4. DNS over TLS with SSL validation is working in 2.4.4-RELEASE!!!

DNS over TLS with SSL validation is working in 2.4.4-RELEASE!!!

  • B

    Unbound in 2.4.4-RELEASE has apparently been updated to a version containing the new code to check certificates on peers when using DNS over TLS. To activate this functionality, the following should be added to the custom options section:

    server:
    tls-cert-bundle: /usr/local/share/certs/ca-root-nss.crt

    There should be a toggle in the GUI to activate this option.

    Here is what a validation looks like with logging set to "4" and newest entries first:

    0_1538301738314_Screen Shot 2018-09-30 at 5.59.44 AM.png

    Reference:
    https://www.ctrl.blog/entry/unbound-tls-forwarding

    1
  • Rebel Alliance Developer Netgate

    It looks nice but it isn't actually doing anything. It won't reject a failure like it should.

    See https://redmine.pfsense.org/issues/8030

    It silently approves everything, even if it doesn't match.

    1
  • B

    Yes, this is true, but I'm excited to see that things are moving in the right direction. It is still possible to confirm certs visually in the logs. This feature will be a huge asset when the code matures. I'm not sure how fast the features will make it into pfSense absent another rebase. I'm hoping that FreeBSD sees fit to propagate the code back, but I don't know their policies on backporting features like that.

    0
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy