Bugs/notes related to Mutual TLS

[k0ekk0ek]

Andreas Schulze provided some feedback on the Mutual TLS feature on the nsd-users mailing list.

• I used an IPv6 network for my zone transfer tests and have the impression, the outgoing-interface statement at the secondary is not working if AXFR-over-tls is used.

• While trying to get AXFR-over-tls working, I saw errors like "error: xfrd tls: TLS verify failed - (62) depth: 0 error: hostname mismatch"
  It would be helpful to see there "... hostname mismatch: expected 'foo', got 'bar'"

• After "error: xfrd tls: TLS verify failed - (62) depth: 0 error: hostname mismatch" I also saw "error: xfrd: TLS handshake failed: Success"

[bilias]

Andreas Schulze provided some feedback on the Mutual TLS feature on the
nsd-users mailing list.

* While trying to get AXFR-over-tls working, I saw errors like "error: xfrd tls: 
  TLS verify failed - (62) depth: 0 error: hostname mismatch"
  It would be helpful to see there "... 
  hostname mismatch: expected 'foo', got 'bar'"

This is captured in DEBUG

nsd/options.c

Lines 2257 to 2259 in b88421b

	if (pos == len) {
	DEBUG(DEBUG_XFRD, 2, (LOG_INFO,
	"SAN %*s does not match acl for %s", len, str, acl_cert_cn));

and

nsd/options.c

Lines 2315 to 2317 in b88421b

	if (pos == len) {
	DEBUG(DEBUG_XFRD, 2, (LOG_INFO,
	"CN %*s does not match acl for %s", len, common_name_str, acl_cert_cn));

I run my devel SSL code with
#undef NDEBUG /**/ in config.h (after configure)

With nsd options -V100 -F 0x0020U -L100
I get:

2024-08-02 01:20:55.086] nsd[1029706]: info: CN s3.example.com does not match acl for s2.example.com
[2024-08-02 01:20:55.086] nsd[1029706]: warning: client cert does not match tls-master s2.example.com
[2024-08-02 01:20:55.086] nsd[1029706]: info: axfr for example.com. from 127.0.0.1 refused, no acl matches
[2024-08-02 01:20:55.086] nsd[1029706]: info: axfr refused, no acl matches

Maybe we put those two in VERBOSITY LOG instead of DEBUG?
#369

[bilias]

* I used an IPv6 network for my zone transfer tests and have the impression, 
  the outgoing-interface statement at the secondary is not working
  if AXFR-over-tls is used.

per manual page:

       outgoing-interface: <ip-address>
              Access  control list. The listed address is used to request AXFR|IXFR
              (in case of a secondary) or used to send notifies (in case of a  pri‐
              mary).

• secondary (client side)
  There was only a minor modification on the client side, a87e820 so this is probably not related to the TLS-AUTH code (server side).

• notifies (server side)
  Didn't touch notifies. It was in my TODO plans, but after reading that nsd only supports UDP it make thinks a little harder for this. If TCP is enabled, then this is quite easy to implement Support Mutual TLS for outgoing NOTIFY #365