Re: [Fwd: Re: request for info: unbound via https / tls]

public inbox for development@lists.ipfire.org
 help / color / mirror / Atom feed

From: ummeegge <ummeegge@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [Fwd: Re: request for info: unbound via https / tls]
Date: Tue, 11 Dec 2018 20:43:13 +0100	[thread overview]
Message-ID: <b9773a04f198cfd3ecc0b5562a9a1dfeb1eeff7d.camel@ipfire.org> (raw)
In-Reply-To: <BED9DA78-3B6B-4EE6-849B-6F5BF700689D@ipfire.org>

[-- Attachment #1: Type: text/plain, Size: 4540 bytes --]

Hi Michael,
tried that now with this one -->
https://people.ipfire.org/~ummeegge/screenshoots/dns-over-tls_wui.png

... the HTML formatting kills me :D ...

and it looks now good:

$ kdig -d @81.3.27.54 +tls-ca=/etc/ssl/certs/ca-bundle.crt +tls-host=rec1.dns.lightningwirelabs.com google.com
;; DEBUG: Querying for owner(google.com.), class(1), type(1), server(81.3.27.54), port(853), protocol(TCP)
;; DEBUG: TLS, imported 129 certificates from '/etc/ssl/certs/ca-bundle.crt'
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, CN=rec1.dns.lightningwirelabs.com
;; DEBUG:      SHA-256 PIN: pOvVkJSj6rWNPM0vR3hoJr/21kZI6TfImhowIEdcEUQ=
;; DEBUG:  #2, C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
;; DEBUG:      SHA-256 PIN: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted. 
;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(CHACHA20-POLY1305)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 1349
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: ; UDP size: 4096 B; ext-rcode: NOERROR

;; QUESTION SECTION:
;; google.com.         		IN	A

;; ANSWER SECTION:
google.com.         	151	IN	A	216.58.208.46

;; Received 55 B
;; Time 2018-12-11 20:30:29 CET
;; From 81.3.27.54(a)853(TCP) in 25.2 ms



Great, will update my dot.conf. 

As a beneath one, try it currently with a seperat CGI to have a better overview. 
Patched now as you suggested the 'write_forward_conf()' function, needed to disable 
nevertheless update_forwarder() function in initscript if forward.conf should be used
... (there is more)

Come back if things are cleaned/cleared up a little more but also better tested.

Best,

Erik



Am Dienstag, den 11.12.2018, 19:22 +0000 schrieb Michael Tremer:
> Hey,
> 
> Could you try that again? I removed the OCSP must-staple flag from
> the certificate.
> 
> -Michael
> 
> > On 10 Dec 2018, at 14:37, ummeegge <ummeegge(a)ipfire.org> wrote:
> > 
> > Great that you looked over it, have tested it again and the kdig
> > report
> > differs which looks now like this:
> > 
> > ;; DEBUG: Querying for owner(google.com.), class(1), type(1),
> > server(81.3.27.54), port(853), protocol(TCP)
> > ;; DEBUG: TLS, imported 128 certificates from '/etc/ssl/certs/ca-
> > bundle.crt'
> > ;; DEBUG: TLS, received certificate hierarchy:
> > ;; DEBUG:  #1, CN=rec1.dns.lightningwirelabs.com
> > ;; DEBUG:      SHA-256 PIN:
> > ZayzRhKLRWLL7v9QC0uEJEMomE572oNUuF4ocAxDQ7E=
> > ;; DEBUG:  #2, C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
> > ;; DEBUG:      SHA-256 PIN:
> > YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
> > ;; DEBUG: TLS, skipping certificate PIN check
> > ;; DEBUG: TLS, The certificate is NOT trusted. The certificate
> > requires
> > the server to include an OCSP status in its response, but the OCSP
> > status is missing. 
> > ;; WARNING: TLS, handshake failed (Error in the certificate.)
> > ;; WARNING: failed to query server 81.3.27.54(a)853(TCP)
> > 
> > Exit status: 0
> > 
> > May this is helpful for you.
> > 
> > Best,
> > 
> > Erik
> > 
> > Am Montag, den 10.12.2018, 13:26 +0000 schrieb Michael Tremer:
> > > Hey,
> > > 
> > > Thanks for reporting.
> > > 
> > > > On 10 Dec 2018, at 12:32, ummeegge <ummeegge(a)ipfire.org> wrote:
> > > > 
> > > > A question,
> > > > what happens with DoT on Lightningwirelabs -->
> > > > 
> > 
> > 
https://www.lightningwirelabs.com/2018/05/03/dns-over-tls-now-available-on-our-resolvers
> > > > ?
> > > > I get there an
> > > > 
> > > > $ kdig -d @81.3.27.54 +tls-ca=/etc/ssl/certs/ca-bundle.crt
> > > > +tls-
> > > > host="ns1.lightningwirelabs.com" google.com;
> > > > ;; DEBUG: Querying for owner(google.com.), class(1), type(1),
> > > > server(81.3.27.54), port(853), protocol(TCP)
> > > > ;; DEBUG: TLS, imported 128 certificates from
> > > > '/etc/ssl/certs/ca-
> > > > bundle.crt'
> > > > ;; WARNING: can't connect to 81.3.27.54(a)853(TCP)
> > > > ;; WARNING: failed to query server 81.3.27.54(a)853(TCP)
> > > 
> > > I recently made a change which caused that unbound didn’t listen
> > > on
> > > the TLS port any more.
> > > 
> > > I fixed that now.
> > > 
> > > The correct host name for that server is
> > > rec1.dns.lightningwirelabs.com.
> > > 
> > > -Michael
> > > 
> > > > .
> > > > 
> > > > Best,
> > > > 
> > > > Erik
> > > > 
> > > 
> > > 
> 
>

next prev parent reply	other threads:[~2018-12-11 19:43 UTC|newest]

Thread overview: 28+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <1525184928.3530.13.camel@gmail.com>
2018-05-01 14:33 ` Paul Simmons
2018-05-01 14:40   ` Peter Müller
2018-05-01 17:16     ` Paul Simmons
2018-05-03 16:03       ` Michael Tremer
2018-12-02 19:10     ` ummeegge
2018-12-02 20:23       ` Paul Simmons
2018-12-04 14:01         ` ummeegge
2018-12-04 16:19           ` Peter Müller
2018-12-05  7:35             ` ummeegge
2018-12-09 20:08               ` ummeegge
2018-12-10  0:21                 ` Michael Tremer
2018-12-10 11:30                   ` ummeegge
2018-12-10  0:21               ` Michael Tremer
2018-12-10 12:14                 ` ummeegge
2018-12-10 12:32                   ` ummeegge
2018-12-10 13:26                     ` Michael Tremer
2018-12-10 14:37                       ` ummeegge
2018-12-11 19:22                         ` Michael Tremer
2018-12-11 19:43                           ` ummeegge [this message]
2018-12-11 19:54                             ` Michael Tremer
2018-12-12 13:42                               ` ummeegge
2018-12-12 15:25                                 ` Michael Tremer
2018-12-12 17:44                                   ` ummeegge
2018-12-13  6:52                                     ` ummeegge
2018-12-13 16:26                                       ` Michael Tremer
2018-12-10 13:37                   ` Michael Tremer
2018-12-11  2:01                   ` Paul Simmons
2018-12-11 20:09                     ` ummeegge

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=b9773a04f198cfd3ecc0b5562a9a1dfeb1eeff7d.camel@ipfire.org \
    --to=ummeegge@ipfire.org \
    --cc=development@lists.ipfire.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox