dhparam-file quoted_string;
hostname quoted_string;
key-file quoted_string;
+ prefer-server-ciphers boolean;
protocols { string; ... };
};
isc_dscp_t dscp = -1;
const char *key = NULL, *cert = NULL, *dhparam_file = NULL,
*ciphers = NULL;
+ bool tls_prefer_server_ciphers = false,
+ tls_prefer_server_ciphers_set = false;
bool do_tls = false, no_tls = false, http = false;
ns_listenelt_t *delt = NULL;
uint32_t tls_protos = 0;
const cfg_obj_t *tlsmap = NULL;
const cfg_obj_t *tls_proto_list = NULL;
const cfg_obj_t *ciphers_obj = NULL;
+ const cfg_obj_t *prefer_server_ciphers_obj = NULL;
do_tls = true;
ISC_R_SUCCESS) {
ciphers = cfg_obj_asstring(ciphers_obj);
}
+
+ if (cfg_map_get(tlsmap, "prefer-server-ciphers",
+ &prefer_server_ciphers_obj) ==
+ ISC_R_SUCCESS)
+ {
+ tls_prefer_server_ciphers = cfg_obj_asboolean(
+ prefer_server_ciphers_obj);
+ tls_prefer_server_ciphers_set = true;
+ }
}
}
- tls_params = (ns_listen_tls_params_t){ .key = key,
- .cert = cert,
- .protocols = tls_protos,
- .dhparam_file = dhparam_file,
- .ciphers = ciphers };
+ tls_params = (ns_listen_tls_params_t){
+ .key = key,
+ .cert = cert,
+ .protocols = tls_protos,
+ .dhparam_file = dhparam_file,
+ .ciphers = ciphers,
+ .prefer_server_ciphers = tls_prefer_server_ciphers,
+ .prefer_server_ciphers_set = tls_prefer_server_ciphers_set,
+ };
httpobj = cfg_tuple_get(ltup, "http");
if (httpobj != NULL && cfg_obj_isstring(httpobj)) {
cert-file "cert.pem";
dhparam-file "dhparam.pem";
ciphers "HIGH:!aNULL:!MD5:!RC4";
+ prefer-server-ciphers yes;
};
http local-http-server {
cert-file "cert.pem";
dhparam-file "dhparam.pem";
ciphers "HIGH:!aNULL:!MD5:!RC4";
+ prefer-server-ciphers yes;
};
options {
Declares communication channels to get access to ``named`` statistics.
``tls``
- Specifies configuration information for a TLS connection, including a ``key-file``, ``cert-file``, ``ca-file``, ``dhparam-file``, ``hostname``, ``ciphers``, and ``protocols``.
+ Specifies configuration information for a TLS connection, including a ``key-file``, ``cert-file``, ``ca-file``, ``dhparam-file``, ``hostname``, ``ciphers``, ``protocols``, and ``prefer-server-ciphers``.
``http``
Specifies configuration information for an HTTP connection, including ``endponts``, ``listener-clients`` and ``streams-per-connection``.
(see https://www.openssl.org/docs/man1.1.1/man1/ciphers.html
for details).
+ ``prefer-server-ciphers``
+ Specifies that server ciphers should be preferred over client ones.
+
There are two built-in TLS connection configurations: ``ephemeral``,
uses a temporary key and certificate created for the current ``named``
session only, and ``none``, which can be used when setting up an HTTP
dhparam\-file quoted_string;
hostname quoted_string;
key\-file quoted_string;
+ prefer\-server\-ciphers boolean;
protocols { string; ... };
};
.ft P
dhparam-file <quoted_string>;
hostname <quoted_string>;
key-file <quoted_string>;
+ prefer-server-ciphers <boolean>;
protocols { <string>; ... };
}; // may occur multiple times
dhparam-file <quoted_string>;
hostname <quoted_string>;
key-file <quoted_string>;
+ prefer-server-ciphers <boolean>;
protocols { <string>; ... };
}; // may occur multiple times
dhparam-file <quoted_string>;
hostname <quoted_string>;
key-file <quoted_string>;
+ prefer-server-ciphers <boolean>;
protocols { <string>; ... };
};
* \li 'cipherlist' a valid pointer to a non empty string.
*/
+void
+isc_tlsctx_prefer_server_ciphers(isc_tlsctx_t *ctx, const bool prefer);
+/*%<
+ * Make the given TLS context 'ctx' to prefer or to not prefer
+ * server side ciphers during the ciphers negotiation.
+ *
+ * Requires:
+ * \li 'ctx' != NULL.
+ */
+
isc_tls_t *
isc_tls_create(isc_tlsctx_t *ctx);
/*%<
RUNTIME_CHECK(SSL_CTX_set_cipher_list(ctx, cipherlist) == 1);
}
+void
+isc_tlsctx_prefer_server_ciphers(isc_tlsctx_t *ctx, const bool prefer) {
+ REQUIRE(ctx != NULL);
+
+ if (prefer) {
+ (void)SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+ } else {
+ (void)SSL_CTX_clear_options(ctx,
+ SSL_OP_CIPHER_SERVER_PREFERENCE);
+ }
+}
+
isc_tls_t *
isc_tls_create(isc_tlsctx_t *ctx) {
isc_tls_t *newctx = NULL;
{ "dhparam-file", &cfg_type_qstring, 0 },
{ "protocols", &cfg_type_tlsprotos, 0 },
{ "ciphers", &cfg_type_astring, 0 },
+ { "prefer-server-ciphers", &cfg_type_boolean, 0 },
{ NULL, NULL, 0 }
};
uint32_t protocols;
const char *dhparam_file;
const char *ciphers;
+ bool prefer_server_ciphers;
+ bool prefer_server_ciphers_set;
} ns_listen_tls_params_t;
/***
if (tls_params->ciphers != NULL) {
isc_tlsctx_set_cipherlist(sslctx, tls_params->ciphers);
}
+
+ if (tls_params->prefer_server_ciphers_set) {
+ isc_tlsctx_prefer_server_ciphers(
+ sslctx, tls_params->prefer_server_ciphers);
+ }
}
elt = isc_mem_get(mctx, sizeof(*elt));