daemon/tls: use GNUTLS_NO_TICKETS_TLS12

diff --git a/NEWS b/NEWS
index b2e5297647a48ef813cb4e59a6bd022ec9f44d24..0d90f6e1c6fe9c4777f84dd6394d7f5c68884d82 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,10 @@
 Knot Resolver 5.5.1 (2022-mm-dd)
 ================================
 
+Improvements
+------------
+- daemon/tls: disable TLS resumption via tickets for TLS <= 1.2 (#742, !1295)
+
 Bugfixes
 --------
 - modules/dns64: fix incorrect packet writes for cached packets (#727, !1275)

diff --git a/daemon/bindings/net_tlssrv.rst b/daemon/bindings/net_tlssrv.rst
index 4690383e2361b0933ef7f32cdb7cd429c3e27fd3..8306cfc225c37c82cd14c7e338ea575a2ba9af74 100644 (file)
--- a/daemon/bindings/net_tlssrv.rst
+++ b/daemon/bindings/net_tlssrv.rst
@@ -113,15 +113,18 @@ by a trusted CA. This is done using function :c:func:`net.tls()`.
    This synchronization works only among instances having the same endianness
    and time_t structure and size (`sizeof(time_t)`).
 
+.. _pfs: https://en.wikipedia.org/wiki/Forward_secrecy
+
    **For good security** the secret must have enough entropy to be hard to guess,
    and it should still be occasionally rotated manually and securely forgotten,
    to reduce the scope of privacy leak in case the
-   `secret leaks eventually <https://en.wikipedia.org/wiki/Forward_secrecy>`_.
+   `secret leaks eventually <pfs_>`_.
 
-   .. warning:: **Setting the secret is probably too risky with TLS <= 1.2**.
-      GnuTLS stable release supports TLS 1.3 since 3.6.3 (summer 2018).
-      Therefore setting the secrets should be considered experimental for now
-      and might not be available on your system.
+   .. warning:: **Setting the secret is probably too risky with TLS <= 1.2 and
+      GnuTLS < 3.7.5**. GnuTLS 3.7.5 adds an option to disable resumption via
+      tickets for TLS <= 1.2, enabling them only for protocols that do guarantee
+      `PFS <pfs_>`_. Knot Resolver makes use of this new option when linked
+      against GnuTLS >= 3.7.5.
 
 .. function:: net.tls_sticket_secret_file([string with path to a file containing pre-shared secret])
 

diff --git a/daemon/tls.c b/daemon/tls.c
index f958214ab5c22157e7c179d25c5d13cd417ae9a1..ccbb02dfebb438d42920ebd18d20faed123df24c 100644 (file)
--- a/daemon/tls.c
+++ b/daemon/tls.c
@@ -332,7 +332,12 @@ struct tls_ctx *tls_new(struct worker_ctx *worker)
                return NULL;
        }
 
-       int err = gnutls_init(&tls->c.tls_session, GNUTLS_SERVER | GNUTLS_NONBLOCK);
+       int flags = GNUTLS_SERVER | GNUTLS_NONBLOCK;
+#if GNUTLS_VERSION_NUMBER >= 0x030705
+       if (gnutls_check_version("3.7.5"))
+               flags |= GNUTLS_NO_TICKETS_TLS12;
+#endif
+       int err = gnutls_init(&tls->c.tls_session, flags);
        if (err != GNUTLS_E_SUCCESS) {
                kr_log_error(TLS, "gnutls_init(): %s (%d)\n", gnutls_strerror_name(err), err);
                tls_free(tls);
@@ -1067,6 +1072,10 @@ struct tls_client_ctx *tls_client_ctx_new(tls_client_param_t *entry,
                             | GNUTLS_ENABLE_FALSE_START
 #endif
        ;
+#if GNUTLS_VERSION_NUMBER >= 0x030705
+       if (gnutls_check_version("3.7.5"))
+               flags |= GNUTLS_NO_TICKETS_TLS12;
+#endif
        int ret = gnutls_init(&ctx->c.tls_session,  flags);
        if (ret != GNUTLS_E_SUCCESS) {
                tls_client_ctx_free(ctx);