tls <string> {
ca-file <quoted_string>;
cert-file <quoted_string>;
+ cipher-suites <string>;
ciphers <string>;
dhparam-file <quoted_string>;
key-file <quoted_string>;
isc_log_t *logctx, isc_symtab_t *symtab) {
isc_result_t result, tresult;
const cfg_obj_t *tls_proto_list = NULL, *tls_key = NULL,
- *tls_cert = NULL, *tls_ciphers = NULL;
+ *tls_cert = NULL, *tls_ciphers = NULL,
+ *tls_cipher_suites = NULL;
uint32_t tls_protos = 0;
isc_symvalue_t symvalue;
}
}
+ /* Check if the cipher suites string is valid */
+ tresult = cfg_map_get(tlsobj, "cipher-suites", &tls_cipher_suites);
+ if (tresult == ISC_R_SUCCESS) {
+ const char *cipher_suites = cfg_obj_asstring(tls_cipher_suites);
+ if (!isc_tls_cipher_suites_valid(cipher_suites)) {
+ cfg_obj_log(
+ tls_cipher_suites, logctx, ISC_LOG_ERROR,
+ "'cipher-suites' in the 'tls' clause '%s' is "
+ "not a valid cipher suites string",
+ name);
+ result = ISC_R_FAILURE;
+ }
+ }
+
return (result);
}
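Review bot: The new `cipher-suites` check only validates the string's syntax and never relates it to the protocol set this function already tracks in `tls_protos`; if an operator restricts `protocols` so that TLSv1.3 is excluded, a valid `cipher-suites` value is accepted but can never take effect, since the `HAVE_SSL_CTX_SET_CIPHERSUITES` guard in the clause table suggests this maps to SSL_CTX_set_ciphersuites(), which governs TLS 1.3 only (confirm against the TLS helper). A `cfg_obj_log(..., ISC_LOG_WARNING, ...)` when `tls_protos` is non-zero and lacks the TLSv1.3 bit would keep the setting from being silently inert; I cannot see the bit's name here, so use whatever the protocols parser defines. The check also runs unconditionally, so `isc_tls_cipher_suites_valid()` must exist in builds without SSL_CTX_set_ciphersuites(), where the clause is marked not configured — worth confirming it links there. A comment above the block such as `/* 'cipher-suites' covers TLS 1.3 only; 'ciphers' covers earlier versions */` would also spare the next reader the OpenSSL lookup. The enclosing check function starts before this hunk.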
{ "dhparam-file", &cfg_type_qstring, 0 },
{ "protocols", &cfg_type_tlsprotos, 0 },
{ "ciphers", &cfg_type_astring, 0 },
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
+ { "cipher-suites", &cfg_type_astring, 0 },
+#else
+ { "cipher-suites", &cfg_type_astring, CFG_CLAUSEFLAG_NOTCONFIGURED },
+#endif
{ "prefer-server-ciphers", &cfg_type_boolean, 0 },
{ "session-tickets", &cfg_type_boolean, 0 },
{ NULL, NULL, 0 }
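Review bot: The `#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES` pair gives no reason why `cipher-suites` is conditional while the neighbouring `ciphers` entry is not, and a reader hitting the not-configured error at runtime will come here first; a one-line comment above the `#ifdef` such as `/* TLS 1.3 cipher suites need SSL_CTX_set_ciphersuites(); without it the clause is accepted by the parser but reported as not configured */` would document the build dependency (hedging the parser behaviour, since how CFG_CLAUSEFLAG_NOTCONFIGURED is enforced is not visible here). If the grammar documentation for the `tls` clause lists `cipher-suites` unconditionally, as the first hunk suggests, that text should carry the same build caveat so operators on older TLS libraries are not surprised.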