- tls-win-cert option that adds the system certificate store for authenticating DNS-over-TLS connections. It can be used instead of the tls-cert-bundle option, or with it to add certificates.


git-svn-id: file:///svn/unbound/trunk@4698 be551aaa-1e26-0410-a405-d3ace91eadb9
Wouter Wijngaards 2018-05-28 14:15:06 +00:00
parent 5a726fb61f
commit 1a0bd1a150
9 changed files with 3095 additions and 3032 deletions


@ -1,6 +1,9 @@
28 May 2018: Wouter 28 May 2018: Wouter
- Fix windows tcp and tls spin on events. - Fix windows tcp and tls spin on events.
- Add routine from getdns to add windows cert store to the SSL_CTX. - Add routine from getdns to add windows cert store to the SSL_CTX.
- tls-win-cert option that adds the system certificate store for
authenticating DNS-over-TLS connections. It can be used instead
of the tls-cert-bundle option, or with it to add certificates.
25 May 2018: Wouter 25 May 2018: Wouter
- For TCP and TLS connections that don't establish, perform address - For TCP and TLS connections that don't establish, perform address


@ -681,6 +681,9 @@ server:
# Certificates used to authenticate connections made upstream. # Certificates used to authenticate connections made upstream.
# tls-cert-bundle: "" # tls-cert-bundle: ""
# Add system certs to the cert bundle, from the Windows Cert Store
# tls-win-cert: no
# Also serve tls on these port numbers (eg. 443, ...), by listing # Also serve tls on these port numbers (eg. 443, ...), by listing
# additional-tls-port: portno for each of the port numbers. # additional-tls-port: portno for each of the port numbers.


@ -403,6 +403,8 @@ Enabled or disable whether the upstream queries use TLS only for transport.
Default is no. Useful in tunneling scenarios. The TLS contains plain DNS in Default is no. Useful in tunneling scenarios. The TLS contains plain DNS in
TCP wireformat. The other server must support this (see TCP wireformat. The other server must support this (see
\fBtls\-service\-key\fR). \fBtls\-service\-key\fR).
If you enable this, also configure a tls\-cert\-bundle or use tls\-win\cert to
load CA certs, otherwise the connections cannot be authenticated.
.TP .TP
.B ssl\-upstream: \fI<yes or no> .B ssl\-upstream: \fI<yes or no>
Alternate syntax for \fBtls\-upstream\fR. If both are present in the config Alternate syntax for \fBtls\-upstream\fR. If both are present in the config
@ -444,6 +446,12 @@ urls, and also DNS over TLS connections.
.B ssl\-cert\-bundle: \fI<file> .B ssl\-cert\-bundle: \fI<file>
Alternate syntax for \fBtls\-cert\-bundle\fR. Alternate syntax for \fBtls\-cert\-bundle\fR.
.TP .TP
.B tls\-win\-cert: \fI<yes or no>
Add the system certificates to the cert bundle certificates for authentication.
If no cert bundle, it uses only these certificates. Default is no.
On windows this option uses the certificates from the cert store. Use
the tls\-cert\-bundle option on other systems.
.TP
.B additional\-tls\-port: \fI<portnr> .B additional\-tls\-port: \fI<portnr>
List portnumbers as additional\-tls\-port, and when interfaces are defined, List portnumbers as additional\-tls\-port, and when interfaces are defined,
eg. with the @port suffix, as this port number, they provide dns over TLS eg. with the @port suffix, as this port number, they provide dns over TLS
@ -1490,6 +1498,8 @@ The default is no.
.B forward\-tls\-upstream: \fI<yes or no> .B forward\-tls\-upstream: \fI<yes or no>
Enabled or disable whether the queries to this forwarder use TLS for transport. Enabled or disable whether the queries to this forwarder use TLS for transport.
Default is no. Default is no.
If you enable this, also configure a tls\-cert\-bundle or use tls\-win\cert to
load CA certs, otherwise the connections cannot be authenticated.
.TP .TP
.B forward\-ssl\-upstream: \fI<yes or no> .B forward\-ssl\-upstream: \fI<yes or no>
Alternate syntax for \fBforward\-tls\-upstream\fR. Alternate syntax for \fBforward\-tls\-upstream\fR.


@ -456,6 +456,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
else S_STR("ssl-service-pem:", ssl_service_pem) else S_STR("ssl-service-pem:", ssl_service_pem)
else S_NUMBER_NONZERO("ssl-port:", ssl_port) else S_NUMBER_NONZERO("ssl-port:", ssl_port)
else S_STR("tls-cert-bundle:", tls_cert_bundle) else S_STR("tls-cert-bundle:", tls_cert_bundle)
else S_YNO("tls-win-cert:", tls_win_cert)
else S_STRLIST("additional-tls-port:", additional_tls_port) else S_STRLIST("additional-tls-port:", additional_tls_port)
else S_YNO("interface-automatic:", if_automatic) else S_YNO("interface-automatic:", if_automatic)
else S_YNO("use-systemd:", use_systemd) else S_YNO("use-systemd:", use_systemd)
@ -876,6 +877,7 @@ config_get_option(struct config_file* cfg, const char* opt,
else O_STR(opt, "ssl-service-pem", ssl_service_pem) else O_STR(opt, "ssl-service-pem", ssl_service_pem)
else O_DEC(opt, "ssl-port", ssl_port) else O_DEC(opt, "ssl-port", ssl_port)
else O_STR(opt, "tls-cert-bundle", tls_cert_bundle) else O_STR(opt, "tls-cert-bundle", tls_cert_bundle)
else O_YNO(opt, "tls-win-cert", tls_win_cert)
else O_LST(opt, "additional-tls-port", additional_tls_port) else O_LST(opt, "additional-tls-port", additional_tls_port)
else O_YNO(opt, "use-systemd", use_systemd) else O_YNO(opt, "use-systemd", use_systemd)
else O_YNO(opt, "do-daemonize", do_daemonize) else O_YNO(opt, "do-daemonize", do_daemonize)
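Review bot: `S_YNO("tls-win-cert:", tls_win_cert)` accepts `yes` on every platform, yet the man page added in this commit says the option only draws on the Windows cert store and that other systems must use tls-cert-bundle, so nothing here stops an operator on a non-Windows build from setting `tls-win-cert: yes` as the sole CA source and believing upstream DoT is authenticated when no trust anchors were loaded. The warning probably belongs where the SSL_CTX is built or in the checkconf path rather than in this option table (neither is visible on this page), e.g. when `tls_win_cert` is set, `tls_cert_bundle` is empty and the build lacks the Windows store: `log_warn("tls-win-cert has no effect on this platform; set tls-cert-bundle to authenticate upstream TLS");`. The `tls_win_cert` member of `struct config_file` is not added by this commit; presumably it arrived with parent 5a726fb61f, worth confirming. Both `config_set_option` and `config_get_option` continue outside their hunks. Unrelatedly, the man page hunks spell the option `tls\-win\cert` twice, where `\c` is a troff escape; it should read `tls\-win\-cert`.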

File diff suppressed because it is too large


@ -238,6 +238,7 @@ ssl-port{COLON} { YDVAR(1, VAR_SSL_PORT) }
tls-port{COLON} { YDVAR(1, VAR_SSL_PORT) } tls-port{COLON} { YDVAR(1, VAR_SSL_PORT) }
ssl-cert-bundle{COLON} { YDVAR(1, VAR_TLS_CERT_BUNDLE) } ssl-cert-bundle{COLON} { YDVAR(1, VAR_TLS_CERT_BUNDLE) }
tls-cert-bundle{COLON} { YDVAR(1, VAR_TLS_CERT_BUNDLE) } tls-cert-bundle{COLON} { YDVAR(1, VAR_TLS_CERT_BUNDLE) }
tls-win-cert{COLON} { YDVAR(1, VAR_TLS_WIN_CERT) }
additional-ssl-port{COLON} { YDVAR(1, VAR_ADDITIONAL_TLS_PORT) } additional-ssl-port{COLON} { YDVAR(1, VAR_ADDITIONAL_TLS_PORT) }
additional-tls-port{COLON} { YDVAR(1, VAR_ADDITIONAL_TLS_PORT) } additional-tls-port{COLON} { YDVAR(1, VAR_ADDITIONAL_TLS_PORT) }
use-systemd{COLON} { YDVAR(1, VAR_USE_SYSTEMD) } use-systemd{COLON} { YDVAR(1, VAR_USE_SYSTEMD) }
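Review bot: `tls-win-cert{COLON}` is added without an `ssl-win-cert` spelling, while every neighbouring TLS keyword in this hunk (`ssl-cert-bundle`/`tls-cert-bundle`, `ssl-port`/`tls-port`, `additional-ssl-port`/`additional-tls-port`) accepts both. If the alias is intended, add `ssl-win-cert{COLON} { YDVAR(1, VAR_TLS_WIN_CERT) }` beside the new rule; if the option is meant to exist only under the tls- name, a one-line comment saying so would save the next reader the question. The lexer's rule table continues outside the hunk.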

File diff suppressed because it is too large


@ -283,7 +283,8 @@ extern int yydebug;
VAR_ADDITIONAL_TLS_PORT = 493, VAR_ADDITIONAL_TLS_PORT = 493,
VAR_LOW_RTT = 494, VAR_LOW_RTT = 494,
VAR_LOW_RTT_PERMIL = 495, VAR_LOW_RTT_PERMIL = 495,
VAR_ALLOW_NOTIFY = 496 VAR_ALLOW_NOTIFY = 496,
VAR_TLS_WIN_CERT = 497
}; };
#endif #endif
/* Tokens. */ /* Tokens. */
@ -526,6 +527,7 @@ extern int yydebug;
#define VAR_LOW_RTT 494 #define VAR_LOW_RTT 494
#define VAR_LOW_RTT_PERMIL 495 #define VAR_LOW_RTT_PERMIL 495
#define VAR_ALLOW_NOTIFY 496 #define VAR_ALLOW_NOTIFY 496
#define VAR_TLS_WIN_CERT 497
/* Value type. */ /* Value type. */
#if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
@ -536,7 +538,7 @@ union YYSTYPE
char* str; char* str;
#line 540 "util/configparser.h" /* yacc.c:1909 */ #line 542 "util/configparser.h" /* yacc.c:1909 */
}; };
typedef union YYSTYPE YYSTYPE; typedef union YYSTYPE YYSTYPE;


@ -157,7 +157,7 @@ extern struct config_parser_state* cfg_parser;
%token VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM VAR_FOR_UPSTREAM %token VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM VAR_FOR_UPSTREAM
%token VAR_AUTH_ZONE VAR_ZONEFILE VAR_MASTER VAR_URL VAR_FOR_DOWNSTREAM %token VAR_AUTH_ZONE VAR_ZONEFILE VAR_MASTER VAR_URL VAR_FOR_DOWNSTREAM
%token VAR_FALLBACK_ENABLED VAR_ADDITIONAL_TLS_PORT VAR_LOW_RTT VAR_LOW_RTT_PERMIL %token VAR_FALLBACK_ENABLED VAR_ADDITIONAL_TLS_PORT VAR_LOW_RTT VAR_LOW_RTT_PERMIL
%token VAR_ALLOW_NOTIFY %token VAR_ALLOW_NOTIFY VAR_TLS_WIN_CERT
%% %%
toplevelvars: /* empty */ | toplevelvars toplevelvar ; toplevelvars: /* empty */ | toplevelvars toplevelvar ;
@ -249,7 +249,7 @@ content_server: server_num_threads | server_verbosity | server_port |
server_ipsecmod_whitelist | server_ipsecmod_strict | server_ipsecmod_whitelist | server_ipsecmod_strict |
server_udp_upstream_without_downstream | server_aggressive_nsec | server_udp_upstream_without_downstream | server_aggressive_nsec |
server_tls_cert_bundle | server_additional_tls_port | server_low_rtt | server_tls_cert_bundle | server_additional_tls_port | server_low_rtt |
server_low_rtt_permil server_low_rtt_permil | server_tls_win_cert
; ;
stubstart: VAR_STUB_ZONE stubstart: VAR_STUB_ZONE
{ {
@ -688,6 +688,15 @@ server_tls_cert_bundle: VAR_TLS_CERT_BUNDLE STRING_ARG
cfg_parser->cfg->tls_cert_bundle = $2; cfg_parser->cfg->tls_cert_bundle = $2;
} }
; ;
server_tls_win_cert: VAR_TLS_WIN_CERT STRING_ARG
{
OUTYY(("P(server_tls_win_cert:%s)\n", $2));
if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
yyerror("expected yes or no.");
else cfg_parser->cfg->tls_win_cert = (strcmp($2, "yes")==0);
free($2);
}
;
server_additional_tls_port: VAR_ADDITIONAL_TLS_PORT STRING_ARG server_additional_tls_port: VAR_ADDITIONAL_TLS_PORT STRING_ARG
{ {
OUTYY(("P(server_additional_tls_port:%s)\n", $2)); OUTYY(("P(server_additional_tls_port:%s)\n", $2));