if (vars.count("validateCertificates")) {
tlsParams.d_validateCertificates = boost::get<bool>(vars.at("validateCertificates"));
}
+ if (vars.count("releaseBuffers")) {
+ tlsParams.d_releaseBuffers = boost::get<bool>(vars.at("releaseBuffers"));
+ }
+ if (vars.count("enableRenegotiation")) {
+ tlsParams.d_enableRenegotiation = boost::get<bool>(vars.at("enableRenegotiation"));
+ }
+
+
if (vars.count("subjectName")) {
ret->d_tlsSubjectName = boost::get<string>(vars.at("subjectName"));
}
Added ``maxInFlight`` to server_table.
.. versionchanged:: 1.7.0
- Added ``caStore``, ``checkTCP``, ``ciphers``, ``ciphers13``, ``dohPath``, ``subjectName``, ``tcpOnly``, ``tls`` and ``validateCertificates`` to server_table.
+ Added ``caStore``, ``checkTCP``, ``ciphers``, ``ciphers13``, ``dohPath``, ``enableRenegotiation``, ``releaseBuffers``, ``subjectName``, ``tcpOnly``, ``tls`` and ``validateCertificates`` to server_table.
Add a new backend server. Call this function with either a string::
ciphersTLS13=STRING, -- The ciphers to use for TLS 1.3, when the OpenSSL provider is used. When the GnuTLS provider is used, ``ciphers`` applies regardless of the TLS protocol and this setting is not used.
subjectName=STRING, -- The subject name passed in the SNI value of the TLS handshake, and against which to validate the certificate presented by the backend. Default is empty.
validateCertificates=BOOL,-- Whether the certificate presented by the backend should be validated against the CA store (see ``caStore``). Default is true.
- dohPath=STRING -- Enable DNS over HTTPS communication for this backend, using POST queries to the HTTP host supplied as ``subjectName`` and the HTTP path supplied in this parameter.
+ dohPath=STRING, -- Enable DNS over HTTPS communication for this backend, using POST queries to the HTTP host supplied as ``subjectName`` and the HTTP path supplied in this parameter.
+ releaseBuffers=BOOL, -- Whether OpenSSL should release its I/O buffers when a connection goes idle, saving roughly 35 kB of memory per connection. Default to true.
+ enableRenegotiation=BOOL -- Whether secure TLS renegotiation should be enabled. Disabled by default since it increases the attack surface and is seldom used for DNS.
})
:param str server_string: A simple IP:PORT string.
SSL_OP_SINGLE_DH_USE |
SSL_OP_SINGLE_ECDH_USE |
SSL_OP_CIPHER_SERVER_PREFERENCE;
+ if (!params.d_enableRenegotiation) {
+#ifdef SSL_OP_NO_RENEGOTIATION
+ sslOptions |= SSL_OP_NO_RENEGOTIATION;
+#elif defined(SSL_OP_NO_CLIENT_RENEGOTIATION)
+ sslOptions |= SSL_OP_NO_CLIENT_RENEGOTIATION;
+#endif
+ }
registerOpenSSLUser();
but we don't want OpenSSL to cache the session itself so we set SSL_SESS_CACHE_NO_INTERNAL_STORE as well */
SSL_CTX_set_session_cache_mode(d_tlsCtx.get(), SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_NO_INTERNAL_STORE);
SSL_CTX_sess_set_new_cb(d_tlsCtx.get(), &OpenSSLTLSIOCtx::newTicketFromServerCb);
+
+#ifdef SSL_MODE_RELEASE_BUFFERS
+ if (params.d_releaseBuffers) {
+ SSL_CTX_set_mode(d_tlsCtx.get(), SSL_MODE_RELEASE_BUFFERS);
+ }
+#endif
}
~OpenSSLTLSIOCtx() override
projects / thirdparty / pdns.git / commitdiff
