From: Oto Šťáva Date: Mon, 16 May 2022 12:30:13 +0000 (+0200) Subject: daemon/tls: use GNUTLS_NO_TICKETS_TLS12 X-Git-Tag: v5.5.1~12^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e5d24873a495d944d0effa6dffb7af821d2899c9;p=thirdparty%2Fknot-resolver.git daemon/tls: use GNUTLS_NO_TICKETS_TLS12 --- diff --git a/NEWS b/NEWS index b2e529764..0d90f6e1c 100644 --- a/NEWS +++ b/NEWS @@ -1,6 +1,10 @@ Knot Resolver 5.5.1 (2022-mm-dd) ================================ +Improvements +------------ +- daemon/tls: disable TLS resumption via tickets for TLS <= 1.2 (#742, !1295) + Bugfixes -------- - modules/dns64: fix incorrect packet writes for cached packets (#727, !1275) diff --git a/daemon/bindings/net_tlssrv.rst b/daemon/bindings/net_tlssrv.rst index 4690383e2..8306cfc22 100644 --- a/daemon/bindings/net_tlssrv.rst +++ b/daemon/bindings/net_tlssrv.rst 
@@ -113,15 +113,18 @@ by a trusted CA. This is done using function :c:func:`net.tls()`. This synchronization works only among instances having the same endianness and time_t structure and size (`sizeof(time_t)`). +.. _pfs: https://en.wikipedia.org/wiki/Forward_secrecy + **For good security** the secret must have enough entropy to be hard to guess, and it should still be occasionally rotated manually and securely forgotten, to reduce the scope of privacy leak in case the - `secret leaks eventually `_. + `secret leaks eventually `_. - .. warning:: **Setting the secret is probably too risky with TLS <= 1.2**. - GnuTLS stable release supports TLS 1.3 since 3.6.3 (summer 2018). - Therefore setting the secrets should be considered experimental for now - and might not be available on your system. + .. warning:: **Setting the secret is probably too risky with TLS <= 1.2 and + GnuTLS < 3.7.5**. GnuTLS 3.7.5 adds an option to disable resumption via + tickets for TLS <= 1.2, enabling them only for protocols that do guarantee + `PFS `_. Knot Resolver makes use of this new option when linked + against GnuTLS >= 3.7.5. .. function:: net.tls_sticket_secret_file([string with path to a file containing pre-shared secret]) diff --git a/daemon/tls.c b/daemon/tls.c index f958214ab..ccbb02dfe 100644 --- a/daemon/tls.c +++ b/daemon/tls.c @@ -332,7 +332,12 @@ struct tls_ctx *tls_new(struct worker_ctx *worker) return NULL; } - int err = gnutls_init(&tls->c.tls_session, GNUTLS_SERVER | GNUTLS_NONBLOCK); + int flags = GNUTLS_SERVER | GNUTLS_NONBLOCK; +#if GNUTLS_VERSION_NUMBER >= 0x030705 + if (gnutls_check_version("3.7.5")) + flags |= GNUTLS_NO_TICKETS_TLS12; +#endif + int err = gnutls_init(&tls->c.tls_session, flags); if (err != GNUTLS_E_SUCCESS) { kr_log_error(TLS, "gnutls_init(): %s (%d)\n", gnutls_strerror_name(err), err); tls_free(tls); 
@@ -1067,6 +1072,10 @@ struct tls_client_ctx *tls_client_ctx_new(tls_client_param_t *entry, | GNUTLS_ENABLE_FALSE_START #endif ; +#if GNUTLS_VERSION_NUMBER >= 0x030705 + if (gnutls_check_version("3.7.5")) + flags |= GNUTLS_NO_TICKETS_TLS12; +#endif int ret = gnutls_init(&ctx->c.tls_session, flags); if (ret != GNUTLS_E_SUCCESS) { tls_client_ctx_free(ctx);
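Review bot: the NEWS entry (NEWS hunk) states the change unconditionally, "disable TLS resumption via tickets for TLS <= 1.2", but the daemon/tls.c hunks only set GNUTLS_NO_TICKETS_TLS12 under `#if GNUTLS_VERSION_NUMBER >= 0x030705` together with `gnutls_check_version("3.7.5")`. Suggest adding the condition to the entry, for example "when built and run with GnuTLS >= 3.7.5", so operators on older GnuTLS do not read it as applying to them.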
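Review bot: in the daemon/bindings/net_tlssrv.rst hunk, the new warning says the option is used "when linked against GnuTLS >= 3.7.5", which is looser than what the code in daemon/tls.c checks: the headers at build time must be at least 0x030705 and the library found at run time must pass `gnutls_check_version("3.7.5")`. Suggest wording the warning to name both conditions, and stating explicitly that with an older GnuTLS on either side the secret remains risky for TLS <= 1.2, since that is the case the reader needs to recognise.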
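Review bot: in the tls_new() hunk of daemon/tls.c, when either the `#if GNUTLS_VERSION_NUMBER >= 0x030705` guard or the `gnutls_check_version("3.7.5")` call fails, the flag is skipped silently and the session is created exactly as before the patch. Consider logging once (for instance when a ticket secret is configured) that GNUTLS_NO_TICKETS_TLS12 is unavailable, so the condition the documentation warns about is visible in the logs. A one-line comment on why both a compile-time and a run-time version check are present would also help the next reader.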
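Review bot: the tls_client_ctx_new() hunk of daemon/tls.c repeats the same four lines (`#if GNUTLS_VERSION_NUMBER >= 0x030705` / `if (gnutls_check_version("3.7.5"))` / `flags |= GNUTLS_NO_TICKETS_TLS12;`) that the tls_new() hunk adds. Suggest moving the check into one small static helper or macro used by both call sites, so the server and client paths cannot drift apart if the version condition changes. The NEWS entry and the documentation hunk describe the change in terms of the server-side ticket secret only; a short mention that client sessions get the flag too would match what this hunk does.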