TLS and local unbound-control

W.C.A. Wijngaards wouter at nlnetlabs.nl
Mon May 7 09:33:01 UTC 2018


Hi Marc,

On 04/05/18 23:19, Simon Deziel via Unbound-users wrote:
> On 2018-05-04 04:41 PM, Marc Branchaud wrote:
>> On 2018-05-04 04:21 PM, Simon Deziel via Unbound-users wrote:
>>> Hi Marc,
>>>
>>> On 2018-05-04 04:12 PM, Marc Branchaud via Unbound-users wrote:
>>>> So I'd like to request that: (a) unbound-control avoids using TLS when
>>>> communicating over a local socket
>>> You can use "control-use-cert: no" in the remote-control section.

The code tries to set the eNULL cipher, which would not have the
slowdown.  In openssl 1.1.0 it then sets SSL_CTX_set_security_level(0)
and this allows the eNULL cipher.  At 1.0.0 that call is not available.
At 1.1.1, TLSv1.3 doesn't allow eNULL or security level 0, and the
code sets TLSv1.2 too.

So, if you upgrade openssl, the problem may go away, as eNULL likely
doesn't tax the machine so much.  An option to not write lines to the log
when the stats timeout is reached is certainly possible;
shm-squelch-stats-to-log or so?  Or should shm enabled always squelch
stats written to the log, unless verbosity is suitably high (4 or so)?

Best regards, Wouter

>>
>> (Sorry for the duplicate, Simon -- replying to the list this time.)
>>
>> Thanks, I'd neglected to mention my remote config.  I do have that
>> already set to no:
>>
>>     remote-control:
>>         control-enable: yes
>>         control-use-cert: no
> 
> I just tested "control-use-cert: no" locally. `unbound-control status`
> says "options: control(ssl)" but strace'ing the process shows no access
> to the control cert/key. Toggling it to yes shows it in strace. So it
> seems to work here despite having misleading status output.
> 
> Simon
> 
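The "control-use-cert: no" workaround discussed in this thread drops the certificate authentication of unbound-control, so it is only acceptable when the control channel cannot leave the host. The following POSIX sh audit is an added example, not code from the thread or from Unbound; it assumes that an absent control-interface means localhost and that an absolute path as control-interface denotes a unix socket.

```shell
# Added example: audit the remote-control section of an unbound.conf.
# Verdicts: tls   -> control-use-cert is yes (default), TLS with client cert
#           ok    -> cert disabled, but every control-interface is local
#           risky -> cert disabled and a control-interface is reachable
#                    from the network (plain-text, unauthenticated control)
audit_remote_control() {
    # Reads the config on stdin; prints the verdict, returns 1 only for risky.
    conf=$(cat)
    use_cert=$(printf '%s\n' "$conf" \
        | sed -n 's/^[[:space:]]*control-use-cert:[[:space:]]*\([a-zA-Z]*\).*/\1/p' \
        | tail -n 1)
    [ -z "$use_cert" ] && use_cert=yes          # unbound default is yes
    if [ "$use_cert" != no ]; then echo tls; return 0; fi
    ifaces=$(printf '%s\n' "$conf" \
        | sed -n 's/^[[:space:]]*control-interface:[[:space:]]*\([^[:space:]#]*\).*/\1/p')
    [ -z "$ifaces" ] && ifaces=127.0.0.1        # assumption: default is localhost
    for i in $ifaces; do
        case "$i" in
            127.*|::1|/*) ;;                    # loopback or unix socket path (assumed)
            *) echo risky; return 1 ;;
        esac
    done
    echo ok
}

# Constructed sample configurations (not real deployments).
CONF_LOCAL='server:
    verbosity: 1
remote-control:
    control-enable: yes
    control-use-cert: no'

CONF_SOCKET='remote-control:
    control-enable: yes
    control-interface: /run/unbound.ctl
    control-use-cert: no'

CONF_EXPOSED='remote-control:
    control-enable: yes
    control-interface: 0.0.0.0
    control-use-cert: no   # cert auth off on a network-facing interface'

CONF_DEFAULT='remote-control:
    control-enable: yes'

for c in "$CONF_LOCAL" "$CONF_SOCKET" "$CONF_EXPOSED" "$CONF_DEFAULT"; do
    printf '%s\n' "$c" | audit_remote_control \
        || echo "  -> bind control-interface to localhost or set control-use-cert: yes"
done
```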

