troglobit / inadyn

In-a-Dyn is a dynamic DNS client with multiple SSL/TLS library support
https://troglobit.com/projects/inadyn/
GNU General Public License v2.0

GnuTLS issue with Yandex DNS #252

Open taem opened 5 years ago

taem commented 5 years ago

Hi Joachim,

Got GnuTLS issue with Yandex DNS.

Config:

provider yandex {
        username = linukz.org
        password = <removed>
        hostname = test
}

Command:

$ ./src/inadyn --cache-dir=/tmp/inadyn --pidfile=/tmp/inadyn.pid -n -l debug

Output:

inadyn[31603]: In-a-dyn version 2.5 -- Dynamic DNS update client.
inadyn[31603]: Guessing DDNS plugin 'default@pdd.yandex.ru' from 'yandex'
inadyn[31603]: Base64 encoded string: bGludWt6Lm9yZzo0TkxDMjRRSEczQUpYRlM0WEJRRkRDTU5USTNDSTZGWU9FR0xOU0JOQjNIWDZEQllPVkJB
inadyn[31603]: Get address for default@pdd.yandex.ru
inadyn[31603]: Checking for IP# change, connecting to checkip.dyndns.org([216.146.43.71]:80)
inadyn[31603]: Querying DDNS checkip server for my public IP#: GET / HTTP/1.0
Host: checkip.dyndns.org
User-Agent: inadyn/2.5 https://github.com/troglobit/inadyn/issues

inadyn[31603]: Server response: HTTP/1.1 200 OK
Content-Type: text/html
Server: DynDNS-CheckIP/1.0.1
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 106

<html><head><title>Current IP Check</title></head><body>Current IP Address: 54.XXX.YYY.ZZZ</body></html>
inadyn[31603]: Checked my IP, return code 0: OK
inadyn[31603]: IP server response:
inadyn[31603]: HTTP/1.1 200 OK
Content-Type: text/html
Server: DynDNS-CheckIP/1.0.1
Connection: close
Cache-Control: no-cache
Pragma: no-cache
Content-Length: 106

<html><head><title>Current IP Check</title></head><body>Current IP Address: 54.XXX.YYY.ZZZ</body></html>
inadyn[31603]: Checking IPv4 address 54.XXX.YYY.ZZZ ...
inadyn[31603]: IPv4 address 54.XXX.YYY.ZZZ is valid.
inadyn[31603]: Current IP# 54.XXX.YYY.ZZZ at default@pdd.yandex.ru
inadyn[31603]: Update forced for alias test, new IP# 54.XXX.YYY.ZZZ
inadyn[31603]: Sending IP# update to DDNS server, initiating HTTPS ...
inadyn[31603]: Sending IP# update to DDNS server, connecting to pddimp.yandex.ru([213.180.193.179]:443)
inadyn[31603]: Certificate OK
inadyn[31603]: SSL server cert subject: C=RU,O=Yandex LLC,OU=ITO,L=Moscow,ST=Russian Federation,CN=api.domain.yandex.com
inadyn[31603]: SSL server cert issuer: C=RU,O=Yandex LLC,OU=Yandex Certification Authority,CN=Yandex CA
inadyn[31603]: Trying to get record_id, initiating HTTPS ...
inadyn[31603]: Trying to get record_id, connecting to pddimp.yandex.ru([213.180.193.179]:443)
inadyn[31603]: Certificate OK
inadyn[31603]: SSL server cert subject: C=RU,O=Yandex LLC,OU=ITO,L=Moscow,ST=Russian Federation,CN=api.domain.yandex.com
inadyn[31603]: SSL server cert issuer: C=RU,O=Yandex LLC,OU=Yandex Certification Authority,CN=Yandex CA
inadyn[31603]: Successfully sent HTTPS request!
inadyn[31603]: Successfully received HTTPS response (2714 bytes)!
inadyn[31603]: Yandex response: <removed>
inadyn[31603]: Updating record, id = 5543513
inadyn[31603]: Sending alias table update to DDNS server: POST /api2/admin/dns/edit HTTP/1.1
Host: pddimp.yandex.ru
PddToken: <removed>
User-Agent: inadyn/2.5 https://github.com/troglobit/inadyn/issues
Content-Length: 73
Content-Type: application/x-www-form-urlencoded

domain=linukz.org&record_id=27061131&subdomain=test&content=54.XXX.YYY.ZZZ
inadyn[31603]: Successfully sent HTTPS request!
inadyn[31603]: Successfully received HTTPS response (0 bytes)!
inadyn[31603]: DDNS server response:
inadyn[31603]: Fatal error in DDNS server response:
inadyn[31603]: [0 ]
inadyn[31603]: Error response from DDNS server, exiting!
inadyn[31603]: Error code 48: DDNS server response not OK

The request to get the DNS records completes successfully, but the request to update the record does not. The OpenSSL version of inadyn works as expected.

A DNS record update using gnutls-cli also works as expected:

$ gnutls-cli pddimp.yandex.ru
Processed 133 CA certificate(s).
Resolving 'pddimp.yandex.ru:443'...
Connecting to '213.180.193.179:443'...
- Certificate type: X.509
- Got a certificate list of 3 certificates.
- Certificate[0] info:
 - subject `CN=api.domain.yandex.com,ST=Russian Federation,L=Moscow,OU=ITO,O=Yandex LLC,C=RU', issuer `CN=Yandex CA,OU=Yandex Certification Authority,O=Yandex LLC,C=RU', serial 0x6279dd8f769f7d307bded3bddabf297d, RSA key 2048 bits, signed using RSA-SHA256, activated `2017-09-09 10:53:14 UTC', expires `2019-09-09 10:53:14 UTC', pin-sha256="f3NL2ctrcaC2voHnl7I8Kex0ud7tS1wbz9CuHjRyLRw="
        Public Key ID:
                sha1:15ec26f19e839827d39a56d08c3a4265561e26ae
                sha256:7f734bd9cb6b71a0b6be81e797b23c29ec74b9deed4b5c1bcfd0ae1e34722d1c
        Public Key PIN:
                pin-sha256:f3NL2ctrcaC2voHnl7I8Kex0ud7tS1wbz9CuHjRyLRw=
        Public key's random art:
                +--[ RSA 2048]----+
                |    ..+  ..      |
                |   .++ .. ..     |
                |   +. .+ +.      |
                |  ..  o +.+      |
                | .E  . =S= .     |
                |  . o = = +      |
                |   . . B   .     |
                |      +          |
                |     .           |
                +-----------------+

- Certificate[1] info:
 - subject `CN=Yandex CA,OU=Yandex Certification Authority,O=Yandex LLC,C=RU', issuer `CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL', serial 0x00e40547830e0c6452976f7a3549c0dd48, RSA key 2048 bits, signed using RSA-SHA256, activated `2015-01-21 12:00:00 UTC', expires `2025-01-18 12:00:00 UTC', pin-sha256="LNFe+yc4/NZbJVynpxAeAd+brU3EPwGbtwF6VeUjI/Y="
- Certificate[2] info:
 - subject `CN=Certum Trusted Network CA,OU=Certum Certification Authority,O=Unizeto Technologies S.A.,C=PL', issuer `CN=Certum CA,O=Unizeto Sp. z o.o.,C=PL', serial 0x00939285400165715f947f288fefc99b28, RSA key 2048 bits, signed using RSA-SHA256, activated `2008-10-22 12:07:37 UTC', expires `2027-06-10 10:46:39 UTC', pin-sha256="qiYwp7YXsE0KKUureoyqpQFubb5gSDeoOoVxn6tmfrU="
- Status: The certificate is trusted.
- Description: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-128-GCM)
- Session ID: 43:58:F5:A3:C2:A9:C2:7C:8A:47:50:11:DC:43:C3:9E:20:A3:93:BC:AA:FB:64:42:42:6E:D4:09:15:DF:4F:C1
- Ephemeral EC Diffie-Hellman parameters
 - Using curve: SECP256R1
 - Curve size: 256 bits
- Version: TLS1.2
- Key Exchange: ECDHE-RSA
- Server Signature: RSA-SHA512
- Cipher: AES-128-GCM
- MAC: AEAD
- Compression: NULL
- Options: safe renegotiation, OCSP status request,
- Handshake was completed

- Simple Client Mode:

POST /api2/admin/dns/edit HTTP/1.1
Host: pddimp.yandex.ru
PddToken: <removed>
User-Agent: inadyn/2.5 https://github.com/troglobit/inadyn/issues
Content-Length: 74
Content-Type: application/x-www-form-urlencoded

domain=linukz.org&record_id=27061131&subdomain=test&content=54.XXX.YYY.ZZZ
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 06 Jun 2019 06:18:52 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 221
Connection: keep-alive
Keep-Alive: timeout=120
X-qloud-router: sas1-5acd7d194fed.qloud-c.yandex.net

{"record_id":27061131,"domain":"linukz.org","record":{"priority":"","subdomain":"test","record_id":27061131,"type":"A","domain":"linukz.org","fqdn":"test.linukz.org","ttl":21600,"content":"54.XXX.YYY.ZZZ"},"success":"ok"}

GnuTLS version:

$ apt-cache policy libgnutls30
libgnutls30:
  Installed: 3.5.18-1ubuntu1.1
  Candidate: 3.5.18-1ubuntu1.1
  Version table:
 *** 3.5.18-1ubuntu1.1 500
        500 http://us-east-1.ec2.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu bionic-security/main amd64 Packages
        100 /var/lib/dpkg/status
     3.5.18-1ubuntu1 500
        500 http://us-east-1.ec2.archive.ubuntu.com/ubuntu bionic/main amd64 Packages

$ apt-cache policy gnutls-bin
gnutls-bin:
  Installed: 3.5.18-1ubuntu1.1
  Candidate: 3.5.18-1ubuntu1.1
  Version table:
 *** 3.5.18-1ubuntu1.1 500
        500 http://us-east-1.ec2.archive.ubuntu.com/ubuntu bionic-updates/universe amd64 Packages
        500 http://security.ubuntu.com/ubuntu bionic-security/universe amd64 Packages
        100 /var/lib/dpkg/status
     3.5.18-1ubuntu1 500
        500 http://us-east-1.ec2.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages

I did a tcpdump session and it shows a lot of TCP retransmission packets. Any thoughts?

Thanks.
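One detail worth ruling out when a server answers with an empty body: the inadyn transcript above declares `Content-Length: 73` while the gnutls-cli transcript declares `Content-Length: 74` for what is, after redaction, the same form body. The script below is an added example and not inadyn's code; it builds the same kind of `application/x-www-form-urlencoded` POST with the length derived from the encoded body, and checks a captured request for a declared/actual mismatch. The token is a placeholder and the IP is the redacted value from the thread.

```python
"""Added example (not inadyn code): build a form POST like the one in the
thread with Content-Length derived from the encoded body, and check a raw
request for a declared vs. actual body-length mismatch."""
from urllib.parse import urlencode

# Field values as shown in the thread; the IP is the redacted placeholder.
SAMPLE_FIELDS = {
    "domain": "linukz.org",
    "record_id": "27061131",
    "subdomain": "test",
    "content": "54.XXX.YYY.ZZZ",
}


def build_form_post(host, path, token, fields):
    """Return raw HTTP/1.1 request bytes for an x-www-form-urlencoded POST.
    Content-Length is computed from the encoded body, so it cannot drift
    from what is actually sent."""
    body = urlencode(fields).encode("ascii")
    headers = [
        f"POST {path} HTTP/1.1",
        f"Host: {host}",
        f"PddToken: {token}",          # placeholder token, not a real one
        "User-Agent: example-client/0.1",
        f"Content-Length: {len(body)}",
        "Content-Type: application/x-www-form-urlencoded",
    ]
    return "\r\n".join(headers).encode("ascii") + b"\r\n\r\n" + body


def check_content_length(raw):
    """Parse a raw request and return (declared, actual) body lengths.
    declared is None when the request carries no Content-Length header."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request has no header/body separator")
    declared = None
    for line in head.split(b"\r\n")[1:]:      # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            declared = int(value.strip())
    return declared, len(body)
```

Running `check_content_length` over a request captured from the client (for example from a tcpdump session) shows at a glance whether the header and the body agree.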

troglobit commented 5 years ago

Huh, weird ... just tested with FreeDNS + GnuTLS and that works. Sorry, no clue really what it could be, maybe some server/client crypto setting that's different?

inadyn[18430]: Sending IP# update to DDNS server, initiating HTTPS ...
inadyn[18430]: Sending IP# update to DDNS server, connecting to freedns.afraid.org([50.23.197.94]:443)
inadyn[18430]: Certificate OK
inadyn[18430]: SSL server cert subject: OU=Domain Control Validated,OU=EssentialSSL,CN=freedns.afraid.org
inadyn[18430]: SSL server cert issuer: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Domain Validation Secure Server CA
inadyn[18430]: Fetching account API key, initiating HTTPS ...
inadyn[18430]: Fetching account API key, connecting to freedns.afraid.org([204.140.20.21]:443)
inadyn[18430]: Certificate OK
inadyn[18430]: SSL server cert subject: OU=Domain Control Validated,OU=EssentialSSL,CN=freedns.afraid.org
inadyn[18430]: SSL server cert issuer: C=GB,ST=Greater Manchester,L=Salford,O=COMODO CA Limited,CN=COMODO RSA Domain Validation Secure Server CA
inadyn[18430]: Successfully sent HTTPS request!
inadyn[18430]: Successfully received HTTPS response (294 bytes)!
inadyn[18430]: Received API key(s), rc=0:
troglobit.homenet.org|155.4.AAA.BBB|https://freedns.afraid.org/dynamic/update.php?foo=
inadyn[18430]: Sending alias table update to DDNS server: GET /dynamic/update.php?foo=&address=85.24.CCC.DDD HTTP/1.0
Host: freedns.afraid.org
User-Agent: inadyn/2.5 https://github.com/troglobit/inadyn/issues

inadyn[18430]: Successfully sent HTTPS request!
inadyn[18430]: Successfully received HTTPS response (384 bytes)!
inadyn[18430]: DDNS server response: HTTP/1.1 200 OK
Server: nginx
Date: Thu, 06 Jun 2019 08:47:51 GMT
Content-Type: text/plain; charset=utf-8
Connection: close
Vary: Accept-Encoding
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Expires: Mon, 26 Jul 1997 05:00:00 GMT
X-Cache: MISS

Updated troglobit.homenet.org to 85.24.CCC.DDD in 0.037 seconds
inadyn[18430]: Successful alias table update for troglobit.homenet.org => new IP# 85.24.CCC.DDD
inadyn[18430]: Updating cache for troglobit.homenet.org

taem commented 5 years ago

Ok, will continue debugging :)

troglobit commented 5 years ago

Good luck man!

troglobit commented 4 years ago

@taem Did you ever figure this one out? I fixed a couple of issues with the plugin back in July, found by Coverity Scan, in 687253e ... maybe that was the root cause?

troglobit commented 4 years ago

So, v2.6 has been released https://github.com/troglobit/inadyn/releases/tag/v2.6, there are pre-built packages available, both Debian/Ubuntu packages and Docker images. Hopefully enough to help test this bug.

taem commented 4 years ago

Hi Joachim,

Ok, thanks. Need to try it.
