return g_tlslocals.size();
});
- luaCtx.registerFunction<void(std::shared_ptr<TLSCtx>::*)()>("rotateTicketsKey", [](std::shared_ptr<TLSCtx> ctx) {
+ luaCtx.registerFunction<void(std::shared_ptr<TLSCtx>::*)()>("rotateTicketsKey", [](std::shared_ptr<TLSCtx>& ctx) {
if (ctx != nullptr) {
ctx->rotateTicketsKey(time(nullptr));
}
});
- luaCtx.registerFunction<void(std::shared_ptr<TLSCtx>::*)(const std::string&)>("loadTicketsKeys", [](std::shared_ptr<TLSCtx> ctx, const std::string& file) {
+ luaCtx.registerFunction<void(std::shared_ptr<TLSCtx>::*)(const std::string&)>("loadTicketsKeys", [](std::shared_ptr<TLSCtx>& ctx, const std::string& file) {
if (ctx != nullptr) {
ctx->loadTicketsKeys(file);
}
});
+ luaCtx.registerFunction<void(std::shared_ptr<TLSFrontend>::*)()>("rotateTicketsKey", [](std::shared_ptr<TLSFrontend>& frontend) {
+ if (frontend == nullptr) {
+ return;
+ }
+ auto ctx = frontend->getContext();
+ if (ctx) {
+ ctx->rotateTicketsKey(time(nullptr));
+ }
+ });
+
+ luaCtx.registerFunction<void(std::shared_ptr<TLSFrontend>::*)(const std::string&)>("loadTicketsKeys", [](std::shared_ptr<TLSFrontend>& frontend, const std::string& file) {
+ if (frontend == nullptr) {
+ return;
+ }
+ auto ctx = frontend->getContext();
+ if (ctx) {
+ ctx->loadTicketsKeys(file);
+ }
+ });
+
+ luaCtx.registerFunction<void(std::shared_ptr<TLSFrontend>::*)()>("reloadCertificates", [](std::shared_ptr<TLSFrontend>& frontend) {
+ if (frontend == nullptr) {
+ return;
+ }
+ frontend->setupTLS();
+ });
+
luaCtx.registerFunction<void(std::shared_ptr<TLSFrontend>::*)(boost::variant<std::string, std::vector<std::pair<int,std::string>>> certFiles, boost::variant<std::string, std::vector<std::pair<int,std::string>>> keyFiles)>("loadNewCertificatesAndKeys", [](std::shared_ptr<TLSFrontend>& frontend, boost::variant<std::string, std::vector<std::pair<int,std::string>>> certFiles, boost::variant<std::string, std::vector<std::pair<int,std::string>>> keyFiles) {
#ifdef HAVE_DNS_OVER_TLS
if (loadTLSCertificateAndKeys("loadNewCertificatesAndKeys", frontend->d_tlsConfig.d_certKeyPairs, certFiles, keyFiles)) {
luaCtx.registerFunction<std::string(DNSCryptContext::*)()const>("getProviderName", [](const DNSCryptContext& ctx) { return ctx.getProviderName().toStringNoDot(); });
luaCtx.registerFunction("markActive", &DNSCryptContext::markActive);
luaCtx.registerFunction("markInactive", &DNSCryptContext::markInactive);
+ luaCtx.registerFunction("reloadCertificates", &DNSCryptContext::reloadCertificates);
luaCtx.registerFunction("removeInactiveCertificate", &DNSCryptContext::removeInactiveCertificate);
luaCtx.registerFunction<void(std::shared_ptr<DNSCryptContext>::*)(const std::string& certFile, const std::string& keyFile, boost::optional<bool> active)>("loadNewCertificate", [](std::shared_ptr<DNSCryptContext> ctx, const std::string& certFile, const std::string& keyFile, boost::optional<bool> active) {
This object represents an address and port dnsdist is listening on for DNS over TLS queries.
- .. method:: TLSContext:rotateTicketsKey()
-
- Replace the current TLS tickets key by a new random one.
-
.. method:: TLSContext:loadTicketsKeys(ticketsKeysFile)
Load new tickets keys from the selected file, replacing the existing ones. These keys should be rotated often and never written to persistent storage to preserve forward secrecy. The default is to generate a random key. The OpenSSL provider supports several tickets keys to be able to decrypt existing sessions after the rotation, while the GnuTLS provider only supports one key.
:param str ticketsKeysFile: The path to a file from where TLS tickets keys should be loaded.
+ .. method:: TLSContext:rotateTicketsKey()
+
+ Replace the current TLS tickets key by a new random one.
+
TLSFrontend
~~~~~~~~~~~
This object represents the configuration of a listening frontend for DNS over TLS queries. To each frontend is associated a TLSContext.
- .. method:: TLSContext:loadNewCertificatesAndKeys(certFile(s), keyFile(s))
+ .. method:: TLSFrontend:loadNewCertificatesAndKeys(certFile(s), keyFile(s))
Create and switch to a new TLS context using the same options than were passed to the corresponding `addTLSLocal()` directive, but loading new certificates and keys from the selected files, replacing the existing ones.
:param str certFile(s): The path to a X.509 certificate file in PEM format, or a list of paths to such files.
:param str keyFile(s): The path to the private key file corresponding to the certificate, or a list of paths to such files, whose order should match the certFile(s) ones.
+ .. method:: TLSFrontend:loadTicketsKeys(ticketsKeysFile)
+
+ .. versionadded:: 1.6.0
+
+ Load new tickets keys from the selected file, replacing the existing ones. These keys should be rotated often and never written to persistent storage to preserve forward secrecy. The default is to generate a random key. The OpenSSL provider supports several tickets keys to be able to decrypt existing sessions after the rotation, while the GnuTLS provider only supports one key.
+ See :doc:`guides/tls-sessions-management` for more information.
+
+ :param str ticketsKeysFile: The path to a file from where TLS tickets keys should be loaded.
+
+ .. method:: TLSFrontend:reloadCertificates()
+
+ .. versionadded:: 1.6.0
+
+ Reload the current TLS certificate and key pairs.
+
+ .. method:: TLSFrontend:rotateTicketsKey()
+
+ .. versionadded:: 1.6.0
+
+ Replace the current TLS tickets key by a new random one.
+
EDNS on Self-generated answers
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Print all the certificates.
+ .. method:: DNSCryptContext:reloadCertificates()
+
+ .. versionadded:: 1.6.0
+
+ Reload the current TLS certificate and key pairs.
+
.. method:: DNSCryptContext:removeInactiveCertificate(serial)
Remove the certificate with serial `serial`. It will not be possible to answer queries tied
projects / thirdparty / pdns.git / commitdiff
