frontend->d_enableTickets = boost::get<bool>((*vars)["sessionTickets"]);
}
+ if (vars->count("preferServerCiphers")) {
+ frontend->d_preferServerCiphers = boost::get<bool>((*vars)["preferServerCiphers"]);
+ }
+
if (vars->count("numberOfStoredSessions")) {
auto value = boost::get<int>((*vars)["numberOfStoredSessions"]);
if (value < 0) {
frontend->d_enableTickets = boost::get<bool>((*vars)["sessionTickets"]);
}
+ if (vars->count("preferServerCiphers")) {
+ frontend->d_preferServerCiphers = boost::get<bool>((*vars)["preferServerCiphers"]);
+ }
+
if (vars->count("numberOfStoredSessions")) {
auto value = boost::get<int>((*vars)["numberOfStoredSessions"]);
if (value < 0) {
* ``ticketsKeysRotationDelay``: int - Set the delay before the TLS tickets key is rotated, in seconds. Default is 43200 (12h).
* ``sessionTickets``: bool - Whether session resumption via session tickets is enabled. Default is true, meaning tickets are enabled.
* ``numberOfStoredSessions``: int - The maximum number of sessions kept in memory at the same time. Default is 20480. Setting this value to 0 disables stored session entirely.
+ * ``preferServerCiphers``: bool - Whether to prefer the order of ciphers set by the server instead of the one set by the client. Default is false, meaning that the order of the client is used.
.. function:: addTLSLocal(address, certFile(s), keyFile(s) [, options])
.. versionchanged:: 1.3.3
``numberOfStoredSessions`` option added.
.. versionchanged:: 1.4.0
- ``ciphersTLS13``, ``minTLSVersion`` and ``ocspResponses`` options added.
+ ``ciphersTLS13``, ``minTLSVersion``, ``ocspResponses`` and ``preferServerCiphers`` options added.
Listen on the specified address and TCP port for incoming DNS over TLS connections, presenting the specified X.509 certificate.
* ``numberOfStoredSessions``: int - The maximum number of sessions kept in memory at the same time. At this time this is only supported by the OpenSSL provider, as stored sessions are not supported with the GnuTLS one. Default is 20480. Setting this value to 0 disables stored session entirely.
* ``ocspResponses``: list - List of files containing OCSP responses, in the same order than the certificates and keys, that will be used to provide OCSP stapling responses.
* ``minTLSVersion``: str - Minimum version of the TLS protocol to support. Possible values are 'tls1.0', 'tls1.1', 'tls1.2' and 'tls1.3'. Default is to require at least TLS 1.0. Note that this value is ignored when the GnuTLS provider is in use, and the ``ciphers`` option should be set accordingly instead. For example, 'NORMAL:!VERS-TLS1.0:!VERS-TLS1.1' will disable TLS 1.0 and 1.1.
+ * ``preferServerCiphers``: bool - Whether to prefer the order of ciphers set by the server instead of the one set by the client. Default is false, meaning that the order of the client is used.
.. function:: setLocal(address[, options])
SSL_OP_NO_COMPRESSION |
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
SSL_OP_SINGLE_DH_USE |
- SSL_OP_SINGLE_ECDH_USE |
- SSL_OP_CIPHER_SERVER_PREFERENCE;
+ SSL_OP_SINGLE_ECDH_USE;
if (!df.d_enableTickets || df.d_numberOfTicketsKeys == 0) {
sslOptions |= SSL_OP_NO_TICKET;
libssl_set_ticket_key_callback_data(ctx.get(), &df);
}
+ if (df.d_preferServerCiphers) {
+ sslOptions |= SSL_OP_CIPHER_SERVER_PREFERENCE;
+ }
+
SSL_CTX_set_options(ctx.get(), sslOptions);
if (!libssl_set_min_tls_version(ctx, df.d_minTLSVersion)) {
throw std::runtime_error("Failed to set the minimum version to '" + libssl_tls_version_to_string(df.d_minTLSVersion) + "' for DoH listener");
SSL_OP_NO_COMPRESSION |
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION |
SSL_OP_SINGLE_DH_USE |
- SSL_OP_SINGLE_ECDH_USE |
- SSL_OP_CIPHER_SERVER_PREFERENCE;
+ SSL_OP_SINGLE_ECDH_USE;
registerOpenSSLUser();
libssl_set_ticket_key_callback_data(d_tlsCtx.get(), this);
}
+ if (fe.d_preferServerCiphers) {
+ sslOptions |= SSL_OP_CIPHER_SERVER_PREFERENCE;
+ }
+
SSL_CTX_set_options(d_tlsCtx.get(), sslOptions);
if (!libssl_set_min_tls_version(d_tlsCtx, fe.d_minTLSVersion)) {
throw std::runtime_error("Failed to set the minimum version to '" + libssl_tls_version_to_string(fe.d_minTLSVersion) + "' for ths TLS context on " + fe.d_addr.toStringWithPort());
size_t d_maxStoredSessions{20480};
uint8_t d_numberOfTicketsKeys{5};
bool d_enableTickets{true};
+ bool d_preferServerCiphers{false};
std::atomic<uint64_t> d_httpconnects; // number of TCP/IP connections established
std::atomic<uint64_t> d_tls10queries; // valid DNS queries received via TLSv1.0
LibsslTLSVersion d_minTLSVersion{LibsslTLSVersion::TLS10};
bool d_enableTickets{true};
+ bool d_preferServerCiphers{false};
private:
std::shared_ptr<TLSCtx> d_ctx{nullptr};