Hello George,
is there anything I could test/check/do to help?
Andreas
> Hello George,
> is there anything I could test/check/do to help?
> Andreas
HTTP works, HTTPS doesn't.
> Hello George,
> is there anything I could test/check/do to help?
Update:
I now set up
* a webserver that
  - fetches https://urlhaus.abuse.ch/downloads/rpz/ hourly
  - serves that file by http
* an unbound instance
  - configured to use the rpz from the http location
Turns out: the zonefile written by unbound *has* current data
... as expected ...
so only fetch by https is broken somehow.
Hi Andreas,
> HTTP works, HTTPS doesn't.
> Hello George,
> is there anything I could test/check/do to help?
I am afraid not. I am currently preoccupied with another bug but will get to this right after; will let you know.
> Update:
> I now set up
> * a webserver that
>   - fetches https://urlhaus.abuse.ch/downloads/rpz/ hourly
>   - serves that file by http
> * an unbound instance
>   - configured to use the rpz from the http location
> Turns out: the zonefile written by unbound *has* current data
> ... as expected ...
> so only fetch by https is broken somehow.
Thanks again for clarifying that!
I'll try to replicate with the systems you shared (Debian Bullseye and Debian Buster) and go from there.
-- George
Hi George,
Seems people are having issues with RPZ - can you advise when my particular one will be resolved? Is it the same as the https ones reported below?
It's been a while now...
Thanks.
Ray
Hi Andreas,
I should have caught that earlier since it is a fixed bug but now I had the time to look into it.
I could reproduce it easily with 1.13.1 and it seems you hit this (https://github.com/NLnetLabs/unbound/issues/429) bug which is already fixed on the master branch.
With the latest code from master I cannot reproduce it anymore.
Could you verify?
Best regards,
-- George
Hi RayG,
It was not the same issue; Andreas hit a regression bug on the 1.13.1 release.
Your issue seems to be specifically tied with windows and TLS.
I will try to figure out why next.
Best regards,
-- George
Hello George,
> I could reproduce it easily with 1.13.1 and it seems you hit this (https://github.com/NLnetLabs/unbound/issues/429) bug which is already fixed on the master branch.
> With the latest code from master I cannot reproduce it anymore.
> Could you verify?
Yes, I confirm fetching an auth-zone from https://urlhaus.abuse.ch/downloads/rpz/ as well as from my own https server works well.
One side note on disclosing the unbound version:
My own webserver's log:
2001:db8::53 - - [22/May/2021:00:00:21 +0200] "GET /downloads/rpz HTTP/1.1" 200 210627 "-" "unbound/1.13.2"
The real unbound version is used as the HTTP User-Agent header. This version is disclosed even if
I set 'hide-version: yes' or obfuscate it with 'version: "foobar/42"'.
Maybe the User-Agent header could somehow be synchronized with the mentioned settings.
Andreas
Hi Andreas,
Thanks for pointing that out!
We have now introduced (on master branch) 'http-user-agent:' and 'hide-http-user-agent:' as new options to better control the User-Agent HTTP header.
Best regards,
-- George
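A small check for the two points above (Andreas' observation that the resolver's real version shows up in the User-Agent of its RPZ fetches regardless of 'hide-version:', and the 'http-user-agent:' / 'hide-http-user-agent:' options George mentions), written here as an added example. It is not code from Unbound or from anyone in this thread. It parses combined-format access log lines (constructed samples, the first shaped like the one Andreas posted) and reports which clients announce a software version in their User-Agent; it then predicts the User-Agent an Unbound server would send from a config snippet. The option semantics are an assumption of this example (a suppressed header for 'hide-http-user-agent: yes', a verbatim replacement string for 'http-user-agent:', and a default of 'unbound/<version>' otherwise), and the config reader is a deliberately minimal line-based one, not Unbound's parser.

```python
import re

# Constructed sample of a web server's combined-format access log. The first line
# mirrors the shape of the one Andreas posted; the others are made up for contrast.
SAMPLE_LOG = """\
2001:db8::53 - - [22/May/2021:00:00:21 +0200] "GET /downloads/rpz HTTP/1.1" 200 210627 "-" "unbound/1.13.2"
2001:db8::54 - - [22/May/2021:01:00:07 +0200] "GET /downloads/rpz HTTP/1.1" 200 210627 "-" "curl/7.74.0"
2001:db8::55 - - [22/May/2021:02:00:03 +0200] "GET /downloads/rpz HTTP/1.1" 200 210627 "-" "rpz-fetcher"
2001:db8::56 - - [22/May/2021:03:00:11 +0200] "GET /downloads/rpz HTTP/1.1" 304 0 "-" "-"
"""

# One combined-log record: host ident user [time] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# A product/version token at the start of the User-Agent, e.g. "unbound/1.13.2"
VERSIONED_UA_RE = re.compile(r'^(?P<product>[A-Za-z0-9_.-]+)/(?P<version>\d+(?:\.\d+)+)')


def parse_combined(line):
    """Split one combined-format log line into its fields, or None if it does not match."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def disclosed_versions(log_text):
    """Map client host -> (product, version) for every request whose User-Agent
    announces a software version. Clients with an opaque or absent UA are skipped."""
    found = {}
    for line in log_text.splitlines():
        rec = parse_combined(line)
        if rec is None:
            continue
        m = VERSIONED_UA_RE.match(rec["ua"])
        if m:
            found[rec["host"]] = (m.group("product"), m.group("version"))
    return found


def predicted_user_agent(conf_text, built_version="1.13.2"):
    """Predict the User-Agent Unbound sends on its auth-zone/RPZ HTTP fetches from the
    server: options in a config snippet.

    Assumed (simplified) semantics of the options named in the thread:
      - hide-http-user-agent: yes  -> no User-Agent header is sent at all (returns None)
      - http-user-agent: "<s>"     -> that string is sent verbatim
      - otherwise the default "unbound/<built version>" is sent
    hide-version: and version: only affect version.bind-style queries to the resolver,
    which is the mismatch Andreas observed. This is a minimal line-based reader for
    flat 'key: value' options, not Unbound's real config parser."""
    opts = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments; values containing '#' unsupported
        if ":" not in line:
            continue
        key, _, val = line.partition(":")
        opts[key.strip()] = val.strip().strip('"')
    if opts.get("hide-http-user-agent", "no") == "yes":
        return None
    return opts.get("http-user-agent") or f"unbound/{built_version}"


# Constructed config snippets: what Andreas tried, and the two 1.13.2+ ways to stop the leak.
CONF_HIDE_VERSION_ONLY = """\
server:
    hide-version: yes
    version: "foobar/42"
"""

CONF_CUSTOM_UA = """\
server:
    hide-version: yes
    http-user-agent: "rpz-fetcher"
"""

CONF_NO_UA = """\
server:
    hide-version: yes
    hide-http-user-agent: yes
"""


if __name__ == "__main__":
    for host, (product, version) in sorted(disclosed_versions(SAMPLE_LOG).items()):
        print(f"{host} discloses {product} {version}")
    for name, conf in (("hide-version only", CONF_HIDE_VERSION_ONLY),
                       ("http-user-agent", CONF_CUSTOM_UA),
                       ("hide-http-user-agent", CONF_NO_UA)):
        print(f"{name}: User-Agent = {predicted_user_agent(conf)!r}")
```

Running the block lists the two clients that reveal a version (the unbound one and the curl one) and shows that only the second and third snippets change what the resolver sends; the 'hide-version only' snippet still yields "unbound/1.13.2", which is the behaviour Andreas reported. The log check is the useful half for a defender: it is the same grep one would run against any outbound-fetch log to see which of one's own services identify themselves to third-party hosts.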
Hi RayG,
The just released 1.13.2 version includes a fix that should solve your problem with downloading the RPZ file via an https url on windows.
The fix was specifically:
- Listen to read or write events after the SSL handshake.
Sticky events on windows would stick on read when write was needed.
Hope that this indeed solves the issue for you, it did in my testing.
Best regards,
-- George