From ba20dc97880e1a8ed5c94e1cb4450d92b4e9d8be Mon Sep 17 00:00:00 2001
From: Remi Gacogne
Date: Mon, 9 Jul 2018 11:35:54 +0200
Subject: [PATCH] dnsdist: Rename disableTickets to sessionTickets
---
 pdns/dnsdist-lua.cc | 4 ++--
 pdns/dnsdistdist/docs/reference/config.rst | 4 ++--
 pdns/dnsdistdist/tcpiohandler.cc | 16 ++++++++--------
 pdns/dnsdistdist/tcpiohandler.hh | 2 +-
 4 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/pdns/dnsdist-lua.cc b/pdns/dnsdist-lua.cc
index 4f52440929..1d85f758ec 100644
--- a/pdns/dnsdist-lua.cc
+++ b/pdns/dnsdist-lua.cc
@@ -1514,8 +1514,8 @@ void setupLuaConfig(bool client)
 frontend->d_numberOfTicketsKeys = std::stoi(boost::get((*vars)["numberOfTicketsKeys"]));
 }
- if (vars->count("disableTickets")) {
- frontend->d_disableTickets = boost::get((*vars)["disableTickets"]);
+ if (vars->count("sessionTickets")) {
+ frontend->d_enableTickets = boost::get((*vars)["sessionTickets"]);
 }
 }
diff --git a/pdns/dnsdistdist/docs/reference/config.rst b/pdns/dnsdistdist/docs/reference/config.rst
index a0ee1e01fe..f4ebf5959d 100644
--- a/pdns/dnsdistdist/docs/reference/config.rst
+++ b/pdns/dnsdistdist/docs/reference/config.rst
@@ -91,7 +91,7 @@ Listen Sockets
 .. versionadded:: 1.3.0
 .. versionchanged:: 1.3.1
 ``certFile(s)`` and ``keyFile(s)`` parameters accept a list of files.
- ``disableTickets`` option added.
+ ``sessionTickets`` option added.
 Listen on the specified address and TCP port for incoming DNS over TLS connections, presenting the specified X.509 certificate.
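Review bot: The new lookup checks only `vars->count("sessionTickets")`, so a configuration that still sets `disableTickets` is no longer read and silently falls back to the new default of tickets enabled, which is the opposite of what that operator asked for. If `disableTickets` ever shipped in a release (the config.rst hunk in this commit keeps it under the 1.3.1 versionchanged note, so it may still be unreleased), keep accepting the old key for a deprecation period with the inverted sense, e.g. `if (vars->count("disableTickets")) { frontend->d_enableTickets = !boost::get<bool>((*vars)["disableTickets"]); }` plus a deprecation warning. The template argument of `boost::get` appears to have been lost in this rendering of the patch. setupLuaConfig continues on both sides of the hunk.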
@@ -113,7 +113,7 @@ Listen Sockets
 * ``numberOfTicketsKeys``: int - The maximum number of tickets keys to keep in memory at the same time, if the provider supports it (GnuTLS doesn't, OpenSSL does). Only one key is marked as active and used to encrypt new tickets while the remaining ones can still be used to decrypt existing tickets after a rotation. Default to 5.
 * ``ticketKeyFile``: str - The path to a file from where TLS tickets keys should be loaded, to support RFC 5077. These keys should be rotated often and never written to persistent storage to preserve forward secrecy. The default is to generate a random key. The OpenSSL provider supports several tickets keys to be able to decrypt existing sessions after the rotation, while the GnuTLS provider only supports one key.
 * ``ticketsKeysRotationDelay``: int - Set the delay before the TLS tickets key is rotated, in seconds. Default is 43200 (12h).
- * ``disableTickets``: bool - Disable the use of session resumption via session tickets. Default is false, meaning tickets are enabled.
+ * ``sessionTickets``: bool - Whether session resumption via session tickets is enabled. Default is true, meaning tickets are enabled.
 .. function:: setLocal(address[, options])
diff --git a/pdns/dnsdistdist/tcpiohandler.cc b/pdns/dnsdistdist/tcpiohandler.cc
index 0b14cf6f53..4c83f2ff88 100644
--- a/pdns/dnsdistdist/tcpiohandler.cc
+++ b/pdns/dnsdistdist/tcpiohandler.cc
@@ -372,7 +372,7 @@ public:
 SSL_OP_SINGLE_ECDH_USE |
 SSL_OP_CIPHER_SERVER_PREFERENCE;
- if (fe.d_disableTickets) {
+ if (!fe.d_enableTickets) {
 sslOptions |= SSL_OP_NO_TICKET;
 }
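Review bot: `SSL_OP_NO_TICKET` only suppresses RFC 5077 session tickets; OpenSSL's server-side session-ID cache is independent of that option (the library default is `SSL_SESS_CACHE_SERVER`), so with `sessionTickets=false` a client can presumably still resume via session IDs. If the option is meant to turn off resumption altogether (the forward-secrecy motivation the docs give for rotating ticket keys), also call `SSL_CTX_set_session_cache_mode` with `SSL_SESS_CACHE_OFF` on the context in this branch, or state in the option's description that it governs tickets only. The inverted condition itself is the correct translation of the old `d_disableTickets` test. The enclosing constructor starts and ends outside the hunk.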
@@ -650,7 +650,7 @@ class GnuTLSConnection: public TLSConnection
 {
 public:
- GnuTLSConnection(int socket, unsigned int timeout, const gnutls_certificate_credentials_t creds, const gnutls_priority_t priorityCache, std::shared_ptr& ticketsKey, bool disableTickets): d_ticketsKey(ticketsKey)
+ GnuTLSConnection(int socket, unsigned int timeout, const gnutls_certificate_credentials_t creds, const gnutls_priority_t priorityCache, std::shared_ptr& ticketsKey, bool enableTickets): d_ticketsKey(ticketsKey)
 {
 unsigned int sslOptions = GNUTLS_SERVER;
 #ifdef GNUTLS_NO_SIGNAL
@@ -673,7 +673,7 @@ public:
 throw std::runtime_error("Error setting ciphers to TLS connection");
 }
- if (!disableTickets && d_ticketsKey) {
+ if (enableTickets && d_ticketsKey) {
 const gnutls_datum_t& key = d_ticketsKey->getKey();
 if (gnutls_session_ticket_enable_server(d_conn, &key) != GNUTLS_E_SUCCESS) {
 gnutls_deinit(d_conn);
@@ -779,7 +779,7 @@ private:
 class GnuTLSIOCtx: public TLSCtx
 {
 public:
- GnuTLSIOCtx(const TLSFrontend& fe): d_disableTickets(fe.d_disableTickets)
+ GnuTLSIOCtx(const TLSFrontend& fe): d_enableTickets(fe.d_enableTickets)
 {
 int rc = 0;
 d_ticketsKeyRotationDelay = fe.d_ticketsKeyRotationDelay;
@@ -838,12 +838,12 @@ public:
 {
 handleTicketsKeyRotation(now);
- return std::unique_ptr(new GnuTLSConnection(socket, timeout, d_creds, d_priorityCache, d_ticketsKey, d_disableTickets));
+ return std::unique_ptr(new GnuTLSConnection(socket, timeout, d_creds, d_priorityCache, d_ticketsKey, d_enableTickets));
 }
 void rotateTicketsKey(time_t now) override
 {
- if (d_disableTickets) {
+ if (!d_enableTickets) {
 return;
 }
@@ -856,7 +856,7 @@ public:
 void loadTicketsKeys(const std::string& file) override
 {
- if (d_disableTickets) {
+ if (!d_enableTickets) {
 return;
 }
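Review bot: In the `loadTicketsKeys` hunk at 856, `if (!d_enableTickets) { return; }` silently discards an explicitly configured `ticketKeyFile` when `sessionTickets` is false, so an operator who sets both gets no indication that the key file was never read; the matching early return in `rotateTicketsKey` at 838 is harmless, but the load path deserves a diagnostic. Log a warning before that `return;`, with a comment such as `// tickets disabled on this frontend: the configured tickets key file is ignored`, or reject the combination where both options are parsed in setupLuaConfig. The `std::shared_ptr` and `std::unique_ptr` template arguments appear to have been lost in this rendering of the patch. Each of these functions continues outside its hunk.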
@@ -876,7 +876,7 @@ private:
 gnutls_certificate_credentials_t d_creds{nullptr};
 gnutls_priority_t d_priorityCache{nullptr};
 std::shared_ptr d_ticketsKey{nullptr};
- bool d_disableTickets{false};
+ bool d_enableTickets{true};
 };
 #endif /* HAVE_GNUTLS */
diff --git a/pdns/dnsdistdist/tcpiohandler.hh b/pdns/dnsdistdist/tcpiohandler.hh
index 287e93760e..b276994e27 100644
--- a/pdns/dnsdistdist/tcpiohandler.hh
+++ b/pdns/dnsdistdist/tcpiohandler.hh
@@ -139,7 +139,7 @@ public:
 int d_tcpFastOpenQueueSize{0};
 uint8_t d_numberOfTicketsKeys{5};
 bool d_reusePort{false};
- bool d_disableTickets{false};
+ bool d_enableTickets{true};
 private:
 std::shared_ptr d_ctx{nullptr};
-- 
2.47.2