- Merge #1401: Add a new build-time option for system TLS.
The --enable-system-tls flag enables the
tls-use-system-policy-versions setting by default.
#endif
+/* Define to 1 to prefer TLS crypto settings from the system. */
+#undef USE_SYSTEM_TLS
+
/* Define this to enable server TCP Fast Open. */
#undef USE_TCP_FASTOPEN
SOURCEDETERMINE
IPSET_OBJ
IPSET_SRC
+SYSTEM_TLS_DEFAULT
IPSECMOD_HEADER
IPSECMOD_OBJ
CACHEDB_OBJ
with_libsodium
enable_cachedb
enable_ipsecmod
+enable_system_tls
enable_ipset
with_libmnl
enable_explicit_port_randomisation
storage
--enable-ipsecmod Enable ipsecmod module that facilitates
opportunistic IPsec
+ --enable-system-tls Enable preference of system configured TLS socket
+ options
--enable-ipset enable ipset module
--disable-explicit-port-randomisation
disable explicit source port randomisation and rely
;;
esac
+# check for system TLS preference if requested
+# Check whether --enable-system-tls was given.
+if test ${enable_system_tls+y}
+then :
+ enableval=$enable_system_tls;
+fi
+
+case "$enable_system_tls" in
+ yes)
+
+printf "%s\n" "#define USE_SYSTEM_TLS 1" >>confdefs.h
+
+ SYSTEM_TLS_DEFAULT="yes"
+ ;;
+ no|*)
+ SYSTEM_TLS_DEFAULT="no"
+ ;;
+esac
+
+
# check for ipset if requested
# Check whether --enable-ipset was given.
if test ${enable_ipset+y}
case "$enable_system_tls" in
yes)
AC_DEFINE([USE_SYSTEM_TLS], [1], [Define to 1 to prefer TLS crypto settings from the system.])
+ SYSTEM_TLS_DEFAULT="yes"
;;
no|*)
- # nothing
+ SYSTEM_TLS_DEFAULT="no"
;;
esac
+AC_SUBST([SYSTEM_TLS_DEFAULT])
# check for ipset if requested
AC_ARG_ENABLE(ipset, AS_HELP_STRING([--enable-ipset],[enable ipset module]))
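Review bot: The new SYSTEM_TLS_DEFAULT substitution and the `AC_DEFINE([USE_SYSTEM_TLS], ...)` it sits next to never say what the flag changes, while the Changelog and man-page text in this same change show that it flips the default of tls-use-system-policy-versions to yes, so a packager reading configure alone cannot tell that the TLS server will then offer every protocol version the system crypto policy still allows (possibly TLS 1.0/1.1 on a permissive policy) instead of only the latest one. I would state that in the define itself: `AC_DEFINE([USE_SYSTEM_TLS], [1], [Define to 1 to make tls-use-system-policy-versions default to yes, i.e. accept every TLS version the system crypto policy allows instead of only the latest.])`. The option's help string, which the generated configure in this change renders as "Enable preference of system configured TLS socket options", has the same problem — it is TLS protocol versions, not socket options, that are affected — but the `AC_ARG_ENABLE` line producing it lies outside this hunk. The `no|*)` arm keeps any value other than `yes` (for example `--enable-system-tls=auto`) on the stricter default, which is the safe direction; whether the runtime code actually reads USE_SYSTEM_TLS to apply that default is not visible here.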
+9 February 2026: Wouter
+ - Merge #1401: Add a new build-time option for system TLS.
+ The --enable-system-tls flag enables the
+ tls-use-system-policy-versions setting by default.
+
6 February 2026: Yorgos
- Fix #1389: [FR] replacement with ECC-GOST12 according to RFC9558.
Patch contributed by Igor V. Ruzanov, available in
# Allow general-purpose version-flexible TLS server configuration that
# may be further restricted by the system's policy.
# Use only if you want to support legacy TLS client connections.
- # Default is no and Unbound will only use the latest available TLS
- # version.
+ # Default is a compilation choice.
+ # With 'no' Unbound will only use the latest available TLS version.
# Changing the value requires a reload.
# tls-use-system-policy-versions: no
@@UAHL@unbound.conf@tls-use-system-policy-versions@@: *<yes or no>*
- Enable or disable general-puspose version-flexible TLS server configuration
+ Enable or disable general-purpose version-flexible TLS server configuration
when serving TLS.
This will allow the whole list of available TLS versions provided by the
crypto library, which may have been further restricted by the system's
crypto policy.
- By default Unbound only uses the latest available TLS version.
+ If disabled Unbound only uses the latest available TLS version.
+
+ The default depends on a compilation choice, it is set
+ at @SYSTEM_TLS_DEFAULT@ .
.. caution:: Use only if you want to support legacy TLS client connections.
.. note:: Changing the value requires a reload.
- Default: no
+ Default: @SYSTEM_TLS_DEFAULT@
@@UAHL@unbound.conf@pad-responses@@: *<yes or no>*