From 78b73d0865ef00062f3bca45cdbc3ca5ccb2ed43 Mon Sep 17 00:00:00 2001 From: Artem Boldariev Date: Mon, 29 Nov 2021 10:45:35 +0200 Subject: [PATCH 1/2] Disable unused 'tls' clause options: 'ca-file' and 'hostname' This commit disables the unused 'tls' clause options. For these some backing code exists, but their values are not really used anywhere, nor there are sufficient syntax tests for them. These options are only disabled temporarily, until TLS certificate verification gets implemented. --- bin/named/named.conf.rst | 2 -- bin/named/transportconf.c | 12 ++++++++++++ .../system/checkconf/good-dot-doh-tls-nokeycert.conf | 1 - doc/arm/reference.rst | 8 +------- doc/man/named.conf.5in | 2 -- doc/misc/options | 2 -- doc/misc/options.active | 2 -- doc/misc/tls.grammar.rst | 2 -- lib/isccfg/namedconf.c | 6 ++++++ 9 files changed, 19 insertions(+), 18 deletions(-) diff --git a/bin/named/named.conf.rst b/bin/named/named.conf.rst index e04891ab2a..28a39c45e0 100644 --- a/bin/named/named.conf.rst +++ b/bin/named/named.conf.rst @@ -561,11 +561,9 @@ TLS :: tls string { - ca-file quoted_string; cert-file quoted_string; ciphers string; dhparam-file quoted_string; - hostname quoted_string; key-file quoted_string; prefer-server-ciphers boolean; protocols { string; ... }; diff --git a/bin/named/transportconf.c b/bin/named/transportconf.c index ea696af73b..618696bb7a 100644 --- a/bin/named/transportconf.c +++ b/bin/named/transportconf.c @@ -71,10 +71,16 @@ add_doh_transports(const cfg_obj_t *transportlist, dns_transport_list_t *list) { dns_transport_set_keyfile); parse_transport_option(doh, transport, "cert-file", dns_transport_set_certfile); +#if 0 + /* + * The following two options need to remain unavailable until + * TLS certificate verification gets implemented. + */ parse_transport_option(doh, transport, "ca-file", dns_transport_set_cafile); parse_transport_option(doh, transport, "hostname", dns_transport_set_hostname); +#endif } return (ISC_R_SUCCESS); 
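Review bot: The new comment inside the `#if 0` in add_doh_transports says the two options must stay unavailable but not why, and the why is the security-relevant part: per the commit message the values passed to `dns_transport_set_cafile` and `dns_transport_set_hostname` are stored but never consulted, so accepting them would let an operator believe peer certificate verification is configured when nothing verifies anything. I would make the comment say that explicitly, e.g. `/* ca-file and hostname are compiled out rather than parsed-and-ignored: nothing verifies the peer certificate yet, so accepting them would give a false sense of verification. Re-enable together with the matching block in lib/isccfg/namedconf.c. */`. That also records that the disabled sites have to be flipped in lock-step, which a bare `#if 0` does not convey. add_doh_transports begins before the hunk.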
@@ -115,10 +121,16 @@ add_tls_transports(const cfg_obj_t *transportlist, dns_transport_list_t *list) { dns_transport_set_keyfile); parse_transport_option(tls, transport, "cert-file", dns_transport_set_certfile); +#if 0 + /* + * The following two options need to remain unavailable until + * TLS certificate verification gets implemented. + */ parse_transport_option(tls, transport, "ca-file", dns_transport_set_cafile); parse_transport_option(tls, transport, "hostname", dns_transport_set_hostname); +#endif } return (ISC_R_SUCCESS); diff --git a/bin/tests/system/checkconf/good-dot-doh-tls-nokeycert.conf b/bin/tests/system/checkconf/good-dot-doh-tls-nokeycert.conf index 9814074ecc..fff3a5b176 100644 --- a/bin/tests/system/checkconf/good-dot-doh-tls-nokeycert.conf +++ b/bin/tests/system/checkconf/good-dot-doh-tls-nokeycert.conf @@ -12,5 +12,4 @@ # In some cases a "tls" statement may omit key-file and cert-file. tls local-tls { protocols {TLSv1.2;}; - hostname "fqdn.example.com"; }; diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 2484095813..0562bbe627 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst @@ -293,7 +293,7 @@ The following statements are supported: Declares communication channels to get access to ``named`` statistics. ``tls`` - Specifies configuration information for a TLS connection, including a ``key-file``, ``cert-file``, ``ca-file``, ``dhparam-file``, ``hostname``, ``ciphers``, ``protocols``, ``prefer-server-ciphers``, and ``session-tickets``. + Specifies configuration information for a TLS connection, including a ``key-file``, ``cert-file``, ``dhparam-file``, ``ciphers``, ``protocols``, ``prefer-server-ciphers``, and ``session-tickets``. ``http`` Specifies configuration information for an HTTP connection, including ``endponts``, ``listener-clients`` and ``streams-per-connection``. 
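Review bot: The `#if 0` block added in add_tls_transports is a copy of the one in add_doh_transports, and a third disabled region lives in lib/isccfg/namedconf.c; three anonymous `#if 0`s must be re-enabled together and nothing in the code ties them to each other. A single named guard defined in one header, e.g. `#ifdef DNS_TRANSPORT_CERT_VERIFICATION` (name illustrative), or simply deleting the four calls now and restoring them from history when verification lands, would be harder to get out of sync than three identical prose comments. If the DoH and TLS parsing sequences are meant to stay parallel, a shared static helper taking the cfg object and the transport would also halve the number of sites to maintain. add_tls_transports begins before the hunk.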
@@ -4756,9 +4756,6 @@ The following options can be specified in a ``tls`` statement: Path to a file containing the TLS certificate to be used for the connection. - ``ca-file`` - Path to a file containing trusted TLS certificates. - ``dhparam-file`` Path to a file containing Diffie-Hellman parameters, which is needed to enable the cipher suites depending on the @@ -4766,9 +4763,6 @@ The following options can be specified in a ``tls`` statement: specified is essential for enabling perfect forward secrecy capable ciphers in TLSv1.2. - ``hostname`` - The hostname associated with the certificate. - ``protocols`` Allowed versions of the TLS protocol. TLS version 1.2 and higher are supported, depending on the cryptographic library in use. Multiple diff --git a/doc/man/named.conf.5in b/doc/man/named.conf.5in index 7e129e4bf1..de092a77df 100644 --- a/doc/man/named.conf.5in +++ b/doc/man/named.conf.5in @@ -652,11 +652,9 @@ statistics\-channels { .nf .ft C tls string { - ca\-file quoted_string; cert\-file quoted_string; ciphers string; dhparam\-file quoted_string; - hostname quoted_string; key\-file quoted_string; prefer\-server\-ciphers boolean; protocols { string; ... }; diff --git a/doc/misc/options b/doc/misc/options index 02b6f7b609..86967657ae 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -457,11 +457,9 @@ statistics-channels { }; // may occur multiple times tls { - ca-file ; cert-file ; ciphers ; dhparam-file ; - hostname ; key-file ; prefer-server-ciphers ; protocols { ; ... }; diff --git a/doc/misc/options.active b/doc/misc/options.active index 491a025ed4..bd4ceb26ae 100644 --- a/doc/misc/options.active +++ b/doc/misc/options.active @@ -454,11 +454,9 @@ statistics-channels { }; // may occur multiple times tls { - ca-file ; cert-file ; ciphers ; dhparam-file ; - hostname ; key-file ; prefer-server-ciphers ; protocols { ; ... }; diff --git a/doc/misc/tls.grammar.rst b/doc/misc/tls.grammar.rst index 98f724a6d8..96780c1155 100644 --- a/doc/misc/tls.grammar.rst 
+++ b/doc/misc/tls.grammar.rst @@ -1,11 +1,9 @@ :: tls { - ca-file ; cert-file ; ciphers ; dhparam-file ; - hostname ; key-file ; prefer-server-ciphers ; protocols { ; ... }; diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index 4067adf093..4ba4b0a17c 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c @@ -3886,8 +3886,14 @@ static cfg_type_t cfg_type_tlsprotos = { "tls_protocols", static cfg_clausedef_t tls_clauses[] = { { "key-file", &cfg_type_qstring, 0 }, { "cert-file", &cfg_type_qstring, 0 }, +#if 0 + /* + * The following two options need to remain unavailable until TLS + * certificate verification gets implemented. + */ { "ca-file", &cfg_type_qstring, 0 }, { "hostname", &cfg_type_qstring, 0 }, +#endif { "dhparam-file", &cfg_type_qstring, 0 }, { "protocols", &cfg_type_tlsprotos, 0 }, { "ciphers", &cfg_type_astring, 0 }, From afd53256a543bfcf3e957fe2c78fdb02cc3967bf Mon Sep 17 00:00:00 2001 From: Artem Boldariev Date: Mon, 29 Nov 2021 11:02:32 +0200 Subject: [PATCH 2/2] Modify CHANGES [GL !5600] Mention that unused 'tls' clause options 'ca-file' and 'hostname' were removed. --- CHANGES | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGES b/CHANGES index 96957be818..ca80b0d14b 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +5766. [func] Unused 'tls' clause options 'ca-file' and 'hostname' + were disabled. [GL !5600] + 5765. [bug] Fix a bug in DoH implementation making 'dig' abort when ALPN negotiation fails. [GL #3022]
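Review bot: Dropping `ca-file` and `hostname` from `tls_clauses` turns any existing configuration that uses them into a hard parse failure, which is the right fail-closed choice (accepting a CA file and silently ignoring it would be worse than rejecting it), but neither the comment here nor the CHANGES entry says that this is deliberate. I would extend the comment: `/* Deliberately removed from the grammar rather than accepted-and-ignored: a config naming a CA file or hostname must fail to load until something actually verifies the peer certificate. */`. The third field of each entry, `0` here, appears to be a flags word; if isccfg offers a "not yet implemented" flag that merely warns, the comment should say it was intentionally not used, so a later cleanup does not downgrade the rejection to a warning. The CHANGES line could likewise state that configurations using these options will now fail to parse. tls_clauses continues past the hunk.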