RE: XoT Testing: TLS peer certificate verification failed

2025-03-04 Thread Klaus Darilion via bind-users
I think I have solved the mystery: Bind (or openssl, whoever does the validation) requires a Subject Alternative Name. Regardless of whether using the hostname or the IP address, they must be in the subject alternative name. When using self-signed certificates, it is probably best to put both in the SAN.

Re: XoT Testing: TLS peer certificate verification failed

2025-03-04 Thread Petr Špaček
I think I have solved the mystery: Bind (or openssl, whoever does the validation) requires a Subject Alternative Name. Regardless of whether using the hostname or the IP address, they must be in the subject alternative name. When using self-signed certificates, it is probably best to put both in the SAN.

Re: XoT Testing: TLS peer certificate verification failed

2025-03-04 Thread Robert Wagner
I see this note and some examples on this page that include the DNS: option: http://wiki.cacert.org/FAQ/subjectAltName FAQ/subjectAltName (SAN) What is subjectAltName? subjectAltName specifies additional subject identities, but for host names (and everything else defined for subjectAltName):

RE: XoT Testing: TLS peer certificate verification failed

2025-03-04 Thread Klaus Darilion via bind-users
> -----Original Message----- > From: Petr Špaček > Sent: Tuesday, March 4, 2025 6:11 PM > To: Robert Wagner ; Klaus Darilion > > Cc: bind-us...@isc.org > Subject: Re: XoT Testing: TLS peer certificate verification failed > > > I think I have solved the mystery: Bind (or openssl, whoever does th

Re: Questions about CVE-2024-11187

2025-03-04 Thread Petr Špaček
On 04. 03. 25 9:53, Laszlo Szollosi wrote: Many thanks for your response. By mitigation, I mean we have seen an increase in resource utilization, but it would have been much worse without the 'minimal-responses' setting (reduced impact). By prevention, I mean we would not have had the impact a

Re: Is there any config to disable bind9 retry for rcode refused

2025-03-04 Thread Mark Andrews
Returning REFUSED to ANY is antisocial as it requires every resolver in the world to special case this. There are better mechanisms to deal with it like returning TC=1 or BADCOOKIE if there is only a client cookie or returning one of the RRsets at the name. -- Mark Andrews On 4 Mar 2025, at 18:21

Re: Questions about CVE-2024-11187

2025-03-04 Thread Laszlo Szollosi
Hi Petr, Many thanks for your response. By mitigation, I mean we have seen an increase in resource utilization, but it would have been much worse without the 'minimal-responses' setting (reduced impact). By prevention, I mean we would not have had the impact at all. By a spike, I mean the CPU util

Re: Questions about CVE-2024-11187

2025-03-04 Thread Laszlo Szollosi
Hi Petr, Thank you for the quick response. Yes, I said it before, the utilization stayed high. :) I checked it now and I can see increased network traffic, memory and disk utilization for the same time period. Kind Regards, Laszlo On Tue, 4 Mar 2025 at 09:14, Petr Špaček wrote: > On 04. 03. 25

Re: XoT Testing: TLS peer certificate verification failed

2025-03-04 Thread Ondřej Surý
Sounds like this: https://gitlab.isc.org/isc-projects/bind9/-/issues/3896 -- Ondřej Surý — ISC (He/Him) My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours. On 4. 3. 2025, at 10:01, Klaus Darilion via bind-users wrote:

RE: XoT Testing: TLS peer certificate verification failed

2025-03-04 Thread Klaus Darilion via bind-users
Could it be that the validation is just broken? Even when using dig, and explicitly using the hostname of the Primary (which uses its hostname in its certificate) in @... and tls-hostname, the verification fails due to hostname mismatch: # dig @xot-test-primary.ops.nic.at test.klaus +tls axfr +tl

RE: XoT Testing: TLS peer certificate verification failed

2025-03-04 Thread Klaus Darilion via bind-users
In my case it should not be SNI relevant, as the server only has 1 certificate to present. Anyways, I will now test with a certificate that uses the IP address in the Subject CN. Regards Klaus -- Klaus Darilion, Head of Operations nic.at GmbH, Jakob-Haringer-Straße 8/V 5020 Salzburg, Austria F