From: Artem Boldariev Date: Mon, 29 Nov 2021 08:45:35 +0000 (+0200) Subject: Disable unused 'tls' clause options: 'ca-file' and 'hostname' X-Git-Tag: v9.17.21~14^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=78b73d0865ef00062f3bca45cdbc3ca5ccb2ed43;p=thirdparty%2Fbind9.git Disable unused 'tls' clause options: 'ca-file' and 'hostname' This commit disables the unused 'tls' clause options. For these some backing code exists, but their values are not really used anywhere, nor there are sufficient syntax tests for them. These options are only disabled temporarily, until TLS certificate verification gets implemented.
---
diff --git a/bin/named/named.conf.rst b/bin/named/named.conf.rst
index e04891ab2ad..28a39c45e01 100644
--- a/bin/named/named.conf.rst
+++ b/bin/named/named.conf.rst
@@ -561,11 +561,9 @@ TLS
 ::
 tls string {
- ca-file quoted_string;
 cert-file quoted_string;
 ciphers string;
 dhparam-file quoted_string;
- hostname quoted_string;
 key-file quoted_string;
 prefer-server-ciphers boolean;
 protocols { string; ... };
diff --git a/bin/named/transportconf.c b/bin/named/transportconf.c
index ea696af73b5..618696bb7aa 100644
--- a/bin/named/transportconf.c
+++ b/bin/named/transportconf.c
@@ -71,10 +71,16 @@ add_doh_transports(const cfg_obj_t *transportlist, dns_transport_list_t *list) {
 dns_transport_set_keyfile);
 parse_transport_option(doh, transport, "cert-file",
 dns_transport_set_certfile);
+#if 0
+ /*
+ * The following two options need to remain unavailable until
+ * TLS certificate verification gets implemented.
+ */
 parse_transport_option(doh, transport, "ca-file",
 dns_transport_set_cafile);
 parse_transport_option(doh, transport, "hostname",
 dns_transport_set_hostname);
+#endif
 }
 return (ISC_R_SUCCESS);
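Review bot: The `#if 0` block added ahead of the `ca-file` and `hostname` calls keeps both `parse_transport_option()` invocations as dead code, and its comment says only that the options must stay unavailable, not why that matters to whoever operates the server; since the commit message says TLS certificate verification is not implemented yet, that is the fact a maintainer needs to see here. I would extend the comment with `* Until verification exists, a peer certificate presented on a TLS transport is not checked against any CA or hostname; do not re-enable these options without wiring that up.` and a tracking reference such as `* TODO(<issue-id>): re-enable once verification lands.`, with the real issue id filled in. The same `#if 0` block appears in the add_tls_transports hunk below and around the matching entries of tls_clauses[] in lib/isccfg/namedconf.c, so the comment should be updated in all three places; whether the `dns_transport_set_cafile()` and `dns_transport_set_hostname()` setters remain compiled in lib/dns is not visible here. The enclosing add_doh_transports() body begins before this hunk.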
@@ -115,10 +121,16 @@ add_tls_transports(const cfg_obj_t *transportlist, dns_transport_list_t *list) {
 dns_transport_set_keyfile);
 parse_transport_option(tls, transport, "cert-file",
 dns_transport_set_certfile);
+#if 0
+ /*
+ * The following two options need to remain unavailable until
+ * TLS certificate verification gets implemented.
+ */
 parse_transport_option(tls, transport, "ca-file",
 dns_transport_set_cafile);
 parse_transport_option(tls, transport, "hostname",
 dns_transport_set_hostname);
+#endif
 }
 return (ISC_R_SUCCESS);
diff --git a/bin/tests/system/checkconf/good-dot-doh-tls-nokeycert.conf b/bin/tests/system/checkconf/good-dot-doh-tls-nokeycert.conf
index 9814074ecc6..fff3a5b176c 100644
--- a/bin/tests/system/checkconf/good-dot-doh-tls-nokeycert.conf
+++ b/bin/tests/system/checkconf/good-dot-doh-tls-nokeycert.conf
@@ -12,5 +12,4 @@
 # In some cases a "tls" statement may omit key-file and cert-file.
 tls local-tls {
 protocols {TLSv1.2;};
- hostname "fqdn.example.com";
 };
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index 24840958132..0562bbe6278 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -293,7 +293,7 @@ The following statements are supported:
 Declares communication channels to get access to ``named`` statistics.
 ``tls``
- Specifies configuration information for a TLS connection, including a ``key-file``, ``cert-file``, ``ca-file``, ``dhparam-file``, ``hostname``, ``ciphers``, ``protocols``, ``prefer-server-ciphers``, and ``session-tickets``.
+ Specifies configuration information for a TLS connection, including a ``key-file``, ``cert-file``, ``dhparam-file``, ``ciphers``, ``protocols``, ``prefer-server-ciphers``, and ``session-tickets``.
 ``http``
 Specifies configuration information for an HTTP connection, including ``endponts``, ``listener-clients`` and ``streams-per-connection``.
@@ -4756,9 +4756,6 @@ The following options can be specified in a ``tls`` statement:
 Path to a file containing the TLS certificate to be used for the connection.
- ``ca-file``
- Path to a file containing trusted TLS certificates.
-
 ``dhparam-file``
 Path to a file containing Diffie-Hellman parameters, which is needed to enable the cipher suites depending on the
@@ -4766,9 +4763,6 @@ The following options can be specified in a ``tls`` statement:
 specified is essential for enabling perfect forward secrecy capable ciphers in TLSv1.2.
- ``hostname``
- The hostname associated with the certificate.
-
 ``protocols``
 Allowed versions of the TLS protocol. TLS version 1.2 and higher are supported, depending on the cryptographic library in use. Multiple
diff --git a/doc/man/named.conf.5in b/doc/man/named.conf.5in
index 7e129e4bf14..de092a77df4 100644
--- a/doc/man/named.conf.5in
+++ b/doc/man/named.conf.5in
@@ -652,11 +652,9 @@ statistics\-channels {
 .nf
 .ft C
 tls string {
- ca\-file quoted_string;
 cert\-file quoted_string;
 ciphers string;
 dhparam\-file quoted_string;
- hostname quoted_string;
 key\-file quoted_string;
 prefer\-server\-ciphers boolean;
 protocols { string; ... };
diff --git a/doc/misc/options b/doc/misc/options
index 02b6f7b6091..86967657ae4 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -457,11 +457,9 @@ statistics-channels {
 }; // may occur multiple times
 tls {
- ca-file ;
 cert-file ;
 ciphers ;
 dhparam-file ;
- hostname ;
 key-file ;
 prefer-server-ciphers ;
 protocols { ; ... };
diff --git a/doc/misc/options.active b/doc/misc/options.active
index 491a025ed4c..bd4ceb26ae8 100644
--- a/doc/misc/options.active
+++ b/doc/misc/options.active
@@ -454,11 +454,9 @@ statistics-channels {
 }; // may occur multiple times
 tls {
- ca-file ;
 cert-file ;
 ciphers ;
 dhparam-file ;
- hostname ;
 key-file ;
 prefer-server-ciphers ;
 protocols { ; ... };
diff --git a/doc/misc/tls.grammar.rst b/doc/misc/tls.grammar.rst
index 98f724a6d8f..96780c11559 100644
--- a/doc/misc/tls.grammar.rst
+++ b/doc/misc/tls.grammar.rst
@@ -1,11 +1,9 @@
 ::
 tls {
- ca-file ;
 cert-file ;
 ciphers ;
 dhparam-file ;
- hostname ;
 key-file ;
 prefer-server-ciphers ;
 protocols { ; ... };
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 4067adf093d..4ba4b0a17ce 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -3886,8 +3886,14 @@ static cfg_type_t cfg_type_tlsprotos = { "tls_protocols",
 static cfg_clausedef_t tls_clauses[] = {
 { "key-file", &cfg_type_qstring, 0 },
 { "cert-file", &cfg_type_qstring, 0 },
+#if 0
+ /*
+ * The following two options need to remain unavailable until TLS
+ * certificate verification gets implemented.
+ */
 { "ca-file", &cfg_type_qstring, 0 },
 { "hostname", &cfg_type_qstring, 0 },
+#endif
 { "dhparam-file", &cfg_type_qstring, 0 },
 { "protocols", &cfg_type_tlsprotos, 0 },
 { "ciphers", &cfg_type_astring, 0 },
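Review bot: Removing `ca-file` and `hostname` from tls_clauses[] means a named.conf that still sets either option will presumably fail to parse — the same commit has to drop `hostname` from the checkconf fixture good-dot-doh-tls-nokeycert.conf, which points that way — yet the commit message does not mention that previously accepted configurations are now rejected. Rejecting is the right direction, because silently accepting a `ca-file` that is never consulted would let an operator believe peer certificates are being verified when, per the commit message, verification is not implemented; the incompatibility should still be stated in the description and release notes. As a point of style, `#if 0` inside an initializer list leaves two entries as dead text the compiler never sees while git history preserves them anyway; if they stay, the comment should name the operator-visible effect, e.g. `* Configurations that use ca-file or hostname are rejected by the parser until then.`. The remaining entries and the closing brace of tls_clauses[] lie outside this hunk.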