Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild

Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild
Add recipe for adding custom server
2025-07-23 19:24:40 +00:00 · 2025-01-16 16:01:04 +00:00 · 2024-11-20 17:07:11 +01:00 · 2024-09-10 18:11:40 +02:00 · 2024-07-17 21:12:32 +00:00 · 2024-01-24 09:39:09 +00:00
3 changed files with 96 additions and 0 deletions
--- a/dnssec-trigger-0.17-openssl-3.2.patch
+++ b/dnssec-trigger-0.17-openssl-3.2.patch
@ -0,0 +1,34 @@
+From 7c3ff5b59952bc6bf11f988c9dbd961ae3c626ea Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Tue, 10 Sep 2024 16:22:07 +0200
+Subject: [PATCH] Mark explicitly server cert with CA flag
+
+Since OpenSSL 3.2 it did not connect from control to server cert. Create
+server with indication is it CA.
+
+Also use clientAuth trust for CA cert. That allows control cert to be
+used for client authentication.
+---
+ dnssec-trigger-control-setup.sh.in | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/dnssec-trigger-control-setup.sh.in b/dnssec-trigger-control-setup.sh.in
+index 7cc305a..eede665 100644
+--- a/dnssec-trigger-control-setup.sh.in
+++ b/dnssec-trigger-control-setup.sh.in
+@@ -200,9 +200,9 @@ EOF
+ test -f request.cfg || error "could not create request.cfg"
+ 
+ echo "create $SVR_BASE.pem (self signed certificate)"
+-openssl req -key $SVR_BASE.key -config request.cfg  -new -x509 -days $DAYS -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem"
+-# create trusted usage pem
+-openssl x509 -in $SVR_BASE.pem -addtrust serverAuth -out $SVR_BASE"_trust.pem"
+openssl req -key $SVR_BASE.key -config request.cfg  -new -x509 -days $DAYS -addext "basicConstraints=critical,CA:TRUE,pathlen:0" -out $SVR_BASE.pem || error "could not create $SVR_BASE.pem"
+# create trusted usage pem for CA, what are signed certs allowed to do?
+openssl x509 -in "$SVR_BASE.pem" -addtrust clientAuth -out "${SVR_BASE}_trust.pem"
+ 
+ # create client request and sign it, piped
+ cat >request.cfg <<EOF
+-- 
+2.46.0
+
--- a/dnssec-trigger-0.17-server-recipe.patch
+++ b/dnssec-trigger-0.17-server-recipe.patch
@ -0,0 +1,59 @@
+From f6b4cd17294d8faa8fd4d70110ac9da9916e7d61 Mon Sep 17 00:00:00 2001
+From: Petr Mensik <pemensik@redhat.com>
+Date: Wed, 20 Nov 2024 16:58:48 +0100
+Subject: [PATCH] Add recipe for adding own server
+
+Until someone adds nice support for using just CA bundle and server
+name, allow specification by fingerprint obtained manually. Do not rely
+only on server provided by upstream.
+---
+ dnssec.conf     | 4 ++--
+ example.conf.in | 6 +++++-
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+diff --git a/dnssec.conf b/dnssec.conf
+index bf896d3..4726ca1 100644
+--- a/dnssec.conf
+++ b/dnssec.conf
+@@ -38,7 +38,7 @@
+ #
+ #  - See also security notes on the `add_wifi_provided_zones` option.
+ #
+-# validate_connection_provided_zones=yes
+# validate_connection_provided_zones=no
+ #
+ #  - Connection provided zones will be configured in Unbound as secure forward
+ #    zones, validated using DNSSEC.
+@@ -63,7 +63,7 @@
+ #    Turning this option off has security implications, See the security
+ #    notice above.
+ #
+-validate_connection_provided_zones=yes
+validate_connection_provided_zones=no
+ 
+ # add_wifi_provided_zones:
+ # ------------------------
+diff --git a/example.conf.in b/example.conf.in
+index dafd35d..f7e8a54 100644
+--- a/example.conf.in
+++ b/example.conf.in
+@@ -79,6 +79,11 @@ tcp80: 2a04:b900::10:0:0:67
+ ssl443: 185.49.140.67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:66:0F:10:58:DC:A8:2E:C0:43:D4:77:5A:71:8A:CF
+ ssl443: 2a04:b900::10:0:0:67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:66:0F:10:58:DC:A8:2E:C0:43:D4:77:5A:71:8A:CF
+ 
+# How to add your own record:
+# openssl s_client -connect example.com:443 -showcerts </dev/null > /tmp/dns.crt
+# openssl x509 -noout -in /tmp/dns.crt -fingerprint -sha256
+# Append returned sha256 Fingerprint after ssl443: IP-address section.
+
+ # Use VPN servers for all traffic
+ # use-vpn-forwarders: no
+ 
+@@ -87,4 +92,3 @@ ssl443: 2a04:b900::10:0:0:67 7E:CF:B4:BE:B9:9A:56:0D:F7:3B:40:51:A4:78:E6:A6:FD:
+ 
+ # Add domains provided by VPN connections into Unbound forward zones
+ # add-wifi-provided-zones: no
+-
+-- 
+2.47.0
+
--- a/dnssec-trigger.spec
+++ b/dnssec-trigger.spec
@ -33,6 +33,9 @@ Patch4: 0004-Add-options-edns0-and-trust-ad.patch
 Patch5: dnssec-trigger-configure-c99.patch
 # https://github.com/NLnetLabs/dnssec-trigger/commit/f187c2be221a26f3c4ef4d9b16f1df67104ae634
 Patch6: dnssec-trigger-0.17-allowed-characters.patch
+Patch7: dnssec-trigger-0.17-openssl-3.2.patch
+# https://github.com/NLnetLabs/dnssec-trigger/pull/15
+Patch8: dnssec-trigger-0.17-server-recipe.patch

 # to obsolete the version in which the panel was in main package
 Obsoletes: %{name} < 0.12-22
Author	SHA1	Message	Date
Fedora Release Engineering	559a9eaee1	Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild	2025-07-23 19:24:40 +00:00
Fedora Release Engineering	6a978fe44e	Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild	2025-01-16 16:01:04 +00:00
Petr Menšík	0c89edf730	Add recipe for adding custom server Related: RHEL-6597	2024-11-20 17:07:11 +01:00
Petr Menšík	b0889c46e9	Mark explicitly server cert with CA flag Since OpenSSL 3.2 it did not connect from control to server cert. Create server with indication is it CA. Also use clientAuth trust for CA cert. That allows control cert to be used for client authentication. Resolves: rhbz#2310947	2024-09-10 18:11:40 +02:00
Fedora Release Engineering	52d732d58d	Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild	2024-07-17 21:12:32 +00:00
Fedora Release Engineering	848c0c938a	Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild	2024-01-24 09:39:09 +00:00
Fedora Release Engineering	752566b521	Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild	2024-01-19 17:22:42 +00:00