From: Remi Gacogne
Date: Wed, 28 Aug 2019 09:03:44 +0000 (+0200)
Subject: dnsdist: TLS 1.3 requires OpenSSL 1.1.1.
X-Git-Tag: dnsdist-1.4.0-rc2~6^2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=656a5e55369073a9fea8d349a06947c484998e9d;p=pdns
dnsdist: TLS 1.3 requires OpenSSL 1.1.1.
---
diff --git a/pdns/dnsdistdist/doh.cc b/pdns/dnsdistdist/doh.cc
index 1f8f64e10..d918d531c 100644
--- a/pdns/dnsdistdist/doh.cc
+++ b/pdns/dnsdistdist/doh.cc
@@ -897,7 +897,9 @@ static std::unique_ptr getTLSContext(const std::vect
 SSL_OP_SINGLE_ECDH_USE;
 SSL_CTX_set_options(ctx.get(), sslOptions);
- libssl_set_min_tls_version(ctx, minTLSVersion);
+ if (!libssl_set_min_tls_version(ctx, minTLSVersion)) {
+ throw std::runtime_error("Failed to set the minimum version to '" + libssl_tls_version_to_string(minTLSVersion) + "' for DoH listener");
+ }
 #ifdef SSL_CTX_set_ecdh_auto
 SSL_CTX_set_ecdh_auto(ctx.get(), 1);
diff --git a/pdns/dnsdistdist/libssl.cc b/pdns/dnsdistdist/libssl.cc
index d7561578e..e77e0dd22 100644
--- a/pdns/dnsdistdist/libssl.cc
+++ b/pdns/dnsdistdist/libssl.cc
@@ -281,6 +281,22 @@ LibsslTLSVersion libssl_tls_version_from_string(const std::string& str)
 throw std::runtime_error("Unknown TLS version '" + str);
 }
+const std::string& libssl_tls_version_to_string(LibsslTLSVersion version)
+{
+ static const std::map versions = {
+ { LibsslTLSVersion::TLS10, "tls1.0" },
+ { LibsslTLSVersion::TLS11, "tls1.1" },
+ { LibsslTLSVersion::TLS12, "tls1.2" },
+ { LibsslTLSVersion::TLS13, "tls1.3" }
+ };
+
+ const auto& it = versions.find(version);
+ if (it == versions.end()) {
+ throw std::runtime_error("Unknown TLS version (" + std::to_string((int)version) + ")");
+ }
+ return it->second;
+}
+
 bool libssl_set_min_tls_version(std::unique_ptr& ctx, LibsslTLSVersion version)
 {
 #if (OPENSSL_VERSION_NUMBER >= 0x1010000fL && !defined LIBRESSL_VERSION_NUMBER)
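Review bot: The new `throw` in getTLSContext does not say which DoH listener failed, while the matching check in tcpiohandler.cc appends `fe.d_addr.toStringWithPort()`; if the listener address is reachable from getTLSContext (its parameter list is cut off in the hunk header) it would be worth appending it here too, so the misconfigured listener can be found from the log. Note also that `libssl_tls_version_to_string` itself throws for a value outside the known enumerators, so in that one case the "Failed to set the minimum version" message would be replaced by "Unknown TLS version" and the listener context is lost; acceptable, but worth knowing when reading logs. getTLSContext starts and ends outside the hunk.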
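Review bot: `std::to_string((int)version)` in the added libssl_tls_version_to_string uses a C-style cast; the named form `std::to_string(static_cast<int>(version))` is what the rest of a modern C++ codebase expects and is greppable. Two lines above, `const auto& it = versions.find(version);` binds a reference to the temporary iterator returned by find, which is valid through lifetime extension but reads as if it aliased storage inside the map; `const auto it = versions.find(version);` says what is meant. Since the four enumerators are a closed set, a `switch` on `version` returning a static string per case would also let the compiler flag a missing enumerator at build time instead of surfacing it as a runtime throw inside an error path; the map is fine if the table is expected to grow.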
@@ -297,7 +313,11 @@ bool libssl_set_min_tls_version(std::unique_ptr& ctx
 vers = TLS1_2_VERSION;
 break;
 case LibsslTLSVersion::TLS13:
+#ifdef TLS1_3_VERSION
 vers = TLS1_3_VERSION;
+#else
+ return false;
+#endif /* TLS1_3_VERSION */
 break;
 default:
 return false;
diff --git a/pdns/dnsdistdist/tcpiohandler.cc b/pdns/dnsdistdist/tcpiohandler.cc
index c5aa69100..835b3b395 100644
--- a/pdns/dnsdistdist/tcpiohandler.cc
+++ b/pdns/dnsdistdist/tcpiohandler.cc
@@ -409,7 +409,10 @@ public:
 SSL_CTX_set_tlsext_ticket_key_cb(d_tlsCtx.get(), &OpenSSLTLSIOCtx::ticketKeyCb);
 SSL_CTX_set_ex_data(d_tlsCtx.get(), s_ticketsKeyIndex, this);
 SSL_CTX_set_options(d_tlsCtx.get(), sslOptions);
- libssl_set_min_tls_version(d_tlsCtx, fe.d_minTLSVersion);
+ if (!libssl_set_min_tls_version(d_tlsCtx, fe.d_minTLSVersion)) {
+ throw std::runtime_error("Failed to set the minimum version to '" + libssl_tls_version_to_string(fe.d_minTLSVersion) + "' for ths TLS context on " + fe.d_addr.toStringWithPort());
+ }
+
 #if defined(SSL_CTX_set_ecdh_auto)
 SSL_CTX_set_ecdh_auto(d_tlsCtx.get(), 1);
 #endif
diff --git a/pdns/libssl.hh b/pdns/libssl.hh
index b042fe9cf..f0cdd1697 100644
--- a/pdns/libssl.hh
+++ b/pdns/libssl.hh
@@ -25,6 +25,7 @@ bool libssl_generate_ocsp_response(const std::string& certFile, const std::strin
 #endif
 LibsslTLSVersion libssl_tls_version_from_string(const std::string& str);
+const std::string& libssl_tls_version_to_string(LibsslTLSVersion version);
 bool libssl_set_min_tls_version(std::unique_ptr& ctx, LibsslTLSVersion version);
 #endif /* HAVE_LIBSSL */
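Review bot: When TLS1_3_VERSION is undefined the `return false;` under `#else` leaves the following `break;` unreachable, which some toolchains flag under -Wunreachable-code; moving the `break;` into the `#ifdef` branch avoids that: `#ifdef TLS1_3_VERSION` / `vers = TLS1_3_VERSION; break;` / `#else` / `return false;` / `#endif`. Also note this guard is against the headers dnsdist was compiled with, not the libssl loaded at runtime, so a build against 1.1.1 headers that runs against an older library still reaches the code below; whether a 1.3 minimum is then rejected presumably depends on the return value of the call that consumes `vers` further down, which is outside the hunk and worth checking. libssl_set_min_tls_version starts and ends outside the hunk.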
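Review bot: The new error message in the `throw` has a typo, `"' for ths TLS context on "` should be `"' for the TLS context on "`; this string reaches the operator's log so it is worth fixing before release. The check itself is the right behaviour: the frontend now fails at startup instead of silently running with a lower minimum than the configured `fe.d_minTLSVersion`. The enclosing function (in a `public:` section per the hunk header) starts and ends outside the hunk.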
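Review bot: The new declaration of `libssl_tls_version_to_string` carries no comment saying that it returns a reference to a static string and throws `std::runtime_error` for a value outside the known enumerators, which callers using it inside a throw expression should know; suggest adding `/* Returns the configuration name of the TLS version (e.g. "tls1.2"); throws std::runtime_error for an unknown value */` above the declaration, matching the neighbouring `libssl_tls_version_from_string` once it is documented the same way.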