frontend->d_ciphers = boost::get<const string>((*vars)["ciphers"]);
}
+ if (vars->count("ciphersTLS13")) {
+ frontend->d_ciphers13 = boost::get<const string>((*vars)["ciphersTLS13"]);
+ }
+
if (vars->count("ticketKeyFile")) {
frontend->d_ticketKeyFile = boost::get<const string>((*vars)["ticketKeyFile"]);
}
``sessionTickets`` option added.
.. versionchanged:: 1.3.3
``numberOfStoredSessions`` option added.
+ .. versionchanged:: 1.4.0
+ ``ciphersTLS13`` option added.
Listen on the specified address and TCP port for incoming DNS over TLS connections, presenting the specified X.509 certificate.
* ``interface=""``: str - Set the network interface to use.
* ``cpus={}``: table - Set the CPU affinity for this listener thread, asking the scheduler to run it on a single CPU id, or a set of CPU ids. This parameter is only available if the OS provides the pthread_setaffinity_np() function.
* ``provider``: str - The TLS library to use between GnuTLS and OpenSSL, if they were available and enabled at compilation time.
- * ``ciphers``: str - The TLS ciphers to use. The exact format depends on the provider used.
+ * ``ciphers``: str - The TLS ciphers to use. The exact format depends on the provider used. When the OpenSSL provder is used, ciphers for TLS 1.3 must be specified via ``ciphersTLS13``.
+ * ``ciphersTLS13``: str - The ciphers to use for TLS 1.3, when the OpenSSL provider is used. When the GnuTLS provider is used, ``ciphers`` applies regardless of the TLS protocol and this setting is not used.
* ``numberOfTicketsKeys``: int - The maximum number of tickets keys to keep in memory at the same time, if the provider supports it (GnuTLS doesn't, OpenSSL does). Only one key is marked as active and used to encrypt new tickets while the remaining ones can still be used to decrypt existing tickets after a rotation. Default to 5.
* ``ticketKeyFile``: str - The path to a file from where TLS tickets keys should be loaded, to support RFC 5077. These keys should be rotated often and never written to persistent storage to preserve forward secrecy. The default is to generate a random key. The OpenSSL provider supports several tickets keys to be able to decrypt existing sessions after the rotation, while the GnuTLS provider only supports one key.
* ``ticketsKeysRotationDelay``: int - Set the delay before the TLS tickets key is rotated, in seconds. Default is 43200 (12h).
}
}
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
+ if (!fe.d_ciphers13.empty()) {
+ if (SSL_CTX_set_ciphersuites(d_tlsCtx.get(), fe.d_ciphers13.c_str()) != 1) {
+ ERR_print_errors_fp(stderr);
+ throw std::runtime_error("Error setting the TLS 1.3 cipher list to '" + fe.d_ciphers13 + "' for the TLS context on " + fe.d_addr.toStringWithPort());
+ }
+ }
+#endif /* HAVE_SSL_CTX_SET_CIPHERSUITES */
+
try {
if (fe.d_ticketKeyFile.empty()) {
handleTicketsKeyRotation(time(nullptr));
projects / pdns / commitdiff