Merge branch 'artem-disable-unused-tls-syntax' into 'main'

Remove unused 'tls' clause options: 'ca-file' and 'hostname'

See merge request isc-projects/bind9!5600

CHANGES

@@ -1,3 +1,6 @@
+5766.	[func]		Unused 'tls' clause options 'ca-file' and 'hostname'
+			were disabled. [GL !5600]
+
 5765.	[bug]		Fix a bug in DoH implementation making 'dig'
 			abort when ALPN negotiation fails. [GL #3022]
 

bin/named/named.conf.rst

@@ -561,11 +561,9 @@ TLS
 ::
 
   tls string {
-  	ca-file quoted_string;
   	cert-file quoted_string;
   	ciphers string;
   	dhparam-file quoted_string;
-  	hostname quoted_string;
   	key-file quoted_string;
   	prefer-server-ciphers boolean;
   	protocols { string; ... };

bin/named/transportconf.c

@@ -71,10 +71,16 @@ add_doh_transports(const cfg_obj_t *transportlist, dns_transport_list_t *list) {
 				       dns_transport_set_keyfile);
 		parse_transport_option(doh, transport, "cert-file",
 				       dns_transport_set_certfile);
+#if 0
+		/*
+		 * The following two options need to remain unavailable until
+		 * TLS certificate verification gets implemented.
+		 */
 		parse_transport_option(doh, transport, "ca-file",
 				       dns_transport_set_cafile);
 		parse_transport_option(doh, transport, "hostname",
 				       dns_transport_set_hostname);
+#endif
 	}
 
 	return (ISC_R_SUCCESS);
@@ -115,10 +121,16 @@ add_tls_transports(const cfg_obj_t *transportlist, dns_transport_list_t *list) {
 				       dns_transport_set_keyfile);
 		parse_transport_option(tls, transport, "cert-file",
 				       dns_transport_set_certfile);
+#if 0
+		/*
+		 * The following two options need to remain unavailable until
+		 * TLS certificate verification gets implemented.
+		 */
 		parse_transport_option(tls, transport, "ca-file",
 				       dns_transport_set_cafile);
 		parse_transport_option(tls, transport, "hostname",
 				       dns_transport_set_hostname);
+#endif
 	}
 
 	return (ISC_R_SUCCESS);

bin/tests/system/checkconf/good-dot-doh-tls-nokeycert.conf

@@ -12,5 +12,4 @@
 # In some cases a "tls" statement may omit key-file and cert-file.
 tls local-tls {
     protocols {TLSv1.2;};
-    hostname "fqdn.example.com";
 };

doc/arm/reference.rst

@@ -293,7 +293,7 @@ The following statements are supported:
         Declares communication channels to get access to ``named`` statistics.
 
     ``tls``
-        Specifies configuration information for a TLS connection, including a ``key-file``, ``cert-file``, ``ca-file``, ``dhparam-file``, ``hostname``, ``ciphers``, ``protocols``, ``prefer-server-ciphers``, and ``session-tickets``.
+        Specifies configuration information for a TLS connection, including a ``key-file``, ``cert-file``, ``dhparam-file``, ``ciphers``, ``protocols``, ``prefer-server-ciphers``, and ``session-tickets``.
 
     ``http``
         Specifies configuration information for an HTTP connection, including ``endponts``, ``listener-clients`` and ``streams-per-connection``.
@@ -4756,9 +4756,6 @@ The following options can be specified in a ``tls`` statement:
     Path to a file containing the TLS certificate to be used for
     the connection.
 
-  ``ca-file``
-    Path to a file containing trusted TLS certificates.
-
   ``dhparam-file``
     Path to a file containing Diffie-Hellman parameters,
     which is needed to enable the cipher suites depending on the
@@ -4766,9 +4763,6 @@ The following options can be specified in a ``tls`` statement:
     specified is essential for enabling perfect forward secrecy capable
     ciphers in TLSv1.2.
 
-  ``hostname``
-    The hostname associated with the certificate.
-
   ``protocols``
     Allowed versions of the TLS protocol. TLS version 1.2 and higher are
     supported, depending on the cryptographic library in use. Multiple

doc/man/named.conf.5in

@@ -652,11 +652,9 @@ statistics\-channels {
 .nf
 .ft C
 tls string {
-      ca\-file quoted_string;
       cert\-file quoted_string;
       ciphers string;
       dhparam\-file quoted_string;
-      hostname quoted_string;
       key\-file quoted_string;
       prefer\-server\-ciphers boolean;
       protocols { string; ... };

doc/misc/options

@@ -457,11 +457,9 @@ statistics-channels {
 }; // may occur multiple times
 
 tls <string> {
-        ca-file <quoted_string>;
         cert-file <quoted_string>;
         ciphers <string>;
         dhparam-file <quoted_string>;
-        hostname <quoted_string>;
         key-file <quoted_string>;
         prefer-server-ciphers <boolean>;
         protocols { <string>; ... };

doc/misc/options.active

@@ -454,11 +454,9 @@ statistics-channels {
 }; // may occur multiple times
 
 tls <string> {
-        ca-file <quoted_string>;
         cert-file <quoted_string>;
         ciphers <string>;
         dhparam-file <quoted_string>;
-        hostname <quoted_string>;
         key-file <quoted_string>;
         prefer-server-ciphers <boolean>;
         protocols { <string>; ... };

doc/misc/tls.grammar.rst

@@ -1,11 +1,9 @@
 ::
 
   tls <string> {
-  	ca-file <quoted_string>;
   	cert-file <quoted_string>;
   	ciphers <string>;
   	dhparam-file <quoted_string>;
-  	hostname <quoted_string>;
   	key-file <quoted_string>;
   	prefer-server-ciphers <boolean>;
   	protocols { <string>; ... };

lib/isccfg/namedconf.c

@@ -3886,8 +3886,14 @@ static cfg_type_t cfg_type_tlsprotos = { "tls_protocols",
 static cfg_clausedef_t tls_clauses[] = {
 	{ "key-file", &cfg_type_qstring, 0 },
 	{ "cert-file", &cfg_type_qstring, 0 },
+#if 0
+	/*
+	 * The following two options need to remain unavailable until TLS
+	 * certificate verification gets implemented.
+	 */
 	{ "ca-file", &cfg_type_qstring, 0 },
 	{ "hostname", &cfg_type_qstring, 0 },
+#endif
 	{ "dhparam-file", &cfg_type_qstring, 0 },
 	{ "protocols", &cfg_type_tlsprotos, 0 },
 	{ "ciphers", &cfg_type_astring, 0 },