``url`` now defaults to ``/dns-query`` instead of ``/``, and does exact matching instead of accepting sub-paths. Added ``tcpListenQueueSize`` parameter.
.. versionchanged:: 1.6.0
- ``exactPathMatching`` and ``releaseBuffers`` options added.
+ ``exactPathMatching``, ``releaseBuffers`` and ``enableRenegotiation`` options added.
``internalPipeBufferSize`` now defaults to 1048576 on Linux.
Listen on the specified address and TCP port for incoming DNS over HTTPS connections, presenting the specified X.509 certificate.
* ``internalPipeBufferSize=0``: int - Set the size in bytes of the internal buffer of the pipes used internally to pass queries and responses between threads. Requires support for ``F_SETPIPE_SZ`` which is present in Linux since 2.6.35. The actual size might be rounded up to a multiple of a page size. 0 means that the OS default size is used. The default value is 0, except on Linux where it is 1048576 since 1.6.0.
* ``exactPathMatching=true``: bool - Whether to do exact path matching of the query path against the paths configured in ``urls`` (true, the default since 1.5.0) or to accepts sub-paths (false, and was the default before 1.5.0).
* ``releaseBuffers=true``: bool - Whether OpenSSL should release its I/O buffers when a connection goes idle, saving roughly 35 kB of memory per connection.
+ * ``enableRenegotiation=false``: bool - Whether secure TLS renegotiation should be enabled. Disabled by default since it increases the attack surface and is seldom used for DNS.
.. function:: addTLSLocal(address, certFile(s), keyFile(s) [, options])
.. versionchanged:: 1.5.0
``sessionTimeout`` and ``tcpListenQueueSize`` options added.
.. versionchanged:: 1.6.0
- ``maxInFlight`` and ``releaseBuffers`` options added.
+ ``maxInFlight``, ``releaseBuffers`` and ``enableRenegotiation`` options added.
Listen on the specified address and TCP port for incoming DNS over TLS connections, presenting the specified X.509 certificate.
* ``tcpListenQueueSize=SOMAXCONN``: int - Set the size of the listen queue. Default is ``SOMAXCONN``.
* ``maxInFlight=0``: int - Maximum number of in-flight queries. The default is 0, which disables out-of-order processing.
* ``releaseBuffers=true``: bool - Whether OpenSSL should release its I/O buffers when a connection goes idle, saving roughly 35 kB of memory per connection.
+ * ``enableRenegotiation=false``: bool - Whether secure TLS renegotiation should be enabled (OpenSSL only, the GnuTLS provider does not support it). Disabled by default since it increases the attack surface and is seldom used for DNS.
.. function:: setLocal(address[, options])
#endif /* SSL_OP_PRIORITIZE_CHACHA */
}
+ if (!config.d_enableRenegotiation) {
+#ifdef SSL_OP_NO_RENEGOTIATION
+ sslOptions |= SSL_OP_NO_RENEGOTIATION;
+#endif
+ }
+
SSL_CTX_set_options(ctx.get(), sslOptions);
if (!libssl_set_min_tls_version(ctx, config.d_minTLSVersion)) {
throw std::runtime_error("Failed to set the minimum version to '" + libssl_tls_version_to_string(config.d_minTLSVersion));