Topic: Dynamic DNS Hardening on 17.1.2+ (Read 3536 times)
fabian, OPNsense Contributor (Language, VPN, Proxy, etc.)
on: March 03, 2017, 07:48:19 pm
Dear OPNsense users,
On a pull request we got, we found out that dynamic DNS has TLS certificate checks disabled on most services.
I have tested some of them to see whether the certificate of the service is trusted*.
First of all the good news - most of the tested services are trusted. But there is a downside: some services experience issues when you use LibreSSL. The bug is already fixed in LibreSSL, but the fix has not gone upstream yet as a production release.
I have enabled the certificate checks again on some services and this will go into the beta series of 17.7 and will be finally released then. In the meantime we would be glad to hear some feedback on whether the patch is working. You may install it on your device via
Code:
opnsense-patch f0f65fc
Find the full commit here to see which services are affected:
https://github.com/opnsense/core/commit/f0f65fc9ad1d7750bf1cb50d470accab93a9afd5
Stay safe
Fabian
* I tried cURL on the command line, which should use the same trust store as the scripts of OPNsense.
If you want to test the connection yourself, run
Code:
curl -v "https://example.com"
-v is for verbose, so the shell will show the result of the HTTPS handshake.
Edit: removed dot from command
Last Edit: March 03, 2017, 09:53:03 pm by fabian
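The manual `curl -v` check from the post, extended to several URLs at once, as an added example that is not part of the original post or of OPNsense's code: it runs curl with certificate verification left on and maps curl's exit code to a verdict. The function names are hypothetical; pass the update URLs of the services you use as arguments.

```shell
#!/bin/sh
# Added example: batch TLS trust check with curl's default trust store.
# Usage: sh check-tls.sh https://service-one.example https://service-two.example

# Map a curl exit code to a verdict about the certificate check.
classify_curl_exit() {
    case "$1" in
        0)      echo "trusted" ;;            # handshake and verification succeeded
        35)     echo "handshake-failed" ;;   # TLS handshake failed before verification
        51|60)  echo "untrusted" ;;          # certificate chain or hostname not verified
        77)     echo "trust-store-error" ;;  # CA bundle missing or unreadable
        6|7|28) echo "unreachable" ;;        # DNS, connect or timeout: no TLS verdict
        *)      echo "other-error" ;;
    esac
}

# Probe one URL with verification ON (no -k / --insecure) and print the verdict.
check_endpoint() {
    rc=0
    curl --silent --output /dev/null --max-time 15 "$1" || rc=$?
    classify_curl_exit "$rc"
}

# Check every URL given; return non-zero if any of them is not "trusted".
main() {
    status=0
    for url in "$@"; do
        verdict=$(check_endpoint "$url")
        printf '%-18s %s\n' "$verdict" "$url"
        [ "$verdict" = "trusted" ] || status=1
    done
    return "$status"
}

if [ "$#" -gt 0 ]; then
    main "$@"
else
    echo "usage: $0 URL [URL...]" >&2
fi
```

A service reported as `untrusted` or `handshake-failed` is one to re-test by hand with `curl -v` to see where the handshake stops.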