diff --git a/CHANGES b/CHANGES
index 96957be818..ca80b0d14b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+5766.	[func]		Unused 'tls' clause options 'ca-file' and 'hostname'
+			were disabled. [GL !5600]
+
 5765.	[bug]		Fix a bug in DoH implementation making 'dig' abort when
 			ALPN negotiation fails. [GL #3022]
 
diff --git a/bin/named/named.conf.rst b/bin/named/named.conf.rst
index e04891ab2a..28a39c45e0 100644
--- a/bin/named/named.conf.rst
+++ b/bin/named/named.conf.rst
@@ -561,11 +561,9 @@ TLS
 ::
 
     tls string {
-        ca-file quoted_string;
         cert-file quoted_string;
         ciphers string;
         dhparam-file quoted_string;
-        hostname quoted_string;
         key-file quoted_string;
         prefer-server-ciphers boolean;
         protocols { string; ... };
diff --git a/bin/named/transportconf.c b/bin/named/transportconf.c
index ea696af73b..618696bb7a 100644
--- a/bin/named/transportconf.c
+++ b/bin/named/transportconf.c
@@ -71,10 +71,16 @@ add_doh_transports(const cfg_obj_t *transportlist, dns_transport_list_t *list) {
 				       dns_transport_set_keyfile);
 		parse_transport_option(doh, transport, "cert-file",
 				       dns_transport_set_certfile);
+#if 0
+		/*
+		 * The following two options need to remain unavailable until
+		 * TLS certificate verification gets implemented.
+		 */
 		parse_transport_option(doh, transport, "ca-file",
 				       dns_transport_set_cafile);
 		parse_transport_option(doh, transport, "hostname",
 				       dns_transport_set_hostname);
+#endif
 	}
 
 	return (ISC_R_SUCCESS);
@@ -115,10 +121,16 @@ add_tls_transports(const cfg_obj_t *transportlist, dns_transport_list_t *list) {
 				       dns_transport_set_keyfile);
 		parse_transport_option(tls, transport, "cert-file",
 				       dns_transport_set_certfile);
+#if 0
+		/*
+		 * The following two options need to remain unavailable until
+		 * TLS certificate verification gets implemented.
+		 */
 		parse_transport_option(tls, transport, "ca-file",
 				       dns_transport_set_cafile);
 		parse_transport_option(tls, transport, "hostname",
 				       dns_transport_set_hostname);
+#endif
 	}
 
 	return (ISC_R_SUCCESS);
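Review bot: The `#if 0` block in add_doh_transports says why the options are gone but not what a transport built here does in the meantime; since the comment itself states that certificate verification is not implemented, it should spell out the consequence so nobody assumes verification happens elsewhere, e.g. add `* Until then, transports built here cannot verify the peer certificate.` to the comment. The same block, comment included, is duplicated in add_tls_transports in the next hunk; a single static helper applying the shared key-file/cert-file/ca-file/hostname options to a transport would keep the two in step when the options are re-enabled. Both add_doh_transports and add_tls_transports start and end outside their hunks.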
diff --git a/bin/tests/system/checkconf/good-dot-doh-tls-nokeycert.conf b/bin/tests/system/checkconf/good-dot-doh-tls-nokeycert.conf
index 9814074ecc..fff3a5b176 100644
--- a/bin/tests/system/checkconf/good-dot-doh-tls-nokeycert.conf
+++ b/bin/tests/system/checkconf/good-dot-doh-tls-nokeycert.conf
@@ -12,5 +12,4 @@
 # In some cases a "tls" statement may omit key-file and cert-file.
 tls local-tls {
 	protocols {TLSv1.2;};
-	hostname "fqdn.example.com";
 };
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index 2484095813..0562bbe627 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -293,7 +293,7 @@ The following statements are supported:
     Declares communication channels to get access to ``named`` statistics.
 
 ``tls``
-    Specifies configuration information for a TLS connection, including a ``key-file``, ``cert-file``, ``ca-file``, ``dhparam-file``, ``hostname``, ``ciphers``, ``protocols``, ``prefer-server-ciphers``, and ``session-tickets``.
+    Specifies configuration information for a TLS connection, including a ``key-file``, ``cert-file``, ``dhparam-file``, ``ciphers``, ``protocols``, ``prefer-server-ciphers``, and ``session-tickets``.
 
 ``http``
     Specifies configuration information for an HTTP connection, including ``endponts``, ``listener-clients`` and ``streams-per-connection``.
@@ -4756,9 +4756,6 @@ The following options can be specified in a ``tls`` statement:
     Path to a file containing the TLS certificate to be used for the
     connection.
 
-``ca-file``
-    Path to a file containing trusted TLS certificates.
-
 ``dhparam-file``
     Path to a file containing Diffie-Hellman parameters, which is needed to
     enable the cipher suites depending on the
@@ -4766,9 +4763,6 @@ The following options can be specified in a ``tls`` statement: specified is essential for enabling perfect forward secrecy capable ciphers in TLSv1.2. - ``hostname`` - The hostname associated with the certificate. - ``protocols`` Allowed versions of the TLS protocol. TLS version 1.2 and higher are supported, depending on the cryptographic library in use. Multiple diff --git a/doc/man/named.conf.5in b/doc/man/named.conf.5in index 7e129e4bf1..de092a77df 100644 --- a/doc/man/named.conf.5in +++ b/doc/man/named.conf.5in @@ -652,11 +652,9 @@ statistics\-channels { .nf .ft C tls string { - ca\-file quoted_string; cert\-file quoted_string; ciphers string; dhparam\-file quoted_string; - hostname quoted_string; key\-file quoted_string; prefer\-server\-ciphers boolean; protocols { string; ... }; diff --git a/doc/misc/options b/doc/misc/options index 02b6f7b609..86967657ae 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -457,11 +457,9 @@ statistics-channels { }; // may occur multiple times tls { - ca-file ; cert-file ; ciphers ; dhparam-file ; - hostname ; key-file ; prefer-server-ciphers ; protocols { ; ... }; diff --git a/doc/misc/options.active b/doc/misc/options.active index 491a025ed4..bd4ceb26ae 100644 --- a/doc/misc/options.active +++ b/doc/misc/options.active @@ -454,11 +454,9 @@ statistics-channels { }; // may occur multiple times tls { - ca-file ; cert-file ; ciphers ; dhparam-file ; - hostname ; key-file ; prefer-server-ciphers ; protocols { ; ... }; diff --git a/doc/misc/tls.grammar.rst b/doc/misc/tls.grammar.rst index 98f724a6d8..96780c1155 100644 --- a/doc/misc/tls.grammar.rst +++ b/doc/misc/tls.grammar.rst @@ -1,11 +1,9 @@ :: tls { - ca-file ; cert-file ; ciphers ; dhparam-file ; - hostname ; key-file ; prefer-server-ciphers ; protocols { ; ... }; diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index 4067adf093..4ba4b0a17c 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c 
@@ -3886,8 +3886,14 @@ static cfg_type_t cfg_type_tlsprotos = { "tls_protocols",
 static cfg_clausedef_t tls_clauses[] = {
 	{ "key-file", &cfg_type_qstring, 0 },
 	{ "cert-file", &cfg_type_qstring, 0 },
+#if 0
+	/*
+	 * The following two options need to remain unavailable until TLS
+	 * certificate verification gets implemented.
+	 */
 	{ "ca-file", &cfg_type_qstring, 0 },
 	{ "hostname", &cfg_type_qstring, 0 },
+#endif
 	{ "dhparam-file", &cfg_type_qstring, 0 },
 	{ "protocols", &cfg_type_tlsprotos, 0 },
 	{ "ciphers", &cfg_type_astring, 0 },
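Review bot: Removing `ca-file` and `hostname` from tls_clauses presumably makes the parser reject any existing `tls` block that still sets them, which is what the deletion of the `hostname` line from good-dot-doh-tls-nokeycert.conf in this commit suggests; neither the comment here nor the CHANGES entry says that previously accepted configurations now fail to load, so one of them should, e.g. add `* Configurations that still set them are rejected at load time.` to the comment. A checkconf test asserting that a `tls` block with `hostname` is rejected would pin the new behaviour so the options are not silently re-enabled later. tls_clauses continues past the end of the hunk.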