), s_ticketsKeyIndex, this);
     SSL_CTX_set_options(d_tlsCtx.get(), sslOptions);
-    libssl_set_min_tls_version(d_tlsCtx, fe.d_minTLSVersion);
+    if (!libssl_set_min_tls_version(d_tlsCtx, fe.d_minTLSVersion)) {
+      throw std::runtime_error("Failed to set the minimum version to '" + libssl_tls_version_to_string(fe.d_minTLSVersion) + "' for ths TLS context on " + fe.d_addr.toStringWithPort());
+    }
+
 #if defined(SSL_CTX_set_ecdh_auto)
     SSL_CTX_set_ecdh_auto(d_tlsCtx.get(), 1);
 #endif
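Review bot: The new error message contains a typo, "for ths TLS context", and omits that the version in question is a TLS version; suggested text: `throw std::runtime_error("Failed to set the minimum TLS version to '" + libssl_tls_version_to_string(fe.d_minTLSVersion) + "' for the TLS context on " + fe.d_addr.toStringWithPort());`. The constructor this code belongs to starts and ends outside the hunk.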
index b042fe9cf1f33b8a9d13a279b9b3c9c69bbb23da..f0cdd16979f570f8e0a8e138334b605d1a24919d 100644 (file)
@@ -25,6 +25,7 @@ bool libssl_generate_ocsp_response(const std::string& certFile, const std::strin
 #endif
 
 LibsslTLSVersion libssl_tls_version_from_string(const std::string& str);
+const std::string& libssl_tls_version_to_string(LibsslTLSVersion version);
 bool libssl_set_min_tls_version(std::unique_ptr<SSL_CTX, void(*)(SSL_CTX*)>& ctx, LibsslTLSVersion version);
 
 #endif /* HAVE_LIBSSL */
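Review bot: The new declaration of `libssl_tls_version_to_string` says nothing about its contract, and callers in this commit use it while building exception messages, so a one-line comment above it would help: `/* Returns the name of a TLS version (for example "tls1.3"); the reference is to static storage. Throws std::runtime_error for an unknown version. */`. Since this commit exists because the `bool` result of `libssl_set_min_tls_version` on the next line was previously ignored, marking that declaration `[[nodiscard]]` would have the compiler catch the next such omission, provided the project's C++ standard allows the attribute.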