Disable unused 'tls' clause options: 'ca-file' and 'hostname'

This commit disables the unused 'tls' clause options. Some backing
code exists for them, but their values are not really used anywhere,
nor are there sufficient syntax tests for them.

These options are only disabled temporarily, until TLS certificate
verification gets implemented.
Artem Boldariev
2021-11-29 10:45:35 +02:00
parent 2fc4239ccb
commit 78b73d0865
9 changed files with 19 additions and 18 deletions


@@ -561,11 +561,9 @@ TLS
::
tls string {
ca-file quoted_string;
cert-file quoted_string;
ciphers string;
dhparam-file quoted_string;
hostname quoted_string;
key-file quoted_string;
prefer-server-ciphers boolean;
protocols { string; ... };


@@ -71,10 +71,16 @@ add_doh_transports(const cfg_obj_t *transportlist, dns_transport_list_t *list) {
dns_transport_set_keyfile);
parse_transport_option(doh, transport, "cert-file",
dns_transport_set_certfile);
#if 0
/*
* The following two options need to remain unavailable until
* TLS certificate verification gets implemented.
*/
parse_transport_option(doh, transport, "ca-file",
dns_transport_set_cafile);
parse_transport_option(doh, transport, "hostname",
dns_transport_set_hostname);
#endif
}
return (ISC_R_SUCCESS);
@@ -115,10 +121,16 @@ add_tls_transports(const cfg_obj_t *transportlist, dns_transport_list_t *list) {
dns_transport_set_keyfile);
parse_transport_option(tls, transport, "cert-file",
dns_transport_set_certfile);
#if 0
/*
* The following two options need to remain unavailable until
* TLS certificate verification gets implemented.
*/
parse_transport_option(tls, transport, "ca-file",
dns_transport_set_cafile);
parse_transport_option(tls, transport, "hostname",
dns_transport_set_hostname);
#endif
}
return (ISC_R_SUCCESS);
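Review bot: The `#if 0` blocks in both add_doh_transports() and add_tls_transports() leave "ca-file" and "hostname" unread, so a configuration that still carries them needs to be refused by the parser rather than accepted and ignored. If it were ignored, an operator would assume the peer certificate is being checked while the transport is only encrypted and the remote end is not authenticated. The grammar change is not visible in these hunks, so it is worth confirming with a syntax test that expects such a file to fail to load. The added comment could also state the consequence and not only the plan, e.g. `* Until certificate verification exists the remote peer is NOT authenticated; "ca-file" and "hostname" must be rejected, not ignored.` Both functions begin and end outside the hunks shown.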


@@ -12,5 +12,4 @@
# In some cases a "tls" statement may omit key-file and cert-file.
tls local-tls {
protocols {TLSv1.2;};
hostname "fqdn.example.com";
};