Restore disabled unused 'tls' options: 'ca-file' and 'hostname'
This commit restores the 'tls' options disabled in
78b73d0865.
@@ -560,9 +560,11 @@ TLS
::
tls string {
ca-file quoted_string;
cert-file quoted_string;
ciphers string;
dhparam-file quoted_string;
hostname quoted_string;
key-file quoted_string;
prefer-server-ciphers boolean;
protocols { string; ... };
@@ -122,16 +122,10 @@ add_doh_transports(const cfg_obj_t *transportlist, dns_transport_list_t *list) {
parse_transport_bool_option(
doh, transport, "prefer-server-ciphers",
dns_transport_set_prefer_server_ciphers)
#if 0
/*
* The following two options need to remain unavailable until
* TLS certificate verification gets implemented.
*/
parse_transport_option(doh, transport, "ca-file",
dns_transport_set_cafile);
parse_transport_option(doh, transport, "ca-file",
dns_transport_set_cafile);
parse_transport_option(doh, transport, "hostname",
dns_transport_set_hostname);
#endif
}
return (ISC_R_SUCCESS);
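Review bot: The restored `ca-file` and `hostname` calls at the end of this hunk store both values on the transport, but the hunk only deletes the `#if 0` guard and the comment that tied these options to TLS certificate verification; nothing visible here shows the TLS layer consuming either setter. Before accepting the options it should be confirmed, and ideally referenced in the commit message, that peer verification is actually enforced, otherwise operators get a setting that looks like verification and does nothing. The two options are also accepted independently: if a `ca-file` without a `hostname` checks the chain but not the peer name (or vice versa), that partial state should be rejected at config-check time or at least called out with a comment such as `/* ca-file selects the trust store, hostname the expected peer name; both are needed for full verification */` — I cannot see the setter semantics from here. add_doh_transports starts outside the hunk.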
@@ -180,16 +174,10 @@ add_tls_transports(const cfg_obj_t *transportlist, dns_transport_list_t *list) {
parse_transport_bool_option(
tls, transport, "prefer-server-ciphers",
dns_transport_set_prefer_server_ciphers)
#if 0
/*
* The following two options need to remain unavailable until
* TLS certificate verification gets implemented.
*/
parse_transport_option(tls, transport, "ca-file",
dns_transport_set_cafile);
parse_transport_option(tls, transport, "ca-file",
dns_transport_set_cafile);
parse_transport_option(tls, transport, "hostname",
dns_transport_set_hostname);
#endif
}
return (ISC_R_SUCCESS);
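Review bot: Apart from the first argument, the body of this hunk is identical to the block restored in add_doh_transports (prefer-server-ciphers, then ca-file, then hostname), so the restore had to be made twice and any future validation of these options will have to be duplicated again. If the `parse_transport_option` and `parse_transport_bool_option` macros only reference their arguments, a single static helper taking the config object and the transport could be called from both add_doh_transports and add_tls_transports, giving one place to add a check that `ca-file` and `hostname` are set together. add_tls_transports starts outside the hunk.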
@@ -14,4 +14,5 @@
# In some cases a "tls" statement may omit key-file and cert-file.
tls local-tls {
protocols {TLSv1.2;};
hostname "fqdn.example.com";
};
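Review bot: The fixture exercises only `hostname` on `local-tls`; the other restored option, `ca-file`, is not parsed anywhere in this test, so a regression that drops it from the grammar again would go unnoticed. If the check does not require the referenced file to exist, add a `ca-file "…";` line next to `hostname`, ideally in a separate `tls` block so that hostname-without-ca-file stays covered as well.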
@@ -294,7 +294,7 @@ The following statements are supported:
Declares communication channels to get access to :iscman:`named` statistics.
``tls``
Specifies configuration information for a TLS connection, including a ``key-file``, ``cert-file``, ``dhparam-file``, ``ciphers``, ``protocols``, ``prefer-server-ciphers``, and ``session-tickets``.
Specifies configuration information for a TLS connection, including a ``key-file``, ``cert-file``, ``ca-file``, ``dhparam-file``, ``hostname``, ``ciphers``, ``protocols``, ``prefer-server-ciphers``, and ``session-tickets``.
``http``
Specifies configuration information for an HTTP connection, including ``endponts``, ``listener-clients`` and ``streams-per-connection``.
@@ -4803,6 +4803,9 @@ The following options can be specified in a ``tls`` statement:
Path to a file containing the TLS certificate to be used for
the connection.
``ca-file``
Path to a file containing trusted TLS certificates.
``dhparam-file``
Path to a file containing Diffie-Hellman parameters,
which is needed to enable the cipher suites depending on the
@@ -4810,6 +4813,9 @@ The following options can be specified in a ``tls`` statement:
specified is essential for enabling perfect forward secrecy capable
ciphers in TLSv1.2.
``hostname``
The hostname associated with the certificate.
``protocols``
Allowed versions of the TLS protocol. TLS version 1.2 and higher are
supported, depending on the cryptographic library in use. Multiple
@@ -634,9 +634,11 @@ statistics\-channels {
.nf
.ft C
tls string {
ca\-file quoted_string;
cert\-file quoted_string;
ciphers string;
dhparam\-file quoted_string;
hostname quoted_string;
key\-file quoted_string;
prefer\-server\-ciphers boolean;
protocols { string; ... };
@@ -449,9 +449,11 @@ statistics-channels {
}; // may occur multiple times
tls <string> {
ca-file <quoted_string>;
cert-file <quoted_string>;
ciphers <string>;
dhparam-file <quoted_string>;
hostname <quoted_string>;
key-file <quoted_string>;
prefer-server-ciphers <boolean>;
protocols { <string>; ... };
@@ -445,9 +445,11 @@ statistics-channels {
}; // may occur multiple times
tls <string> {
ca-file <quoted_string>;
cert-file <quoted_string>;
ciphers <string>;
dhparam-file <quoted_string>;
hostname <quoted_string>;
key-file <quoted_string>;
prefer-server-ciphers <boolean>;
protocols { <string>; ... };
@@ -12,9 +12,11 @@
::
tls <string> {
ca-file <quoted_string>;
cert-file <quoted_string>;
ciphers <string>;
dhparam-file <quoted_string>;
hostname <quoted_string>;
key-file <quoted_string>;
prefer-server-ciphers <boolean>;
protocols { <string>; ... };
@@ -3936,14 +3936,8 @@ static cfg_type_t cfg_type_tlsprotos = { "tls_protocols",
static cfg_clausedef_t tls_clauses[] = {
{ "key-file", &cfg_type_qstring, 0 },
{ "cert-file", &cfg_type_qstring, 0 },
#if 0
/*
* The following two options need to remain unavailable until TLS
* certificate verification gets implemented.
*/
{ "ca-file", &cfg_type_qstring, 0 },
{ "hostname", &cfg_type_qstring, 0 },
#endif
{ "dhparam-file", &cfg_type_qstring, 0 },
{ "protocols", &cfg_type_tlsprotos, 0 },
{ "ciphers", &cfg_type_astring, 0 },
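Review bot: Dropping the `#if 0` makes the parser accept `ca-file` and `hostname` unconditionally, and the comment that gated them on certificate verification goes with it; nothing in this hunk or the commit message points at where that verification is now implemented, so if the transport layer still ignores them, `named-checkconf` will accept a configuration that looks verified but is not. If enforcement has landed, a one-line comment above the two clauses naming where the values are consumed would spare the next reader a trip through history; if it has not, keep the clauses disabled or have the checker warn when they are set. Separately, consider whether the checker should verify at load time that `ca-file` names a readable file, presumably as it does for `key-file`/`cert-file` — I cannot see that from here. The `tls_clauses` array continues past the end of the hunk.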