Dynamic DNS Hardening on 17.1.2+

Started by fabian, March 03, 2017, 07:48:19 PM

March 03, 2017, 07:48:19 PM Last Edit: March 03, 2017, 09:53:03 PM by fabian
Dear OPNsense users,

On a pull request we got, we found out that dynamic DNS has TLS certificate checks disabled for most services.
I have tested some of them to see whether the certificate of the service is trusted*.
First of all the good news: most of the tested services are trusted. But there is a downside: some services experience issues when you use LibreSSL. The bug is already fixed in LibreSSL, but it has not gone upstream yet as a production release.

I have enabled the certificate checks again on some services; this will go into the beta series of 17.7 and will be finally released then. In the meantime we would be glad to hear some feedback on whether the patch is working. You may install it on your device via
opnsense-patch f0f65fc

Find the full commit here to see which services are affected:
https://github.com/opnsense/core/commit/f0f65fc9ad1d7750bf1cb50d470accab93a9afd5

Stay safe

Fabian


* I used cURL on the command line, which should use the same trust store as the scripts of OPNsense.
If you want to test the connection by yourself, run
curl -v "https://example.com"
-v is for verbose, so the shell will show the result of the HTTPS handshake.

Edit: removed dot from command
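Added example, not part of fabian's post or of OPNsense itself: a small POSIX shell script that does the same check the footnote describes with `curl -v`, but for a list of endpoints at once, and translates curl's exit code into a plain verdict so the output can be scripted. The endpoint list and the `--run` switch are assumptions of this example; replace the hostnames with the update URLs of the dynamic DNS services you actually use.

```shell
#!/bin/sh
# Added example (not from the original post or from OPNsense): verify that the
# TLS certificate of each dynamic DNS endpoint is trusted by the local CA store,
# the same way "curl -v https://..." does, and turn curl's exit code into a verdict.

# Map a curl exit code to a verdict.  Codes as documented in curl(1):
#   0  = request succeeded, certificate verified
#   60 = peer certificate cannot be authenticated with the known CA certificates
#   51 = certificate (e.g. host name) check failed in older curl releases;
#        newer curl reports this as 60 as well
#   35 = TLS handshake failed (this is where LibreSSL interop problems show up)
#   6/7/28 = resolve, connect or timeout errors: no certificate verdict at all
tls_verdict() {
    case "$1" in
        0)      echo "trusted" ;;
        60)     echo "UNTRUSTED: certificate not signed by a CA in the trust store" ;;
        51)     echo "UNTRUSTED: certificate or host name check failed" ;;
        35)     echo "HANDSHAKE FAILED: TLS negotiation error" ;;
        6|7|28) echo "UNREACHABLE: network error (curl exit code $1)" ;;
        *)      echo "UNKNOWN: curl exit code $1" ;;
    esac
}

# Return 0 only for a trusted verdict, so callers can use it in an if/&&.
tls_ok() {
    case "$1" in
        trusted) return 0 ;;
        *)       return 1 ;;
    esac
}

# Run the check against one URL.  Certificate verification is curl's default;
# never add -k/--insecure here, that is exactly the setting the patch removes.
check_endpoint() {
    url="$1"
    rc=0
    curl --silent --show-error --output /dev/null --max-time 15 "$url" 2>/dev/null || rc=$?
    tls_verdict "$rc"
}

# Constructed sample list (assumption of this example); replace with the
# update endpoints of the services configured under Services > Dynamic DNS.
ENDPOINTS="https://example.com https://example.org"

# Only reach out to the network when explicitly asked to.
if [ "${1:-}" = "--run" ]; then
    failed=0
    for url in $ENDPOINTS; do
        verdict=$(check_endpoint "$url")
        printf '%-28s %s\n' "$url" "$verdict"
        tls_ok "$verdict" || failed=1
    done
    exit "$failed"
fi
```

Run it as `sh check_ddns_tls.sh --run`; the exit status is non-zero if any endpoint is not trusted, which makes it easy to drop into a cron job or a monitoring check after applying the patch.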