Maintained by: NLnet Labs

no unbound-control without certificates?

W.C.A. Wijngaards
Thu Nov 3 15:00:47 CET 2016


Hi Andreas,

Unbound sets SSL_CTX_set_cipher_list(rc->ctx, "aNULL") in
daemon/remote.c, you can get the list of aNULL ciphers(1) with
$ openssl ciphers aNULL
For me that is a long list of ciphers.

I do not really know what the correct list is to set here.  It seems
reasonable that authentication has already been handled by dh and unix
socket.

Best regards, Wouter

On 03/11/16 14:38, A. Schulze via Unbound-users wrote:
> 
> Hello,
> 
> after update from 1.5.9 to 1.5.10 "unbound-control reload" no longer works:
> 
> the relevant unbound.conf section:
>     remote-control:
>       control-enable: yes
>       control-interface: /path/to/unbound-control.socket
>       control-use-cert: no
> 
> # ls -la /path/to/unbound-control.socket
> srw-rw---- 1 unbound unbound 0 Nov  3 14:24 /path/to/unbound-control.socket
> 
> # unbound-control reload
> error: SSL handshake failed
> 140666240513792:error:141640B5:SSL routines:tls_construct_client_hello:no ciphers available:ssl/statem/statem_clnt.c:815:
> 
> Andreas
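
A configuration check for the setup discussed in this thread, as an added example that is not part of the original messages or of Unbound's code: with `control-use-cert: no` the control channel carries no certificate authentication, so the script flags such a channel when it is a network listener or a unix socket accessible to other users. The function names and the policy are assumptions made for illustration; the sample configuration is constructed from the quoted one.

```python
import stat

# Constructed sample, modelled on the remote-control section quoted above.
SAMPLE_CONF = """\
server:
    verbosity: 1
remote-control:
    control-enable: yes
    control-interface: /path/to/unbound-control.socket
    control-use-cert: no
"""

def remote_control_options(conf_text):
    """Collect the options of the remote-control: clause (hypothetical helper)."""
    opts, in_clause = {}, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if not value:                            # clause header, e.g. "server:"
            in_clause = key == "remote-control"
        elif in_clause:
            opts.setdefault(key, []).append(value)
    return opts

def audit(conf_text, socket_mode=None):
    """Return findings for a control channel that runs without certificates.

    socket_mode is the st_mode of the control socket, e.g. os.stat(path).st_mode.
    """
    opts = remote_control_options(conf_text)
    if opts.get("control-enable", ["no"])[-1] != "yes":
        return []
    if opts.get("control-use-cert", ["yes"])[-1] != "no":
        return []
    findings = []
    # Without control-interface, unbound listens on localhost (127.0.0.1 and ::1).
    for iface in opts.get("control-interface", ["127.0.0.1", "::1"]):
        if not iface.startswith("/"):
            findings.append(f"{iface}: network listener without certificates")
        elif socket_mode is None:
            findings.append(f"{iface}: socket permissions not checked")
        elif not stat.S_ISSOCK(socket_mode):
            findings.append(f"{iface}: path is not a unix socket")
        elif socket_mode & stat.S_IRWXO:
            findings.append(f"{iface}: socket is accessible to other users")
    return findings
```

The `srw-rw----` socket shown in the quoted `ls -la` output corresponds to `stat.S_IFSOCK | 0o660`, for which `audit` returns no findings.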

