ca-file quoted_string;
cert-file quoted_string;
ciphers string; // experimental
- dh-param quoted_string; // experimental
+ dhparam-file quoted_string;
hostname quoted_string;
key-file quoted_string;
protocols { string; ... };
const cfg_obj_t *http_server = NULL;
in_port_t port = 0;
isc_dscp_t dscp = -1;
- const char *key = NULL, *cert = NULL;
+ const char *key = NULL, *cert = NULL, *dhparam_file = NULL;
bool do_tls = false, no_tls = false, http = false;
ns_listenelt_t *delt = NULL;
uint32_t tls_protos = 0;
} else if (strcasecmp(tlsname, "ephemeral") == 0) {
do_tls = true;
} else {
- const cfg_obj_t *keyobj = NULL, *certobj = NULL;
+ const cfg_obj_t *keyobj = NULL, *certobj = NULL,
+ *dhparam_obj = NULL;
const cfg_obj_t *tlsmap = NULL;
const cfg_obj_t *tls_proto_list = NULL;
tls_protos |= ver;
}
}
+
+ if (cfg_map_get(tlsmap, "dhparam-file", &dhparam_obj) ==
+ ISC_R_SUCCESS) {
+ dhparam_file = cfg_obj_asstring(dhparam_obj);
+ }
}
}
tls_params = (ns_listen_tls_params_t){ .key = key,
.cert = cert,
- .protocols = tls_protos };
+ .protocols = tls_protos,
+ .dhparam_file = dhparam_file };
httpobj = cfg_tuple_get(ltup, "http");
if (httpobj != NULL && cfg_obj_isstring(httpobj)) {
protocols { TLSv1.2; };
key-file "key.pem";
cert-file "cert.pem";
+ dhparam-file "dhparam.pem";
};
http local-http-server {
protocols { TLSv1.2; };
key-file "key.pem";
cert-file "cert.pem";
+ dhparam-file "dhparam.pem";
};
options {
--- /dev/null
+-----BEGIN DH PARAMETERS-----
+MIIBiAKCAYEA5D/Oioe+G+EMf/9RVxmcV4rZAtqZpVTFHcX0ZulvdiQGCQmopm6K
+3+0uoU2J6WVMjhna5nHD2NO9miRDI/jIxX9g9k6PedSB4o3fSTtkAnGtUbB8S+Ab
+EHtWfd7FTES8P1n16HN7BfPXVbP8zTcK+jO63KdQoxueYoETcrw0Myi9Lm8ri8os
+O4oQ+XAH7GzZ60bcYV9jge0XIRUGVnYZDjWMlnwMvZyjLivxKXTC9HPNA6FF1/0H
+0LPhsfjdoLNsVHFzfQz7QELMfHbTd0C8y0UMDQw9FqUp0esHZ5gsTlqnDHp2ZHoR
+JDfNl4yVO5Gv4HiFJ0NSdggefhESU3FRAOhMmUkctOCxk5hyPqGMsvofOajY2MBp
+eCffrKuAU6/dGUeq8inwrZlAMIZ20WyskHmbHnc4DXo2Uo6xSZo3xyEq1ofXXwTZ
+vPw4e12so3RJAT2a8UsHf7DG1tH+9ke7HCAJQWxUizRFRsMi1Nl/7ikS4f3zgIbX
+GKz9+uk5eS6jAgEC
+-----END DH PARAMETERS-----
tls local {
key-file "key.pem";
cert-file "cert.pem";
+ dhparam-file "dhparam3072.pem";
};
http local {
Declares communication channels to get access to ``named`` statistics.
``tls``
- Specifies configuration information for a TLS connection, including a ``key-file``, ``cert-file``, ``ca-file``, ``hostname``, and ``protocols``.
+ Specifies configuration information for a TLS connection, including a ``key-file``, ``cert-file``, ``ca-file``, ``dhparam-file``, ``hostname``, and ``protocols``.
``http``
Specifies configuration information for an HTTP connection, including ``endponts``, ``listener-clients`` and ``streams-per-connection``.
``ca-file``
Path to a file containing trusted TLS certificates.
+ ``dhparam-file``
+ Path to a file containing Diffie-Hellman parameters,
+ which is needed to enable the cipher suites depending on the
+ Diffie-Hellman ephemeral key exchange (DHE). Having these parameters
+ specified is essential for enabling perfect forward secrecy capable
+ ciphers in TLSv1.2.
+
``hostname``
The hostname associated with the certificate.
ca\-file quoted_string;
cert\-file quoted_string;
ciphers string; // experimental
- dh\-param quoted_string; // experimental
+ dhparam\-file quoted_string;
hostname quoted_string;
key\-file quoted_string;
protocols { string; ... };
ca-file <quoted_string>;
cert-file <quoted_string>;
ciphers <string>; // experimental
- dh-param <quoted_string>; // experimental
+ dhparam-file <quoted_string>;
hostname <quoted_string>;
key-file <quoted_string>;
protocols { <string>; ... };
ca-file <quoted_string>;
cert-file <quoted_string>;
ciphers <string>; // experimental
- dh-param <quoted_string>; // experimental
+ dhparam-file <quoted_string>;
hostname <quoted_string>;
key-file <quoted_string>;
protocols { <string>; ... };
ca-file <quoted_string>;
cert-file <quoted_string>;
ciphers <string>; // experimental
- dh-param <quoted_string>; // experimental
+ dhparam-file <quoted_string>;
hostname <quoted_string>;
key-file <quoted_string>;
protocols { <string>; ... };
*\li 'name' != NULL.
*/
+bool
+isc_tlsctx_load_dhparams(isc_tlsctx_t *ctx, const char *dhparams_file);
+/*%<
+ * Load Diffie-Hellman parameters file and apply it to the given TLS context
+ * 'ctx'.
+ *
+ * Requires:
+ * \li 'ctx' != NULL;
+ * \li 'dhaprams_file' a valid pointer to a non empty string.
+ */
+
isc_tls_t *
isc_tls_create(isc_tlsctx_t *ctx);
/*%<
#include <openssl/bn.h>
#include <openssl/conf.h>
+#include <openssl/dh.h>
#include <openssl/err.h>
#include <openssl/opensslv.h>
#include <openssl/rand.h>
(void)SSL_CTX_clear_options(ctx, clear_options);
}
+bool
+isc_tlsctx_load_dhparams(isc_tlsctx_t *ctx, const char *dhparams_file) {
+ REQUIRE(ctx != NULL);
+ REQUIRE(dhparams_file != NULL);
+ REQUIRE(*dhparams_file != '\0');
+
+#ifdef SSL_CTX_set_tmp_dh
+ /* OpenSSL < 3.0 */
+ DH *dh = NULL;
+ FILE *paramfile;
+
+ paramfile = fopen(dhparams_file, "r");
+
+ if (paramfile) {
+ int check = 0;
+ dh = PEM_read_DHparams(paramfile, NULL, NULL, NULL);
+ fclose(paramfile);
+
+ if (dh == NULL) {
+ return (false);
+ } else if (DH_check(dh, &check) != 1 || check != 0) {
+ DH_free(dh);
+ return (false);
+ }
+ } else {
+ return (false);
+ }
+
+ if (SSL_CTX_set_tmp_dh(ctx, dh) != 1) {
+ DH_free(dh);
+ return (false);
+ }
+
+ DH_free(dh);
+#else
+ /* OpenSSL >= 3.0: SSL_CTX_set_tmp_dh() is deprecated in OpenSSL 3.0 */
+ EVP_PKEY *dh = NULL;
+ BIO *bio = NULL;
+
+ bio = BIO_new_file(dhparams_file, "r");
+ if (bio == NULL) {
+ return (false);
+ }
+
+ dh = PEM_read_bio_Parameters(bio, NULL);
+ if (dh == NULL) {
+ BIO_free(bio);
+ return (false);
+ }
+
+ if (SSL_CTX_set0_tmp_dh_pkey(ctx, dh) != 1) {
+ BIO_free(bio);
+ EVP_PKEY_free(dh);
+ return (false);
+ }
+
+ /* No need to call EVP_PKEY_free(dh) as the "dh" is owned by the
+ * SSL context at this point. */
+
+ BIO_free(bio);
+#endif
+
+ return (true);
+}
+
isc_tls_t *
isc_tls_create(isc_tlsctx_t *ctx) {
isc_tls_t *newctx = NULL;
{ "cert-file", &cfg_type_qstring, 0 },
{ "ca-file", &cfg_type_qstring, 0 },
{ "hostname", &cfg_type_qstring, 0 },
- { "dh-param", &cfg_type_qstring, CFG_CLAUSEFLAG_EXPERIMENTAL },
+ { "dhparam-file", &cfg_type_qstring, 0 },
{ "protocols", &cfg_type_tlsprotos, 0 },
{ "ciphers", &cfg_type_astring, CFG_CLAUSEFLAG_EXPERIMENTAL },
{ NULL, NULL, 0 }
const char *key;
const char *cert;
uint32_t protocols;
+ const char *dhparam_file;
} ns_listen_tls_params_t;
/***
if (tls_params->protocols != 0) {
isc_tlsctx_set_protocols(sslctx, tls_params->protocols);
}
+
+ if (tls_params->dhparam_file != NULL) {
+ if (!isc_tlsctx_load_dhparams(sslctx,
+ tls_params->dhparam_file))
+ {
+ isc_tlsctx_free(&sslctx);
+ return (ISC_R_FAILURE);
+ }
+ }
}
elt = isc_mem_get(mctx, sizeof(*elt));
./bin/tests/system/doth/clean.sh SH 2020,2021
./bin/tests/system/doth/example.axfr.good X 2021
./bin/tests/system/doth/ns2/cert.pem X 2021
+./bin/tests/system/doth/ns2/dhparam3072.pem X 2021
./bin/tests/system/doth/ns2/key.pem X 2021
./bin/tests/system/doth/setup.sh SH 2021
./bin/tests/system/doth/stress_http_quota.py PYTHON-BIN 2021