Maintained by: NLnet Labs

[Unbound-users] [PATCH] unbound remote control without SSL certificates

Ilya Bakulin
Fri Aug 17 14:05:41 CEST 2012


Hi,
we have another feature suggestion for unbound server :-)

Currently, unbound-control interacts with unbound using SSL-protected IP port. 
For this to function properly, certain SSL-related files should be generated 
and then maintained. These include client and server certificates and private 
keys.
However, when unbound-control and unbound both reside on the same machine, 
using SSL may be overkill. Of course, not always :) But in our case, 
when we have a product that contains an unbound server and needs to interact 
with it using unbound-control, we would really like to turn SSL off.

Actually, it's enough to use an SSL algorithm that does not require 
authentication; in this case we don't need certificates and keys. A list of 
such algorithms can be seen by typing 'openssl ciphers -v "aNULL"'.

The attached patch forces the use of any algorithm that doesn't require 
authentication when a certain option is present in the config file. I have 
called it 'control-use-cert'; it may be "yes" or "no". With this option it's 
possible to have a configuration like this:
>>>>>>>>>>>>>>>>>>>>>>>>
remote-control:
        control-enable: yes
        control-use-cert: no
>>>>>>>>>>>>>>>>>>>>>>>>
Note that the connection is still encrypted, but not authenticated. And we don't 
need to maintain any additional SSL-related files, which is good :-)

Another approach is disabling SSL completely, but that requires many 
additional if's in the source code, which is why I thought that modifying the SSL 
parameters is the way to go.

Please review the attached patch and post your suggestions!

Thanks!

--
Best regards,
Ilya Bakulin

genua
Gesellschaft fuer Netzwerk- und Unix-Administration mbH
Domagkstrasse 7, 85551 Kirchheim bei Muenchen
tel +49 89 991950-0, fax -999, www.genua.de
Geschaeftsfuehrer: Dr. Magnus Harlander, Dr. Michaela Harlander,
Bernhard Schneck. Amtsgericht Muenchen HRB 98238
-------------- next part --------------
A non-text attachment was scrubbed...
Name: unbound-nocert.diff
Type: text/x-diff
Size: 11778 bytes
Desc: not available
URL: <http://unbound.nlnetlabs.nl/pipermail/unbound-users/attachments/20120817/0bc34027/attachment.diff>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: This is a digitally signed message part.
URL: <http://unbound.nlnetlabs.nl/pipermail/unbound-users/attachments/20120817/0bc34027/attachment.pgp>
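As an added example, not part of Ilya's message, the attached patch or the Unbound sources: a small config audit that reads the remote-control: clause in the layout the message shows and reports when unbound-control would be talking over a channel that is encrypted but not authenticated, and whether that channel is bound beyond loopback. The sample configurations are constructed; the assumption that a missing control-interface means loopback is marked in the code.

```python
"""Audit an unbound.conf for the proposed 'control-use-cert' option.

Added example (not from the mailing-list post or the Unbound sources): it
parses the remote-control: clause as shown in the post and reports whether
unbound-control would use an encrypted-but-unauthenticated channel, and
whether that channel would be reachable from outside loopback.
"""

# Constructed sample config following the layout shown in the post.
SAMPLE_CONF_LOCAL = """\
server:
        verbosity: 1        # unrelated clause, must be ignored
remote-control:
        control-enable: yes
        control-use-cert: no
"""

# Constructed variant that exposes the control port on all interfaces.
SAMPLE_CONF_EXPOSED = """\
remote-control:
        control-enable: yes
        control-interface: 0.0.0.0
        control-use-cert: no        # trailing comment
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_remote_control(text):
    """Return {option: [values...]} for the remote-control: clause.

    unbound.conf puts clause names (server:, remote-control:) at column 0
    and their options indented beneath; '#' starts a comment.
    """
    opts = {}
    in_clause = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            # A column-0 line names a clause; track only remote-control:.
            in_clause = line.strip() == "remote-control:"
            continue
        if in_clause:
            key, _, value = line.strip().partition(":")
            opts.setdefault(key.strip(), []).append(value.strip().strip('"'))
    return opts


def audit_remote_control(text):
    """Return a list of findings; an empty list means nothing to report."""
    opts = parse_remote_control(text)
    # If an option is repeated, the last value is taken.
    enabled = opts.get("control-enable", ["no"])[-1].lower() == "yes"
    if not enabled:
        return []
    use_cert = opts.get("control-use-cert", ["yes"])[-1].lower() != "no"
    # Assumption: with no control-interface given, unbound listens on loopback.
    interfaces = opts.get("control-interface", ["127.0.0.1"])
    non_loopback = [i for i in interfaces if i not in LOOPBACK]
    findings = []
    if not use_cert:
        findings.append("control channel is encrypted but unauthenticated "
                        "(control-use-cert: no)")
        if non_loopback:
            findings.append("unauthenticated control channel reachable on "
                            + ", ".join(non_loopback))
    return findings


if __name__ == "__main__":
    for name, conf in (("local", SAMPLE_CONF_LOCAL),
                       ("exposed", SAMPLE_CONF_EXPOSED)):
        print(name, audit_remote_control(conf) or ["ok"])
```

Running it against the two constructed files gives one finding for the loopback-only case (the channel is unauthenticated, which is exactly the trade-off the message describes) and a second finding when control-interface is widened, which is the situation where dropping certificates stops being a local convenience.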