OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: fabian on March 03, 2017, 07:48:19 pm

Title: Dynamic DNS Hardening on 17.1.2+
Post by: fabian on March 03, 2017, 07:48:19 pm
Dear OPNsense users,

On a pull request we got, we found out that dynamic DNS has TLS certificate checks disabled on most services.
I have tried some of them to see if the certificate of the service is trusted*.
First of all the good news - most of the tested services are trusted. But there is a downside: some services experience issues when you use LibreSSL. The bug is already fixed in LibreSSL but it has not gone upstream yet as a production release.

I have enabled the certificate checks again on some services and this will go into the beta series of 17.7 and will be finally released then. In the meantime we would be glad to hear some feedback if the patch is working. You may install it on your device via
Code:
    opnsense-patch f0f65fc
Find the full commit here to see which services are affected:
https://github.com/opnsense/core/commit/f0f65fc9ad1d7750bf1cb50d470accab93a9afd5

Stay safe

Fabian


* tried to use cURL on the command line which should use the same trust store as the scripts of OPNsense.
If you want to test the connection by yourself, run
Code:
    curl -v "https://example.com"
-v is for verbose, so the shell will show the result of the HTTPS handshake.

Edit: removed dot from command
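The manual curl check from the post, turned into a small script so several provider endpoints can be probed in one go. This is an added example and not part of the original post or of OPNsense itself; the hostnames in the usage line are placeholders, and the exit-code mapping relies on curl's documented exit statuses (0 verified, 35 handshake failure, 51 hostname mismatch, 60 untrusted CA). The script never passes -k/--insecure, so a non-zero verdict is exactly what the dynamic DNS client will hit once certificate checks are enabled.

```shell
#!/bin/sh
# Added example (not from the original post or from OPNsense): probe dynamic
# DNS provider endpoints with curl's default certificate verification and turn
# the exit status into a readable verdict. Hostnames given on the command line
# are placeholders for whatever providers you actually use.

# Map the curl exit codes that matter for TLS trust to a short verdict.
explain_curl_exit() {
    case "$1" in
        0)  echo "ok: certificate chain and hostname verified" ;;
        35) echo "handshake failed: TLS connect error (client/server incompatibility)" ;;
        51) echo "untrusted: certificate does not match the hostname" ;;
        60) echo "untrusted: certificate not signed by a CA in the trust store" ;;
        6)  echo "dns: could not resolve host" ;;
        7)  echo "network: could not connect" ;;
        28) echo "network: timed out" ;;
        *)  echo "curl exit $1: see the EXIT CODES section of 'man curl'" ;;
    esac
}

# Connect once with verification ON (curl's default), discard the body and
# print only the verdict. Do not add -k/--insecure here: that would reproduce
# the disabled check the patch removes.
check_tls_endpoint() {
    url=$1
    curl --silent --output /dev/null --max-time 15 "$url" 2>/dev/null
    rc=$?
    printf '%s\t%s\n' "$url" "$(explain_curl_exit "$rc")"
    return "$rc"
}

# Usage: ./check_ddns_tls.sh https://provider-a.example https://provider-b.example
# Exit status is the number of endpoints that did not verify.
if [ "$#" -gt 0 ]; then
    failures=0
    for u in "$@"; do
        check_tls_endpoint "$u" || failures=$((failures + 1))
    done
    exit "$failures"
fi
```

Run it on the OPNsense box itself rather than a workstation: the point of the check is the trust store and TLS library (OpenSSL or LibreSSL) that the dyndns scripts actually use, and a result that differs between the two is the LibreSSL-specific issue the post mentions.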