;;
esac
-# check for system TLS preference if requested
-AC_ARG_ENABLE(system-tls, AS_HELP_STRING([--enable-system-tls],[Enable preference of system configured TLS socket options]))
-case "$enable_system_tls" in
- yes)
- AC_DEFINE([USE_SYSTEM_TLS], [1], [Define to 1 to prefer TLS crypto settings from the system.])
- SYSTEM_TLS_DEFAULT="yes"
- ;;
- no|*)
- SYSTEM_TLS_DEFAULT="no"
- ;;
-esac
-AC_SUBST([SYSTEM_TLS_DEFAULT])
-
# check for ipset if requested
AC_ARG_ENABLE(ipset, AS_HELP_STRING([--enable-ipset],[enable ipset module]))
case "$enable_ipset" in
cfg->tls_ciphers, cfg->tls_ciphersuites,
(cfg->tls_session_ticket_keys.first &&
cfg->tls_session_ticket_keys.first->str[0] != 0),
- is_dot, is_doh, cfg->tls_use_system_policy_versions))) {
+ is_dot, is_doh, cfg->tls_protocols))) {
fatal_exit("could not set up listen SSL_CTX");
}
}
log_crypto_err("could not SSL_CTX_new");
return 0;
}
- if(!listen_sslctx_setup(rc->ctx, cfg->tls_use_system_policy_versions)) {
+ if(!listen_sslctx_setup(rc->ctx, cfg->tls_protocols)) {
return 0;
}
FR_CHECK_CHANGED_CFG("http_notls_downstream", http_notls_downstream, changed_str);
FR_CHECK_CHANGED_CFG("https-port", https_port, changed_str);
FR_CHECK_CHANGED_CFG("tls-port", ssl_port, changed_str);
+ FR_CHECK_CHANGED_CFG_STR("tls-protocols", tls_protocols, changed_str);
FR_CHECK_CHANGED_CFG_STRLIST("proxy-protocol-port", proxy_protocol_port, changed_str);
FR_CHECK_CHANGED_CFG_STRLIST("tls-additional-port", tls_additional_port, changed_str);
FR_CHECK_CHANGED_CFG_STR("interface-automatic-ports", if_automatic_ports, changed_str);
m += getmem_config_strlist(cfg->tls_session_ticket_keys.first);
m += getmem_str(cfg->tls_ciphers);
m += getmem_str(cfg->tls_ciphersuites);
+ m += getmem_str(cfg->tls_protocols);
m += getmem_str(cfg->http_endpoint);
m += (cfg->outgoing_avail_ports?65536*sizeof(int):0);
m += getmem_str(cfg->target_fetch_policy);
COPY_VAR_ptr(tls_session_ticket_keys.last);
COPY_VAR_ptr(tls_ciphers);
COPY_VAR_ptr(tls_ciphersuites);
+ COPY_VAR_ptr(tls_protocols);
COPY_VAR_int(tls_use_sni);
- COPY_VAR_int(tls_use_system_policy_versions);
COPY_VAR_int(https_port);
COPY_VAR_ptr(http_endpoint);
COPY_VAR_uint32_t(http_max_streams);
/** create new socket (unconnected, not base-added), or NULL malloc fail */
static struct tap_socket* tap_socket_new_tlsaccept(char* ip,
void (*ev_cb)(int, short, void*), void* data, char* server_key,
- char* server_cert, char* verifypem)
+ char* server_cert, char* verifypem, char* tls_protocols)
{
struct tap_socket* s = calloc(1, sizeof(*s));
if(!s) {
s->ev_cb = ev_cb;
s->data = data;
s->sslctx = listen_sslctx_create(server_key, server_cert, verifypem,
- NULL, NULL, 0, 0, 0, 0);
+ NULL, NULL, 0, 0, 0, tls_protocols);
if(!s->sslctx) {
log_err("could not create ssl context");
free(s->ip);
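Review bot: The new `tls_protocols` parameter is only ever forwarded to listen_sslctx_create, whose matching parameter is `const char*` in this commit, and nothing in the visible code writes through it, so it can be declared `const char* tls_protocols` here and in the same way in setup_tls_list, setup_and_run and the `char* tls_protocols = "TLSv1.2 TLSv1.3";` initialiser in main further down. That also avoids binding a string literal to a mutable `char*` in main. tap_socket_new_tlsaccept's body continues past the end of the hunk.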
/** setup tls accept sockets */
static void setup_tls_list(struct main_tap_data* maindata,
struct config_strlist_head* tls_list, char* server_key,
- char* server_cert, char* verifypem)
+ char* server_cert, char* verifypem, char* tls_protocols)
{
struct config_strlist* item;
for(item = tls_list->first; item; item = item->next) {
struct tap_socket* s;
s = tap_socket_new_tlsaccept(item->str, &dtio_mainfdcallback,
- maindata, server_key, server_cert, verifypem);
+ maindata, server_key, server_cert, verifypem, tls_protocols);
if(!s) fatal_exit("out of memory");
if(!tap_socket_list_insert(&maindata->acceptlist, s))
fatal_exit("out of memory");
setup_and_run(struct config_strlist_head* local_list,
struct config_strlist_head* tcp_list,
struct config_strlist_head* tls_list, char* server_key,
- char* server_cert, char* verifypem)
+ char* server_cert, char* verifypem, char* tls_protocols)
{
time_t secs = 0;
struct timeval now;
setup_local_list(maindata, local_list);
setup_tcp_list(maindata, tcp_list);
setup_tls_list(maindata, tls_list, server_key, server_cert,
- verifypem);
+ verifypem, tls_protocols);
if(!tap_socket_list_addevs(maindata->acceptlist, base))
fatal_exit("could not setup accept events");
if(verbosity) log_info("start of service");
struct config_strlist_head tcp_list;
struct config_strlist_head tls_list;
char* server_key = NULL, *server_cert = NULL, *verifypem = NULL;
+
+ char* tls_protocols = "TLSv1.2 TLSv1.3";
#ifdef USE_WINSOCK
WSADATA wsa_data;
if(WSAStartup(MAKEWORD(2,2), &wsa_data) != 0) {
#endif /* HAVE_SSL */
}
setup_and_run(&local_list, &tcp_list, &tls_list, server_key,
- server_cert, verifypem);
+ server_cert, verifypem, tls_protocols);
config_delstrlist(local_list.first);
config_delstrlist(tcp_list.first);
config_delstrlist(tls_list.first);
# tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
# Use the SNI extension for TLS connections. Default is yes.
- # Changing the value requires a reload.
+ # Changing the value requires a restart.
# tls-use-sni: yes
- # Allow general-purpose version-flexible TLS server configuration that
- # may be further restricted by the system's policy.
- # Use only if you want to support legacy TLS client connections.
- # Default is a compilation choice.
- # With 'no' Unbound will only use the latest available TLS version.
- # Changing the value requires a reload.
- # tls-use-system-policy-versions: no
+ # TLS protocols.
+ # Changing the value requires a restart.
+ # tls-protocols: "TLSv1.2 TLSv1.3"
# Add the secret file for TLS Session Ticket.
# Secret file must be 80 bytes of random data.
\fBNOTE:\fP
.INDENT 7.0
.INDENT 3.5
-Changing the value requires a reload.
+Changing the value requires a restart.
.UNINDENT
.UNINDENT
.sp
.UNINDENT
.INDENT 0.0
.TP
-.B tls\-use\-system\-policy\-versions: \fI<yes or no>\fP
-Enable or disable general\-purpose version\-flexible TLS server configuration
-when serving TLS.
-This will allow the whole list of available TLS versions provided by the
-crypto library, which may have been further restricted by the system\(aqs
-crypto policy.
-.sp
-If disabled Unbound only uses the latest available TLS version.
-.sp
-The default depends on a compilation choice, it is set
-at @SYSTEM_TLS_DEFAULT@ .
-.sp
-\fBCAUTION:\fP
-.INDENT 7.0
-.INDENT 3.5
-Use only if you want to support legacy TLS client connections.
-.UNINDENT
-.UNINDENT
+.B tls\-protocols: \fI\(dq<list of protocols>\(dq\fP
+Specify the allowed TLS protocol versions to use, in no particular order.
+Possible values are \fBTLSv1.2\fP and \fBTLSv1.3\fP\&.
+Enclose list of protocols in quotes (\fB\(dq\(dq\fP) and put spaces between them.
.sp
\fBNOTE:\fP
.INDENT 7.0
.INDENT 3.5
-Changing the value requires a reload.
+Changing the value requires a restart.
.UNINDENT
.UNINDENT
.sp
-Default: @SYSTEM_TLS_DEFAULT@
+Default: \(dqTLSv1.2 TLSv1.3\(dq
.UNINDENT
.INDENT 0.0
.TP
@@UAHL@unbound.conf@tls-use-sni@@: *<yes or no>*
Enable or disable sending the SNI extension on TLS connections.
- .. note:: Changing the value requires a reload.
+ .. note:: Changing the value requires a restart.
Default: yes
-@@UAHL@unbound.conf@tls-use-system-policy-versions@@: *<yes or no>*
- Enable or disable general-purpose version-flexible TLS server configuration
- when serving TLS.
- This will allow the whole list of available TLS versions provided by the
- crypto library, which may have been further restricted by the system's
- crypto policy.
+@@UAHL@unbound.conf@tls-protocols@@: *"<list of protocols>"*
+ Specify the allowed TLS protocol versions to use, in no particular order.
+ Possible values are ``TLSv1.2`` and ``TLSv1.3``.
+ Enclose list of protocols in quotes (``""``) and put spaces between them.
- If disabled Unbound only uses the latest available TLS version.
+ .. note:: Changing the value requires a restart.
- The default depends on a compilation choice, it is set
- at @SYSTEM_TLS_DEFAULT@ .
-
- .. caution:: Use only if you want to support legacy TLS client connections.
-
- .. note:: Changing the value requires a reload.
-
- Default: @SYSTEM_TLS_DEFAULT@
+ Default: "TLSv1.2 TLSv1.3"
@@UAHL@unbound.conf@pad-responses@@: *<yes or no>*
#ifdef HAVE_PWD_H
#include <pwd.h>
#endif
-#ifndef USE_SYSTEM_TLS
-#define USE_SYSTEM_TLS 0
-#endif
/** from cfg username, after daemonize setup performed */
uid_t cfg_uid = (uid_t)-1;
cfg->tls_cert_bundle = NULL;
cfg->tls_win_cert = 0;
cfg->tls_use_sni = 1;
- cfg->tls_use_system_policy_versions = USE_SYSTEM_TLS;
+ if(!(cfg->tls_protocols = strdup("TLSv1.2 TLSv1.3"))) goto error_exit;
cfg->https_port = UNBOUND_DNS_OVER_HTTPS_PORT;
if(!(cfg->http_endpoint = strdup("/dns-query"))) goto error_exit;
cfg->http_max_streams = 100;
else S_STR("tls-ciphers:", tls_ciphers)
else S_STR("tls-ciphersuites:", tls_ciphersuites)
else S_YNO("tls-use-sni:", tls_use_sni)
- else S_YNO("tls-use-system-policy-versions:", tls_use_system_policy_versions)
+ else if(strcmp(opt, "tls-protocols:") == 0) {
+ if(!cfg_tls_protocols_is_valid(val)) return 0;
+ free(cfg->tls_protocols);
+ return (cfg->tls_protocols = strdup(val)) != NULL;
+ }
else S_NUMBER_NONZERO("https-port:", https_port)
else S_STR("http-endpoint:", http_endpoint)
else S_NUMBER_NONZERO("http-max-streams:", http_max_streams)
else O_STR(opt, "tls-ciphers", tls_ciphers)
else O_STR(opt, "tls-ciphersuites", tls_ciphersuites)
else O_YNO(opt, "tls-use-sni", tls_use_sni)
- else O_YNO(opt, "tls-use-system-policy-versions", tls_use_system_policy_versions)
+ else O_STR(opt, "tls-protocols", tls_protocols)
else O_DEC(opt, "https-port", https_port)
else O_STR(opt, "http-endpoint", http_endpoint)
else O_UNS(opt, "http-max-streams", http_max_streams)
config_delstrlist(cfg->tls_session_ticket_keys.first);
free(cfg->tls_ciphers);
free(cfg->tls_ciphersuites);
+ free(cfg->tls_protocols);
free(cfg->http_endpoint);
if(cfg->log_identity) {
log_ident_revert_to_default();
#endif
}
+int
+cfg_tls_protocols_is_valid(const char* tls_protocols)
+{
+ const char* s = tls_protocols;
+ while(*s && isspace((unsigned char)*s)) s++;
+ while(*s && !isspace((unsigned char)*s)) {
+ if(strncmp(s, "TLSv1.2", 7) == 0 ||
+ strncmp(s, "TLSv1.3", 7) == 0) {
+ s += 7;
+ if(*s && !isspace((unsigned char)*s)) {
+ /* something is attached; fail */
+ return 0;
+ }
+ while(*s && isspace((unsigned char)*s))
+ s++;
+ continue;
+ }
+ return 0;
+ }
+ return 1;
+}
+
+void
+cfg_tls_protocols_allowed(const char* tls_protocols, int* allow12, int* allow13)
+{
+ const char* s = tls_protocols;
+ *allow12 = 0;
+ *allow13 = 0;
+ if(tls_protocols == NULL) return;
+ while(*s && isspace((unsigned char)*s)) s++;
+ while(*s && !isspace((unsigned char)*s)) {
+ if(strncmp(s, "TLSv1.2", 7) == 0) {
+ *allow12 = 1;
+ s += 7;
+ } else if(strncmp(s, "TLSv1.3", 7) == 0) {
+ *allow13 = 1;
+ s += 7;
+ } else {
+ /* Unknown word, this should never happen but skip to
+ * be safe */
+ while(*s && !isspace((unsigned char)*s))
+ s++;
+ }
+ while(*s && isspace((unsigned char)*s))
+ s++;
+ }
+}
+
int
file_get_mtime(const char* file, time_t* mtime, long* ns, int* nonexist)
{
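Review bot: cfg_tls_protocols_is_valid accepts an empty or whitespace-only string, because the outer `while(*s && ...)` loop is never entered and control falls through to `return 1;`; cfg_tls_protocols_allowed then reports neither version, so such a value passes both the parser and config_set_option yet leaves the listener with no TLS version enabled. Requiring at least one recognised token closes this: add `int found = 0;` at the top, set `found = 1;` right after `s += 7;`, and end with `return found;`. The two helpers also differ on NULL — cfg_tls_protocols_allowed returns early on a NULL string while cfg_tls_protocols_is_valid would dereference it; a matching `if(tls_protocols == NULL) return 0;` keeps them consistent. Both functions are complete within the hunk.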
char* tls_ciphersuites;
/** if SNI is to be used */
int tls_use_sni;
- /** if all TLS versions can be used; based on system policy (if any) */
- int tls_use_system_policy_versions;
+ /** TLS protocols */
+ char* tls_protocols;
/** port on which to provide DNS over HTTPS service */
int https_port;
*/
int cfg_ports_list_contains(char* ports, int p);
+/**
+ * Check if the configured string contains supported TLS protocols.
+ * @param tls_protocols: String with TLS protocols.
+ * @return true if all options are valid, else false.
+ */
+int cfg_tls_protocols_is_valid(const char* tls_protocols);
+
+/**
+ * Based on the configured TLS protocols fill which ones are allowed.
+ * @param tls_protocols: String with TLS protocols.
+ * @param allow12: will be true if TLSv1.2 is configured.
+ * @param allow13: will be true if TLSv1.3 is configured.
+ */
+void cfg_tls_protocols_allowed(const char* tls_protocols, int* allow12, int* allow13);
+
/** get the file mtime stat (or error, with errno and nonexist) */
int file_get_mtime(const char* file, time_t* mtime, long* ns, int* nonexist);
#pragma GCC diagnostic ignored "-Wsign-compare"
#endif
-#include <ctype.h>
#include <strings.h>
#ifdef HAVE_GLOB_H
# include <glob.h>
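Review bot: The removal of `#include <ctype.h>` here looks unrelated to the tls-protocols change and is worth confirming separately: if neither the lexer actions nor the generated scanner use any <ctype.h> function it is a fine cleanup, but that is not visible in this hunk. The new isspace() calls added to cfg_tls_protocols_is_valid and cfg_tls_protocols_allowed live in a different file, so please also confirm that file includes <ctype.h> itself rather than having relied on an include-order side effect.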
tls-ciphers{COLON} { YDVAR(1, VAR_TLS_CIPHERS) }
tls-ciphersuites{COLON} { YDVAR(1, VAR_TLS_CIPHERSUITES) }
tls-use-sni{COLON} { YDVAR(1, VAR_TLS_USE_SNI) }
-tls-use-system-policy-versions{COLON} { YDVAR(1, VAR_TLS_USE_SYSTEM_POLICY_VERSIONS) }
+tls-protocols{COLON} { YDVAR(1, VAR_TLS_PROTOCOLS) }
https-port{COLON} { YDVAR(1, VAR_HTTPS_PORT) }
http-endpoint{COLON} { YDVAR(1, VAR_HTTP_ENDPOINT) }
http-max-streams{COLON} { YDVAR(1, VAR_HTTP_MAX_STREAMS) }
%token VAR_DISCARD_TIMEOUT VAR_WAIT_LIMIT VAR_WAIT_LIMIT_COOKIE
%token VAR_WAIT_LIMIT_NETBLOCK VAR_WAIT_LIMIT_COOKIE_NETBLOCK
%token VAR_STREAM_WAIT_SIZE VAR_TLS_CIPHERS VAR_TLS_CIPHERSUITES VAR_TLS_USE_SNI
-%token VAR_TLS_USE_SYSTEM_POLICY_VERSIONS
+%token VAR_TLS_PROTOCOLS
%token VAR_IPSET VAR_IPSET_NAME_V4 VAR_IPSET_NAME_V6
%token VAR_TLS_SESSION_TICKET_KEYS VAR_RPZ VAR_TAGS VAR_RPZ_ACTION_OVERRIDE
%token VAR_RPZ_CNAME_OVERRIDE VAR_RPZ_LOG VAR_RPZ_LOG_NAME
server_stream_wait_size | server_tls_ciphers |
server_tls_ciphersuites | server_tls_session_ticket_keys |
server_answer_cookie | server_cookie_secret | server_ip_ratelimit_cookie |
- server_tls_use_sni | server_edns_client_string |
- server_tls_use_system_policy_versions |
+ server_tls_use_sni | server_edns_client_string | server_tls_protocols |
server_edns_client_string_opcode | server_nsid |
server_zonemd_permissive_mode | server_max_reuse_tcp_queries |
server_tcp_reuse_timeout | server_tcp_auth_query_timeout |
free($2);
}
;
-server_tls_use_system_policy_versions: VAR_TLS_USE_SYSTEM_POLICY_VERSIONS STRING_ARG
+server_tls_protocols: VAR_TLS_PROTOCOLS STRING_ARG
{
- OUTYY(("P(server_tls_use_system_policy_versions:%s)\n", $2));
- if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
- yyerror("expected yes or no.");
- else cfg_parser->cfg->tls_use_system_policy_versions = (strcmp($2, "yes")==0);
- free($2);
+ OUTYY(("P(server_tls_protocols:%s)\n", $2));
+ if(!cfg_tls_protocols_is_valid($2))
+ yyerror("tls-protocols: valid values are 'TLSv1.2' and 'TLSv1.3'.");
+ free(cfg_parser->cfg->tls_protocols);
+ cfg_parser->cfg->tls_protocols = $2;
}
;
server_https_port: VAR_HTTPS_PORT STRING_ARG
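Review bot: When cfg_tls_protocols_is_valid rejects `$2`, the rule still frees the previous value and stores the rejected string in `cfg_parser->cfg->tls_protocols`, whereas the removed server_tls_use_system_policy_versions rule left the config untouched and freed `$2` on error. If yyerror only records the error and parsing continues (not visible here) this is harmless once the whole config read fails, but keeping the last valid value is the safer and consistent shape: `if(!cfg_tls_protocols_is_valid($2)) { yyerror("tls-protocols: valid values are 'TLSv1.2' and 'TLSv1.3'."); free($2); }` followed by `else { free(cfg_parser->cfg->tls_protocols); cfg_parser->cfg->tls_protocols = $2; }`.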
#endif /* HAVE_SSL */
int
-listen_sslctx_setup(void* ctxt, int use_system_versions)
+listen_sslctx_setup(void* ctxt, const char* tls_protocols)
{
#ifdef HAVE_SSL
+ int allow12, allow13;
SSL_CTX* ctx = (SSL_CTX*)ctxt;
+ cfg_tls_protocols_allowed(tls_protocols, &allow12, &allow13);
+
/* no SSLv2, SSLv3 because has defects */
#if SSL_OP_NO_SSLv2 != 0
if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2) & SSL_OP_NO_SSLv2)
return 0;
}
#endif
- if(!use_system_versions) {
- if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
- != SSL_OP_NO_SSLv3){
- log_crypto_err("could not set SSL_OP_NO_SSLv3");
- return 0;
- }
+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3) & SSL_OP_NO_SSLv3)
+ != SSL_OP_NO_SSLv3){
+ log_crypto_err("could not set SSL_OP_NO_SSLv3");
+ return 0;
+ }
#if defined(SSL_OP_NO_TLSv1) && defined(SSL_OP_NO_TLSv1_1)
- /* if we have tls 1.1 disable 1.0 */
- if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1) & SSL_OP_NO_TLSv1)
- != SSL_OP_NO_TLSv1){
- log_crypto_err("could not set SSL_OP_NO_TLSv1");
- return 0;
- }
+ /* if we have tls 1.1 disable 1.0 */
+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1) & SSL_OP_NO_TLSv1)
+ != SSL_OP_NO_TLSv1){
+ log_crypto_err("could not set SSL_OP_NO_TLSv1");
+ return 0;
+ }
#endif
#if defined(SSL_OP_NO_TLSv1_1) && defined(SSL_OP_NO_TLSv1_2)
- /* if we have tls 1.2 disable 1.1 */
- if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1) & SSL_OP_NO_TLSv1_1)
- != SSL_OP_NO_TLSv1_1){
- log_crypto_err("could not set SSL_OP_NO_TLSv1_1");
- return 0;
- }
+ /* if we have tls 1.2 disable 1.1 */
+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1) & SSL_OP_NO_TLSv1_1)
+ != SSL_OP_NO_TLSv1_1){
+ log_crypto_err("could not set SSL_OP_NO_TLSv1_1");
+ return 0;
+ }
#endif
-#if defined(SSL_OP_NO_TLSv1_2) && defined(SSL_OP_NO_TLSv1_3)
- /* if we have tls 1.3 disable 1.2 */
+#if defined(SSL_OP_NO_TLSv1_2)
+ if(!allow12) {
+ /* we are not allowed to use TLS1.2 */
if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2) & SSL_OP_NO_TLSv1_2)
!= SSL_OP_NO_TLSv1_2){
log_crypto_err("could not set SSL_OP_NO_TLSv1_2");
return 0;
}
+ }
#endif
+#if defined(SSL_OP_NO_TLSv1_3)
+ if(!allow13) {
+ /* we are not allowed to use TLS1.3 */
+ if((SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_3) & SSL_OP_NO_TLSv1_3)
+ != SSL_OP_NO_TLSv1_3){
+ log_crypto_err("could not set SSL_OP_NO_TLSv1_3");
+ return 0;
+ }
}
+#endif
#if defined(SSL_OP_NO_RENEGOTIATION)
/* disable client renegotiation */
if((SSL_CTX_set_options(ctx, SSL_OP_NO_RENEGOTIATION) &
SSL_CTX_set_security_level(ctx, 0);
#endif
#else
- (void)ctxt;
+ (void)ctxt; (void)tls_protocols;
#endif /* HAVE_SSL */
return 1;
}
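Review bot: When cfg_tls_protocols_allowed leaves both allow12 and allow13 at zero — which it does for a NULL string and for any string naming neither version — this function disables TLSv1.2 and TLSv1.3 on top of the unconditional SSLv3/TLSv1.0/TLSv1.1 disables and still returns 1, so the listener comes up but can never complete a handshake and nothing is logged. Failing closed with a message is cheap: directly after the cfg_tls_protocols_allowed call add `if(!allow12 && !allow13) { log_err("tls-protocols: no TLS protocol version is allowed"); return 0; }`. A related corner: on a build where SSL_OP_NO_TLSv1_3 is not defined (presumably a library without TLSv1.3), a configuration of only `TLSv1.3` passes validation yet TLSv1.2 is disabled here, again leaving no usable version; a comment on the `#if defined(SSL_OP_NO_TLSv1_2)` branch, or treating that case like the check above, would make the behaviour explicit.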
void* listen_sslctx_create(const char* key, const char* pem,
const char* verifypem, const char* tls_ciphers,
const char* tls_ciphersuites, int set_ticket_keys_cb,
- int is_dot, int is_doh, int use_system_versions)
+ int is_dot, int is_doh, const char* tls_protocols)
{
#ifdef HAVE_SSL
SSL_CTX* ctx = SSL_CTX_new(SSLv23_server_method());
SSL_CTX_free(ctx);
return NULL;
}
- if(!listen_sslctx_setup(ctx, use_system_versions)) {
+ if(!listen_sslctx_setup(ctx, tls_protocols)) {
SSL_CTX_free(ctx);
return NULL;
}
/**
* Set SSL_OP_NOxxx options on SSL context to disable bad crypto
* @param ctxt: SSL_CTX*
- * @param use_system_versions: rely on the system policy (if any) for allowed
- * TLS versions
+ * @param tls_protocols: configure string with allowed TLS protocols to use.
* @return false on failure.
*/
-int listen_sslctx_setup(void* ctxt, int use_system_versions);
+int listen_sslctx_setup(void* ctxt, const char* tls_protocols);
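Review bot: The new `@param tls_protocols` line reads "configure string" and leaves the interpretation of the value to the reader; given the implementation in this commit, the contract is worth spelling out: `@param tls_protocols: configured string with the allowed TLS protocol versions, space separated; recognised values are "TLSv1.2" and "TLSv1.3". A NULL or empty string disables both versions.` The same wording applies to the listen_sslctx_create comment in the next hunk, which repeats the "configure string" phrasing.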
/**
* Further setup of listening SSL context, after keys loaded.
* to be set.
* @param is_dot: if the TLS connection is for DoT to set the appropriate ALPN.
* @param is_doh: if the TLS connection is for DoH to set the appropriate ALPN.
- * @param use_system_versions: rely on the system policy (if any) for allowed
- * TLS versions
+ * @param tls_protocols: configure string with allowed TLS protocols to use.
* return SSL_CTX* or NULL on failure (logged).
*/
void* listen_sslctx_create(const char* key, const char* pem,
const char* verifypem, const char* tls_ciphers,
const char* tls_ciphersuites, int set_ticket_keys_cb,
- int is_dot, int is_doh, int use_system_versions);
+ int is_dot, int is_doh, const char* tls_protocols);
/**
* create SSL connect context
cfg->tls_ciphers, cfg->tls_ciphersuites,
(cfg->tls_session_ticket_keys.first &&
cfg->tls_session_ticket_keys.first->str[0] != 0),
- 1, 0, cfg->tls_use_system_policy_versions))) {
+ 1, 0, cfg->tls_protocols))) {
fatal_exit("could not set up listen SSL_CTX");
}
#ifdef HAVE_NGHTTP2_NGHTTP2_H
cfg->tls_ciphers, cfg->tls_ciphersuites,
(cfg->tls_session_ticket_keys.first &&
cfg->tls_session_ticket_keys.first->str[0] != 0),
- 0, 1, cfg->tls_use_system_policy_versions))) {
+ 0, 1, cfg->tls_protocols))) {
fatal_exit("could not set up listen doh SSL_CTX");
}
}