diff --git a/bin/named/named.conf.rst b/bin/named/named.conf.rst
index 9b61c12f3f..2f2de71e83 100644
--- a/bin/named/named.conf.rst
+++ b/bin/named/named.conf.rst
@@ -560,9 +560,11 @@ TLS
 :: tls string {
+ ca-file quoted_string;
 cert-file quoted_string;
 ciphers string;
 dhparam-file quoted_string;
+ hostname quoted_string;
 key-file quoted_string;
 prefer-server-ciphers boolean;
 protocols { string; ... };
diff --git a/bin/named/transportconf.c b/bin/named/transportconf.c
index 54c6196242..a0417f76aa 100644
--- a/bin/named/transportconf.c
+++ b/bin/named/transportconf.c
@@ -122,16 +122,10 @@ add_doh_transports(const cfg_obj_t *transportlist, dns_transport_list_t *list) { parse_transport_bool_option( doh, transport, "prefer-server-ciphers", dns_transport_set_prefer_server_ciphers)
-#if 0
- /*
- * The following two options need to remain unavailable until
- * TLS certificate verification gets implemented.
- */
- parse_transport_option(doh, transport, "ca-file",
- dns_transport_set_cafile);
+ parse_transport_option(doh, transport, "ca-file",
+ dns_transport_set_cafile);
 parse_transport_option(doh, transport, "hostname", dns_transport_set_hostname);
-#endif
 } return (ISC_R_SUCCESS);
@@ -180,16 +174,10 @@ add_tls_transports(const cfg_obj_t *transportlist, dns_transport_list_t *list) { parse_transport_bool_option( tls, transport, "prefer-server-ciphers", dns_transport_set_prefer_server_ciphers)
-#if 0
- /*
- * The following two options need to remain unavailable until
- * TLS certificate verification gets implemented.
- */
- parse_transport_option(tls, transport, "ca-file",
- dns_transport_set_cafile);
+ parse_transport_option(tls, transport, "ca-file",
+ dns_transport_set_cafile);
 parse_transport_option(tls, transport, "hostname", dns_transport_set_hostname);
-#endif
 } return (ISC_R_SUCCESS);
diff --git a/bin/tests/system/checkconf/good-dot-doh-tls-nokeycert.conf b/bin/tests/system/checkconf/good-dot-doh-tls-nokeycert.conf
index 5bff3e08ba..340f620ac5 100644
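Review bot: In add_doh_transports the new `ca-file` and `hostname` values go straight to dns_transport_set_cafile and dns_transport_set_hostname with no check that the pair is consistent, and the same applies to the add_tls_transports hunk that follows. The deleted comment gated both options on TLS certificate verification, so if `hostname` is what a peer certificate is matched against, a `hostname` given without a `ca-file` (or a `ca-file` path that cannot be opened) deserves at least a warning when the configuration is loaded rather than surfacing as a verification failure on the first connection; that may be handled in the config checker, which is not visible here. The `parse_transport_option` pairs are also duplicated verbatim between the DoH and TLS loops, so a static helper such as `parse_transport_verification_options(obj, transport)` would keep the two call sites from drifting. add_doh_transports begins before the hunk.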
--- a/bin/tests/system/checkconf/good-dot-doh-tls-nokeycert.conf
+++ b/bin/tests/system/checkconf/good-dot-doh-tls-nokeycert.conf
@@ -14,4 +14,5 @@
 # In some cases a "tls" statement may omit key-file and cert-file. tls local-tls { protocols {TLSv1.2;};
+ hostname "fqdn.example.com";
 };
diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index 8179d3a368..8a6c7ee67c 100644
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -294,7 +294,7 @@ The following statements are supported: Declares communication channels to get access to :iscman:`named` statistics. ``tls``
- Specifies configuration information for a TLS connection, including a ``key-file``, ``cert-file``, ``dhparam-file``, ``ciphers``, ``protocols``, ``prefer-server-ciphers``, and ``session-tickets``.
+ Specifies configuration information for a TLS connection, including a ``key-file``, ``cert-file``, ``ca-file``, ``dhparam-file``, ``hostname``, ``ciphers``, ``protocols``, ``prefer-server-ciphers``, and ``session-tickets``.
 ``http`` Specifies configuration information for an HTTP connection, including ``endponts``, ``listener-clients`` and ``streams-per-connection``.
@@ -4803,6 +4803,9 @@ The following options can be specified in a ``tls`` statement: Path to a file containing the TLS certificate to be used for the connection.
+ ``ca-file``
+ Path to a file containing trusted TLS certificates.
+
 ``dhparam-file`` Path to a file containing Diffie-Hellman parameters, which is needed to enable the cipher suites depending on the
@@ -4810,6 +4813,9 @@ The following options can be specified in a ``tls`` statement: specified is essential for enabling perfect forward secrecy capable ciphers in TLSv1.2.
+ ``hostname``
+ The hostname associated with the certificate.
+
 ``protocols`` Allowed versions of the TLS protocol. TLS version 1.2 and higher are supported, depending on the cryptographic library in use. Multiple
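Review bot: This fixture now exercises `hostname` but not `ca-file`, although both clauses are enabled by the same change, so a parse regression in `ca-file` would not be caught by the checkconf good-config tests. If named-checkconf does not open the referenced file, a constructed line such as `ca-file "ca.pem";` beside the new `hostname` line covers it; otherwise the fixture needs to reference a certificate file that already exists in the test tree. A short comment on why `hostname` is valid for a `tls` block that has no key and certificate would also help the next reader, since the existing comment only explains the missing key-file/cert-file.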
diff --git a/doc/man/named.conf.5in b/doc/man/named.conf.5in
index 08ed18584e..406cdfa5c2 100644
--- a/doc/man/named.conf.5in
+++ b/doc/man/named.conf.5in
@@ -634,9 +634,11 @@ statistics\-channels { .nf .ft C tls string {
+ ca\-file quoted_string;
 cert\-file quoted_string;
 ciphers string;
 dhparam\-file quoted_string;
+ hostname quoted_string;
 key\-file quoted_string;
 prefer\-server\-ciphers boolean;
 protocols { string; ... };
diff --git a/doc/misc/options b/doc/misc/options
index 673cd3b791..eb86067902 100644
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -449,9 +449,11 @@ statistics-channels { }; // may occur multiple times tls {
+ ca-file ;
 cert-file ;
 ciphers ;
 dhparam-file ;
+ hostname ;
 key-file ;
 prefer-server-ciphers ;
 protocols { ; ... };
diff --git a/doc/misc/options.active b/doc/misc/options.active
index f95a901876..2d832b57d2 100644
--- a/doc/misc/options.active
+++ b/doc/misc/options.active
@@ -445,9 +445,11 @@ statistics-channels { }; // may occur multiple times tls {
+ ca-file ;
 cert-file ;
 ciphers ;
 dhparam-file ;
+ hostname ;
 key-file ;
 prefer-server-ciphers ;
 protocols { ; ... };
diff --git a/doc/misc/tls.grammar.rst b/doc/misc/tls.grammar.rst
index 8e572e15ec..fec9c738cc 100644
--- a/doc/misc/tls.grammar.rst
+++ b/doc/misc/tls.grammar.rst
@@ -12,9 +12,11 @@
 :: tls {
+ ca-file ;
 cert-file ;
 ciphers ;
 dhparam-file ;
+ hostname ;
 key-file ;
 prefer-server-ciphers ;
 protocols { ; ... };
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 203e066926..14499fbdea 100644
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -3936,14 +3936,8 @@ static cfg_type_t cfg_type_tlsprotos = { "tls_protocols", static cfg_clausedef_t tls_clauses[] = { { "key-file", &cfg_type_qstring, 0 },
 { "cert-file", &cfg_type_qstring, 0 },
-#if 0
- /*
- * The following two options need to remain unavailable until TLS
- * certificate verification gets implemented.
- */
 { "ca-file", &cfg_type_qstring, 0 },
 { "hostname", &cfg_type_qstring, 0 },
-#endif
 { "dhparam-file", &cfg_type_qstring, 0 },
 { "protocols", &cfg_type_tlsprotos, 0 },
 { "ciphers", &cfg_type_astring, 0 },
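Review bot: `hostname` is declared with cfg_type_qstring, so the grammar accepts any quoted string — empty, containing spaces, or not a valid DNS name — and nothing in this hunk narrows it. Given that the deleted comment tied these two clauses to TLS certificate verification, a malformed `hostname` would presumably only show up as a verification failure at connection time, and an empty `ca-file` path likewise; checking both in the static config checker (non-empty, `hostname` syntactically a host name) would turn that into a clear error at startup. That checker is outside this hunk, so this may already be covered elsewhere in the change. tls_clauses[] continues past the end of the hunk.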