OpenSSL/Stubby issue

Hi,

I made a new snapshot build r13871 today (came from r13500).

I saw that stubby (0.26->0.3) got upgraded.

Stubby is not starting anymore. The only error I get is (log got spammed):

This version of OpenSSL does not support configuring cipher suites.
The library did not have the requested API feature implemented.

My first question: Is this an OpenSSL or a Stubby related issue? Or did I simply miss a package dependency?
I did not find any bug entry so far. But maybe I've missed something and it is already in a mailing list? Where is the best place to report this issue if necessary: https://bugs.openwrt.org/ or https://github.com/openwrt/packages/issues?

EDIT: I have found this:


and

So it seems to be a getdns issue. I will try to reconfigure OpenSSL according to what was discussed there.

Works for me:

# logread -e stubby
Fri Jul 17 13:27:28 2020 daemon.err stubby[5914]: [10:27:28.384522] STUBBY: Stubby version: Stubby 0.3.0
Fri Jul 17 13:27:29 2020 daemon.err stubby[5914]: [10:27:29.299965] STUBBY: Read config from file /var/etc/stubby/stubby.yml
Fri Jul 17 13:27:29 2020 daemon.err stubby[5914]: [10:27:29.304410] STUBBY: DNSSEC Validation is OFF
Fri Jul 17 13:27:29 2020 daemon.err stubby[5914]: [10:27:29.306555] STUBBY: Transport list is:
Fri Jul 17 13:27:29 2020 daemon.err stubby[5914]: [10:27:29.307977] STUBBY:   - TLS
Fri Jul 17 13:27:29 2020 daemon.err stubby[5914]: [10:27:29.309391] STUBBY: Privacy Usage Profile is Strict (Authentication required)
Fri Jul 17 13:27:29 2020 daemon.err stubby[5914]: [10:27:29.309599] STUBBY: (NOTE a Strict Profile only applies when TLS is the ONLY transport!!)
Fri Jul 17 13:27:29 2020 daemon.err stubby[5914]: [10:27:29.309701] STUBBY: Starting DAEMON....

# netstat -l -n -p -u | grep -e stubby
udp        0      0 127.0.0.1:5453          0.0.0.0:*                           5914/stubby
udp        0      0 ::1:5453                :::*                                5914/stubby

# opkg list-installed | grep -e getdns -e libopenssl -e stubby
getdns - 1.6.0-2
libopenssl1.1 - 1.1.1g-1
stubby - 0.3.0-1

# . /etc/os-release; echo ${BUILD_ID}
r13850-e363470d1a

Perhaps you should make a clean build.

Thx for your reply vgaetera.

Well, I've read through the linked threads and it seems it is a getdns issue. The developer is claiming that it is working on his setup compiling on SDK. I'm not using SDK. So I think the reason is probably to be found there.

My environment is locally built, packages/x86_64/base/ but it is true libopenssl is a few days old.

I'll do a clean build and see whether there is any difference, although I'm leaning more towards a different openssl build configuration.

But the guy posting this didn't post any result. I'm building for ipq806x on x86_64.

I've compiled with getdns 1.52 now because this setup is said to be working according to statements in these threads. I will report back in a few minutes ...

EDIT: stubby is working here with getdns v1.52. That was the only change on my build settings. The most recent version 1.6.0-2 is not working.

It was built from scratch today. But I have to say that I'm building with:
-O2, glibc, libcstdc, gcc10, binutils2.34

Maybe it is a glibc issue as so often. :smiley: Because the developer is writing:

I didn't change anything regarding openssl config when building the packages using the SDK, so the packages I used presumably have the "default" configuration for OpenWRT, whatever that is.

For now I will stick with v1.52 and hope for the best that it will change in the future.

I'm using 18.06.8 and it is working fine

getdns - 1.6.0-2
libopenssl - 1.1.1g-1
stubby - 0.3.0-1

After playing around with the stubby config file I found the reason for the error.

It was a line in my stubby config:

tls_ciphersuites: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"

After commenting out the line, stubby 1.6.0-2 is working with my build settings.

# Set the acceptable ciphers for DNS over TLS.  With OpenSSL 1.1.1 this list is
# for TLS1.2 and older only. Ciphers for TLS1.3 should be set with the
# tls_ciphersuites option. This option can also be given per upstream.
# tls_cipher_list: "EECDH+AESGCM:EECDH+CHACHA20"

# Set the acceptable cipher for DNS over TLS1.3. OpenSSL >= 1.1.1 is required
# for this option. This option can also be given per upstream.
# tls_ciphersuites: #"TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"

So the line should work with OpenSSL 1.1.1g. But it doesn't. I'm still not sure which side is causing the error. Getdns or Stubby.
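
A way to check a stubby.yml for the option identified above, as an added example that is not part of the original thread or of the Stubby/getdns projects: it lists every active `tls_ciphersuites` value (top level or per upstream) and flags names that are not TLS 1.3 suites, such as a TLS 1.2 cipher string placed in the wrong option. The function names, the sample config and the 192.0.2.1 address are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit tls_ciphersuites in a stubby.yml (names are hypothetical).

# TLS 1.3 suite names from RFC 8446, the only values this option can carry.
TLS13_SUITES="TLS_AES_128_GCM_SHA256 TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_CCM_SHA256 TLS_AES_128_CCM_8_SHA256"

# Constructed sample config: one top-level value and one per-upstream value.
sample_config() {
    cat <<'EOF'
# tls_cipher_list: "EECDH+AESGCM:EECDH+CHACHA20"
tls_ciphersuites: "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
upstream_recursive_servers:
  - address_data: 192.0.2.1
    tls_ciphersuites: "EECDH+AESGCM"
EOF
}

# Print the value of every active (uncommented) "KEY: value" line in FILE,
# top level or indented per upstream, without quotes or trailing comments.
active_values() {  # usage: active_values FILE KEY
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" |
        sed -e 's/[[:space:]]*#.*$//' -e 's/^"//' -e 's/"$//'
}

# Exit status: 0 = option not active, 1 = active with TLS 1.3 names only
# (needs a getdns/OpenSSL build that can set them), 2 = a foreign name found.
audit_ciphersuites() {  # usage: audit_ciphersuites FILE
    # Suites are colon-separated; flatten all active values into one word list.
    set -- $(active_values "$1" tls_ciphersuites | tr ':' ' ')
    if [ $# -eq 0 ]; then
        echo "tls_ciphersuites not active: library defaults apply"
        return 0
    fi
    audit_rc=1
    for suite in "$@"; do
        case " $TLS13_SUITES " in
            *" $suite "*) echo "TLS 1.3 suite: $suite" ;;
            *) echo "not a TLS 1.3 suite name: $suite"; audit_rc=2 ;;
        esac
    done
    return $audit_rc
}

cfg=$(mktemp)
sample_config > "$cfg"
audit_ciphersuites "$cfg" || echo "audit exit status: $?"
rm -f "$cfg"
```

On a router the file to pass is the generated config that the log above shows Stubby reading, `/var/etc/stubby/stubby.yml`.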

