RHEL-147790

Unbound has disabled TLS 1.2 in default configuration


    • Type: Bug
    • Resolution: Unresolved
    • rhel-10.2
    • rhel-9.8, rhel-10.2
    • unbound
    • unbound-1.24.2-7.el10
    • Important
    • rhel-net-perf
    • Bug Fix
      Cause: The rebase contained explicit disabling of the TLS 1.2 protocol version.
      Consequence: TLS 1.2 would be disabled on the server sockets of an unbound instance providing a DNS over TLS server.
      Fix: Unbound was changed to leave TLS protocol disabling to the default crypto-policy mode. This makes it possible to allow not only TLS 1.2, but also TLS 1.1 in the LEGACY policy again.
      Result: Older protocols are accepted on TLS server sockets again and follow the crypto-policy.
    • Proposed

      What were you trying to do that didn't work?

      Clients without TLS 1.3 support are no longer accepted since the unbound rebase. That could be a problem.

      What is the impact of this issue to you?

      This might seem like a regression to any client.

      Please provide the package NVR for which the bug is seen:

      unbound-1.24.2-3.el10

      How reproducible is this bug?:

      100% reliable

      Steps to reproduce

      1. Enable tls-port: 853 and specify tls-service-key and tls-service-pem with a certificate; this may be the unbound-generated one used for the control channel.
      2. openssl s_client -connect localhost:853 -tls1_2 </dev/null

      Expected results

      It works in version unbound-1.20.0-15.el10_1.x86_64:

      # openssl s_client -connect localhost:853 -tls1_3 </dev/null || echo "Failed!"
      ...
      read R BLOCK
      DONE

      Actual results

      According to the upstream changelog, this should not be possible in version 1.24.2 without explicit configuration:

      # openssl s_client -connect localhost:853 -tls1_2 </dev/null || echo "Failed!"
      Connecting to ::1
      CONNECTED(00000003)
      40372EFE067F0000:error:0A00042E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:918:SSL alert number 70
      ---
      no peer certificate available
      ---
      No client certificate CA names sent
      ---
      SSL handshake has read 7 bytes and written 175 bytes
      Verification: OK
      ---
      New, (NONE), Cipher is (NONE)
      Protocol: TLSv1.2
      Secure Renegotiation IS NOT supported
      Compression: NONE
      Expansion: NONE
      No ALPN negotiated
      SSL-Session:
          Protocol  : TLSv1.2
          Cipher    : 0000
          Session-ID: 
          Session-ID-ctx: 
          Master-Key: 
          PSK identity: None
          PSK identity hint: None
          SRP username: None
          Start Time: 1770644157
          Timeout   : 7200 (sec)
          Verify return code: 0 (ok)
          Extended master secret: no
      ---
      Failed!
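The reproduction steps above pin one protocol version per openssl s_client call and read the outcome by eye. The POSIX shell script below is an added example (it is not part of the bug report, of the linked test, or of unbound) that runs the same probe for every TLS version openssl can pin, classifies each handshake from the s_client output, and carries its own constructed sample outputs (modelled on the transcript above) so the classifier can be checked without a live server. It assumes the openssl CLI is installed and that the server listens on localhost:853 as in the steps above; the function names are this example's own. After the fix, a server under the DEFAULT crypto-policy should report -tls1_2 and -tls1_3 as accepted; -tls1 and -tls1_1 should be rejected under DEFAULT, and may show as error rather than rejected when the client's own crypto-policy refuses to offer them.

```shell
#!/bin/sh
# Added example, not from the bug report: probe a DNS-over-TLS server with
# each pinned TLS version and classify the outcome, so the behaviour reported
# above can be checked before and after the fix.
# Assumes: openssl CLI installed; host/port default to localhost:853 as in
# the reproduction steps. All function names are this example's own.

# classify_handshake: reads openssl s_client output on stdin and prints
#   rejected - the server sent a protocol_version alert (SSL alert number 70),
#              as in the "Actual results" transcript above
#   accepted - a cipher was negotiated, i.e. the handshake completed
#   error    - anything else (connection refused, no cipher, unknown output)
classify_handshake() {
    out=$(cat)
    case "$out" in
        *"alert protocol version"*|*"SSL alert number 70"*) echo rejected ;;
        *"Cipher is (NONE)"*) echo error ;;
        *"Cipher is "*) echo accepted ;;
        *) echo error ;;
    esac
}

# probe_version HOST PORT FLAG: one handshake with a pinned version flag
# (-tls1, -tls1_1, -tls1_2 or -tls1_3), classified as above.
probe_version() {
    openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1 | classify_handshake
}

# probe_all HOST PORT: prints one "FLAG RESULT" line per protocol version.
probe_all() {
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        printf '%s %s\n' "$flag" "$(probe_version "$1" "$2" "$flag")"
    done
}

# Constructed sample outputs (abridged, shaped like the transcript above) so
# the classifier can be exercised offline.
sample_rejected() {
    printf '%s\n' 'CONNECTED(00000003)' \
      'error:0A00042E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:SSL alert number 70' \
      '---' 'New, (NONE), Cipher is (NONE)' 'Protocol: TLSv1.2'
}
sample_accepted() {
    printf '%s\n' 'CONNECTED(00000003)' '---' \
      'New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384' 'Protocol: TLSv1.2' 'DONE'
}
sample_refused() {
    printf '%s\n' 'Connecting to ::1' 'connect:errno=111'
}

# self_check: returns 0 when all three constructed samples are classified
# as expected (rejected / accepted / error).
self_check() {
    [ "$(sample_rejected | classify_handshake)" = rejected ] &&
    [ "$(sample_accepted | classify_handshake)" = accepted ] &&
    [ "$(sample_refused  | classify_handshake)" = error ]
}

# Usage: sh probe-dot.sh [HOST [PORT]]   (no arguments: run only the self-check)
if [ $# -ge 1 ]; then
    probe_all "$1" "${2:-853}"
else
    self_check && echo "self-check passed"
fi
```

Run it as `sh probe-dot.sh localhost 853` on the DoT host; a line reading `-tls1_2 rejected` reproduces the regression, while `-tls1_2 accepted` alongside `-tls1_3 accepted` is the expected state once the crypto-policy, not unbound, decides the minimum version.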

       

      Created automated test: centos, Sanity/tls-server; https://gitlab.com/redhat/centos-stream/tests/unbound/-/merge_requests/21

       

              Petr Mensik (pemensik@redhat.com)
              Ondrej Mejzlik
              Lucie Varakova
              Votes: 0
              Watchers: 8