tls string {
ca-file quoted_string;
cert-file quoted_string;
- ciphers string; // experimental
+ ciphers string;
dhparam-file quoted_string;
hostname quoted_string;
key-file quoted_string;
const cfg_obj_t *http_server = NULL;
in_port_t port = 0;
isc_dscp_t dscp = -1;
- const char *key = NULL, *cert = NULL, *dhparam_file = NULL;
+ const char *key = NULL, *cert = NULL, *dhparam_file = NULL,
+ *ciphers = NULL;
bool do_tls = false, no_tls = false, http = false;
ns_listenelt_t *delt = NULL;
uint32_t tls_protos = 0;
*dhparam_obj = NULL;
const cfg_obj_t *tlsmap = NULL;
const cfg_obj_t *tls_proto_list = NULL;
+ const cfg_obj_t *ciphers_obj = NULL;
do_tls = true;
ISC_R_SUCCESS) {
dhparam_file = cfg_obj_asstring(dhparam_obj);
}
+
+ if (cfg_map_get(tlsmap, "ciphers", &ciphers_obj) ==
+ ISC_R_SUCCESS) {
+ ciphers = cfg_obj_asstring(ciphers_obj);
+ }
}
}
tls_params = (ns_listen_tls_params_t){ .key = key,
.cert = cert,
.protocols = tls_protos,
- .dhparam_file = dhparam_file };
+ .dhparam_file = dhparam_file,
+ .ciphers = ciphers };
httpobj = cfg_tuple_get(ltup, "http");
if (httpobj != NULL && cfg_obj_isstring(httpobj)) {
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+tls local-tls {
+ key-file "key.pem";
+ cert-file "cert.pem";
+ ciphers "$bad:ciphers";
+};
+
+options {
+ listen-on port 853 tls local-tls { 10.53.0.1; };
+};
key-file "key.pem";
cert-file "cert.pem";
dhparam-file "dhparam.pem";
+ ciphers "HIGH:!aNULL:!MD5:!RC4";
};
http local-http-server {
key-file "key.pem";
cert-file "cert.pem";
dhparam-file "dhparam.pem";
+ ciphers "HIGH:!aNULL:!MD5:!RC4";
};
options {
Declares communication channels to get access to ``named`` statistics.
``tls``
- Specifies configuration information for a TLS connection, including a ``key-file``, ``cert-file``, ``ca-file``, ``dhparam-file``, ``hostname``, and ``protocols``.
+ Specifies configuration information for a TLS connection, including a ``key-file``, ``cert-file``, ``ca-file``, ``dhparam-file``, ``hostname``, ``ciphers``, and ``protocols``.
``http``
Specifies configuration information for an HTTP connection, including ``endponts``, ``listener-clients`` and ``streams-per-connection``.
versions might be specified (e.g.
``protocols { TLSv1.2; TLSv1.3; };``).
+ ``ciphers``
+ Cipher list which defines allowed ciphers, such as
+ ``HIGH:!aNULL:!MD5:!SHA1:!SHA256:!SHA384``. The string must be
+ formed according to the rules specified in the OpenSSL documentation
+ (see https://www.openssl.org/docs/man1.1.1/man1/ciphers.html
+ for details).
+
There are two built-in TLS connection configurations: ``ephemeral``,
uses a temporary key and certificate created for the current ``named``
session only, and ``none``, which can be used when setting up an HTTP
tls string {
ca\-file quoted_string;
cert\-file quoted_string;
- ciphers string; // experimental
+ ciphers string;
dhparam\-file quoted_string;
hostname quoted_string;
key\-file quoted_string;
tls <string> {
ca-file <quoted_string>;
cert-file <quoted_string>;
- ciphers <string>; // experimental
+ ciphers <string>;
dhparam-file <quoted_string>;
hostname <quoted_string>;
key-file <quoted_string>;
tls <string> {
ca-file <quoted_string>;
cert-file <quoted_string>;
- ciphers <string>; // experimental
+ ciphers <string>;
dhparam-file <quoted_string>;
hostname <quoted_string>;
key-file <quoted_string>;
tls <string> {
ca-file <quoted_string>;
cert-file <quoted_string>;
- ciphers <string>; // experimental
+ ciphers <string>;
dhparam-file <quoted_string>;
hostname <quoted_string>;
key-file <quoted_string>;
isc_log_t *logctx, isc_symtab_t *symtab) {
isc_result_t result, tresult;
const cfg_obj_t *tls_proto_list = NULL, *tls_key = NULL,
- *tls_cert = NULL;
+ *tls_cert = NULL, *tls_ciphers = NULL;
uint32_t tls_protos = 0;
isc_symvalue_t symvalue;
}
}
+ /* Check cipher list string is valid */
+ tresult = cfg_map_get(tlsobj, "ciphers", &tls_ciphers);
+ if (tresult == ISC_R_SUCCESS) {
+ const char *ciphers = cfg_obj_asstring(tls_ciphers);
+ if (!isc_tls_cipherlist_valid(ciphers)) {
+ cfg_obj_log(tls_ciphers, logctx, ISC_LOG_ERROR,
+ "'ciphers' in the 'tls' clause '%s' is "
+ "not a "
+ "valid cipher list string",
+ name);
+ result = ISC_R_FAILURE;
+ }
+ }
+
return (result);
}
* \li 'dhaprams_file' a valid pointer to a non empty string.
*/
+bool
+isc_tls_cipherlist_valid(const char *cipherlist);
+/*%<
+ * Check if cipher list string is valid.
+ *
+ * Requires:
+ * \li 'cipherlist' a valid pointer to a non empty string.
+ */
+
+void
+isc_tlsctx_set_cipherlist(isc_tlsctx_t *ctx, const char *cipherlist);
+/*%<
+ * Set cipher list string for on the given TLS context 'ctx'.
+ *
+ * Requires:
+ * \li 'ctx' != NULL;
+ * \li 'cipherlist' a valid pointer to a non empty string.
+ */
+
isc_tls_t *
isc_tls_create(isc_tlsctx_t *ctx);
/*%<
return (true);
}
+bool
+isc_tls_cipherlist_valid(const char *cipherlist) {
+ isc_tlsctx_t *tmp_ctx = NULL;
+ const SSL_METHOD *method = NULL;
+ bool result;
+ REQUIRE(cipherlist != NULL);
+
+ if (*cipherlist == '\0') {
+ return (false);
+ }
+
+ method = TLS_server_method();
+ if (method == NULL) {
+ return (false);
+ }
+ tmp_ctx = SSL_CTX_new(method);
+ if (tmp_ctx == NULL) {
+ return (false);
+ }
+
+ result = SSL_CTX_set_cipher_list(tmp_ctx, cipherlist) == 1;
+
+ isc_tlsctx_free(&tmp_ctx);
+
+ return (result);
+}
+
+void
+isc_tlsctx_set_cipherlist(isc_tlsctx_t *ctx, const char *cipherlist) {
+ REQUIRE(ctx != NULL);
+ REQUIRE(cipherlist != NULL);
+ REQUIRE(*cipherlist != '\0');
+
+ RUNTIME_CHECK(SSL_CTX_set_cipher_list(ctx, cipherlist) == 1);
+}
+
isc_tls_t *
isc_tls_create(isc_tlsctx_t *ctx) {
isc_tls_t *newctx = NULL;
{ "hostname", &cfg_type_qstring, 0 },
{ "dhparam-file", &cfg_type_qstring, 0 },
{ "protocols", &cfg_type_tlsprotos, 0 },
- { "ciphers", &cfg_type_astring, CFG_CLAUSEFLAG_EXPERIMENTAL },
+ { "ciphers", &cfg_type_astring, 0 },
{ NULL, NULL, 0 }
};
const char *cert;
uint32_t protocols;
const char *dhparam_file;
+ const char *ciphers;
} ns_listen_tls_params_t;
/***
return (ISC_R_FAILURE);
}
}
+
+ if (tls_params->ciphers != NULL) {
+ isc_tlsctx_set_cipherlist(sslctx, tls_params->ciphers);
+ }
}
elt = isc_mem_get(mctx, sizeof(*elt));