Restore disabled unused 'tls' options: 'ca-file' and 'hostname'
authorArtem Boldariev <artem@boldariev.com>
Tue, 25 Jan 2022 16:05:04 +0000 (18:05 +0200)
committerArtem Boldariev <artem@boldariev.com>
Mon, 28 Mar 2022 13:22:53 +0000 (16:22 +0300)
This commit restores the 'tls' options disabled in
78b73d0865ef00062f3bca45cdbc3ca5ccb2ed43.

bin/named/named.conf.rst
bin/named/transportconf.c
bin/tests/system/checkconf/good-dot-doh-tls-nokeycert.conf
doc/arm/reference.rst
doc/man/named.conf.5in
doc/misc/options
doc/misc/options.active
doc/misc/tls.grammar.rst
lib/isccfg/namedconf.c

index 9b61c12f3f88af678beda8edea36e98837a11b52..2f2de71e83e167237856b9b3d2b0cd01d699a207 100644 (file)
@@ -560,9 +560,11 @@ TLS
 ::
 
   tls string {
+       ca-file quoted_string;
        cert-file quoted_string;
        ciphers string;
        dhparam-file quoted_string;
+       hostname quoted_string;
        key-file quoted_string;
        prefer-server-ciphers boolean;
        protocols { string; ... };
index 54c61962423556275fb53703d0c3ed4d077bd5fa..a0417f76aaaf139b776be729e1793380ef1ea627 100644 (file)
@@ -122,16 +122,10 @@ add_doh_transports(const cfg_obj_t *transportlist, dns_transport_list_t *list) {
                parse_transport_bool_option(
                        doh, transport, "prefer-server-ciphers",
                        dns_transport_set_prefer_server_ciphers)
-#if 0
-               /*
-                * The following two options need to remain unavailable until
-                * TLS certificate verification gets implemented.
-                */
-               parse_transport_option(doh, transport, "ca-file",
-                                      dns_transport_set_cafile);
+                       parse_transport_option(doh, transport, "ca-file",
+                                              dns_transport_set_cafile);
                parse_transport_option(doh, transport, "hostname",
                                       dns_transport_set_hostname);
-#endif
        }
 
        return (ISC_R_SUCCESS);
@@ -180,16 +174,10 @@ add_tls_transports(const cfg_obj_t *transportlist, dns_transport_list_t *list) {
                parse_transport_bool_option(
                        tls, transport, "prefer-server-ciphers",
                        dns_transport_set_prefer_server_ciphers)
-#if 0
-               /*
-                * The following two options need to remain unavailable until
-                * TLS certificate verification gets implemented.
-                */
-               parse_transport_option(tls, transport, "ca-file",
-                                      dns_transport_set_cafile);
+                       parse_transport_option(tls, transport, "ca-file",
+                                              dns_transport_set_cafile);
                parse_transport_option(tls, transport, "hostname",
                                       dns_transport_set_hostname);
-#endif
        }
 
        return (ISC_R_SUCCESS);
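Review bot: Restoring `ca-file` and `hostname` here only stores the values through dns_transport_set_cafile() and dns_transport_set_hostname(); nothing in these hunks or in the commit's file list shows the transport layer using them to verify the remote peer, which is exactly the precondition the removed `#if 0` comment was waiting for, and the commit message does not say that precondition is now met. If verification is implemented elsewhere, a comment at the `ca-file` call such as `/* ca-file/hostname enable verification of the remote peer's certificate. */` would record that; if it is not, accepting `ca-file` silently gives operators the impression the remote certificate is checked when it is not. Separately, the new `ca-file` lines are indented one level deeper than the `hostname` lines that follow, apparently because the preceding `parse_transport_bool_option(...)` invocation has no terminating `;` (the `parse_transport_option(...)` calls do); adding that `;` should let clang-format keep the four calls aligned. add_tls_transports() begins before the hunk and its closing brace is outside it.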
index 5bff3e08ba1d371416cef96bf32fa0bde0e6380d..340f620ac53a3ae5e8d7cb1cafd59dae1b722ca3 100644 (file)
@@ -14,4 +14,5 @@
 # In some cases a "tls" statement may omit key-file and cert-file.
 tls local-tls {
     protocols {TLSv1.2;};
+    hostname "fqdn.example.com";
 };
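Review bot: The fixture exercises only `hostname`; `ca-file`, the other option this commit re-enables, gets no checkconf coverage here or in any other file in the commit's list. Adding `ca-file "ca.pem";` next to the new `hostname` line would cover both restored grammar entries, assuming named-checkconf does not try to open the referenced path (the file's own comment says key-file and cert-file may be omitted, which suggests paths are not validated at check time, but confirm before relying on it).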
index 8179d3a368f465f18d7a91fd111470c9a25fa796..8a6c7ee67c800d04b6d033c8e7998e32bde22b64 100644 (file)
@@ -294,7 +294,7 @@ The following statements are supported:
         Declares communication channels to get access to :iscman:`named` statistics.
 
     ``tls``
-        Specifies configuration information for a TLS connection, including a ``key-file``, ``cert-file``, ``dhparam-file``, ``ciphers``, ``protocols``, ``prefer-server-ciphers``, and ``session-tickets``.
+        Specifies configuration information for a TLS connection, including a ``key-file``, ``cert-file``, ``ca-file``, ``dhparam-file``, ``hostname``, ``ciphers``, ``protocols``, ``prefer-server-ciphers``, and ``session-tickets``.
 
     ``http``
         Specifies configuration information for an HTTP connection, including ``endponts``, ``listener-clients`` and ``streams-per-connection``.
@@ -4803,6 +4803,9 @@ The following options can be specified in a ``tls`` statement:
     Path to a file containing the TLS certificate to be used for
     the connection.
 
+  ``ca-file``
+    Path to a file containing trusted TLS certificates.
+
   ``dhparam-file``
     Path to a file containing Diffie-Hellman parameters,
     which is needed to enable the cipher suites depending on the
@@ -4810,6 +4813,9 @@ The following options can be specified in a ``tls`` statement:
     specified is essential for enabling perfect forward secrecy capable
     ciphers in TLSv1.2.
 
+  ``hostname``
+    The hostname associated with the certificate.
+
   ``protocols``
     Allowed versions of the TLS protocol. TLS version 1.2 and higher are
     supported, depending on the cryptographic library in use. Multiple
index 08ed18584ebaaa01582fad52637d44e010fc40d6..406cdfa5c22870be218cb26676d755d9b6f0a87e 100644 (file)
@@ -634,9 +634,11 @@ statistics\-channels {
 .nf
 .ft C
 tls string {
+      ca\-file quoted_string;
       cert\-file quoted_string;
       ciphers string;
       dhparam\-file quoted_string;
+      hostname quoted_string;
       key\-file quoted_string;
       prefer\-server\-ciphers boolean;
       protocols { string; ... };
index 673cd3b791592d862bb839cca87a4b8acc90a1ad..eb86067902293544e962bbe741763292bf7839fb 100644 (file)
@@ -449,9 +449,11 @@ statistics-channels {
 }; // may occur multiple times
 
 tls <string> {
+        ca-file <quoted_string>;
         cert-file <quoted_string>;
         ciphers <string>;
         dhparam-file <quoted_string>;
+        hostname <quoted_string>;
         key-file <quoted_string>;
         prefer-server-ciphers <boolean>;
         protocols { <string>; ... };
index f95a9018765a79c0dc8ebfc5c96d6eafb37e09f9..2d832b57d2973bfa1fb3298a27c3dbfe00411af0 100644 (file)
@@ -445,9 +445,11 @@ statistics-channels {
 }; // may occur multiple times
 
 tls <string> {
+        ca-file <quoted_string>;
         cert-file <quoted_string>;
         ciphers <string>;
         dhparam-file <quoted_string>;
+        hostname <quoted_string>;
         key-file <quoted_string>;
         prefer-server-ciphers <boolean>;
         protocols { <string>; ... };
index 8e572e15ec3aa7fb651c611ddafa3c5314c17192..fec9c738ccac229ac70c1605a4ff04b84c136823 100644 (file)
 ::
 
   tls <string> {
+       ca-file <quoted_string>;
        cert-file <quoted_string>;
        ciphers <string>;
        dhparam-file <quoted_string>;
+       hostname <quoted_string>;
        key-file <quoted_string>;
        prefer-server-ciphers <boolean>;
        protocols { <string>; ... };
index 203e066926c6ec57c626777ae0edab75659afd06..14499fbdea200622a69672a3f3241f2ee50e9f0a 100644 (file)
@@ -3936,14 +3936,8 @@ static cfg_type_t cfg_type_tlsprotos = { "tls_protocols",
 static cfg_clausedef_t tls_clauses[] = {
        { "key-file", &cfg_type_qstring, 0 },
        { "cert-file", &cfg_type_qstring, 0 },
-#if 0
-       /*
-        * The following two options need to remain unavailable until TLS
-        * certificate verification gets implemented.
-        */
        { "ca-file", &cfg_type_qstring, 0 },
        { "hostname", &cfg_type_qstring, 0 },
-#endif
        { "dhparam-file", &cfg_type_qstring, 0 },
        { "protocols", &cfg_type_tlsprotos, 0 },
        { "ciphers", &cfg_type_astring, 0 },