From: Remi Gacogne Date: Fri, 4 Oct 2019 09:02:08 +0000 (+0200) Subject: dnsdist: Switch the default DoT provider from GnuTLS to OpenSSL X-Git-Tag: auth-4.3.0-alpha1~31^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d94702d64fd17aaae840f674f254806f0339fcef;p=thirdparty%2Fpdns.git dnsdist: Switch the default DoT provider from GnuTLS to OpenSSL The feedback from our users is that the OpenSSL provider is faster and more stable. We also provide better Session Ticket Keys rotation options with OpenSSL. --- diff --git a/pdns/dnsdist-lua.cc b/pdns/dnsdist-lua.cc index 04c08ca21c..5609d7b664 100644 --- a/pdns/dnsdist-lua.cc +++ b/pdns/dnsdist-lua.cc @@ -1989,7 +1989,12 @@ void setupLuaConfig(bool client) try { frontend->d_addr = ComboAddress(addr, 853); - vinfolog("Loading TLS provider %s", frontend->d_provider); + if (!frontend->d_provider.empty()) { + vinfolog("Loading TLS provider '%s'", frontend->d_provider); + } + else { + vinfolog("Loading default TLS provider 'openssl'"); + } // only works pre-startup, so no sync necessary auto cs = std::unique_ptr(new ClientState(frontend->d_addr, true, reusePort, tcpFastOpenQueueSize, interface, cpus)); cs->tlsFrontend = frontend; diff --git a/pdns/dnsdistdist/docs/reference/config.rst b/pdns/dnsdistdist/docs/reference/config.rst index 844e7f7e9e..d01cd3490d 100644 --- a/pdns/dnsdistdist/docs/reference/config.rst +++ b/pdns/dnsdistdist/docs/reference/config.rst @@ -161,7 +161,7 @@ Listen Sockets * ``tcpFastOpenQueueSize=0``: int - Set the TCP Fast Open queue size, enabling TCP Fast Open when available and the value is larger than 0. * ``interface=""``: str - Set the network interface to use. * ``cpus={}``: table - Set the CPU affinity for this listener thread, asking the scheduler to run it on a single CPU id, or a set of CPU ids. This parameter is only available if the OS provides the pthread_setaffinity_np() function. - * ``provider``: str - The TLS library to use between GnuTLS and OpenSSL, if they were available and enabled at compilation time. + * ``provider``: str - The TLS library to use between GnuTLS and OpenSSL, if they were available and enabled at compilation time. Default is to use OpenSSL when available. * ``ciphers``: str - The TLS ciphers to use. The exact format depends on the provider used. When the OpenSSL provder is used, ciphers for TLS 1.3 must be specified via ``ciphersTLS13``. * ``ciphersTLS13``: str - The ciphers to use for TLS 1.3, when the OpenSSL provider is used. When the GnuTLS provider is used, ``ciphers`` applies regardless of the TLS protocol and this setting is not used. * ``numberOfTicketsKeys``: int - The maximum number of tickets keys to keep in memory at the same time, if the provider supports it (GnuTLS doesn't, OpenSSL does). Only one key is marked as active and used to encrypt new tickets while the remaining ones can still be used to decrypt existing tickets after a rotation. Default to 5. diff --git a/pdns/dnsdistdist/tcpiohandler.cc b/pdns/dnsdistdist/tcpiohandler.cc index 4eaf0a924d..f529c922cd 100644 --- a/pdns/dnsdistdist/tcpiohandler.cc +++ b/pdns/dnsdistdist/tcpiohandler.cc @@ -886,13 +886,13 @@ bool TLSFrontend::setupTLS() } #endif /* HAVE_LIBSSL */ } -#ifdef HAVE_GNUTLS - d_ctx = std::make_shared(*this); -#else /* HAVE_GNUTLS */ #ifdef HAVE_LIBSSL d_ctx = std::make_shared(*this); -#endif /* HAVE_LIBSSL */ +#else /* HAVE_LIBSSL */ +#ifdef HAVE_GNUTLS + d_ctx = std::make_shared(*this); #endif /* HAVE_GNUTLS */ +#endif /* HAVE_LIBSSL */ #endif /* HAVE_DNS_OVER_TLS */ return true;