diff --git a/config.h.in b/config.h.in
index 59fa60745..5ffb7c43c 100644
--- a/config.h.in
+++ b/config.h.in
@@ -1136,6 +1136,9 @@
 #endif
+/* Define to 1 to prefer TLS crypto settings from the system. */
+#undef USE_SYSTEM_TLS
+
 /* Define this to enable server TCP Fast Open. */
 #undef USE_TCP_FASTOPEN
diff --git a/configure b/configure
index b5ca5e4a7..3e4e92200 100755
--- a/configure
+++ b/configure
@@ -669,6 +669,7 @@ SOURCEFILE
 SOURCEDETERMINE
 IPSET_OBJ
 IPSET_SRC
+SYSTEM_TLS_DEFAULT
 IPSECMOD_HEADER
 IPSECMOD_OBJ
 CACHEDB_OBJ
@@ -936,6 +937,7 @@ enable_dnscrypt
 with_libsodium
 enable_cachedb
 enable_ipsecmod
+enable_system_tls
 enable_ipset
 with_libmnl
 enable_explicit_port_randomisation
@@ -1641,6 +1643,8 @@ Optional Features:
 storage
 --enable-ipsecmod Enable ipsecmod module that facilitates opportunistic
 IPsec
+ --enable-system-tls Enable preference of system configured TLS socket
+ options
 --enable-ipset enable ipset module
 --disable-explicit-port-randomisation
 disable explicit source port randomisation and rely
@@ -25102,6 +25106,26 @@ printf "%s\n" "#define USE_IPSECMOD 1" >>confdefs.h
 ;;
 esac
+# check for system TLS preference if requested
+# Check whether --enable-system-tls was given.
+if test ${enable_system_tls+y}
+then :
+ enableval=$enable_system_tls;
+fi
+
+case "$enable_system_tls" in
+ yes)
+
+printf "%s\n" "#define USE_SYSTEM_TLS 1" >>confdefs.h
+
+ SYSTEM_TLS_DEFAULT="yes"
+ ;;
+ no|*)
+ SYSTEM_TLS_DEFAULT="no"
+ ;;
+esac
+
+
 # check for ipset if requested
 # Check whether --enable-ipset was given.
 if test ${enable_ipset+y}
diff --git a/configure.ac b/configure.ac
index 996240448..7317aad60 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2085,11 +2085,13 @@ AC_ARG_ENABLE(system-tls, AS_HELP_STRING([--enable-system-tls],[Enable preferenc
 case "$enable_system_tls" in
 yes)
 AC_DEFINE([USE_SYSTEM_TLS], [1], [Define to 1 to prefer TLS crypto settings from the system.])
+ SYSTEM_TLS_DEFAULT="yes"
 ;;
 no|*)
- # nothing
+ SYSTEM_TLS_DEFAULT="no"
 ;;
 esac
+AC_SUBST([SYSTEM_TLS_DEFAULT])
 # check for ipset if requested
 AC_ARG_ENABLE(ipset, AS_HELP_STRING([--enable-ipset],[enable ipset module]))
diff --git a/doc/Changelog b/doc/Changelog
index 5e5009a15..fdfefb32a 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,8 @@
+9 February 2026: Wouter
+ - Merge #1401: Add a new build-time option for system TLS.
+ The --enable-system-tls flag enables the
+ tls-use-system-policy-versions setting by default.
+
 6 February 2026: Yorgos
 - Fix #1389: [FR] replacement with ECC-GOST12 according to RFC9558.
 Patch contributed by Igor V. Ruzanov, available in
diff --git a/doc/example.conf.in b/doc/example.conf.in
index c9a2c6300..d5499b356 100644
--- a/doc/example.conf.in
+++ b/doc/example.conf.in
@@ -971,8 +971,8 @@ server:
 # Allow general-purpose version-flexible TLS server configuration that
 # may be further restricted by the system's policy.
 # Use only if you want to support legacy TLS client connections.
- # Default is no and Unbound will only use the latest available TLS
- # version.
+ # Default is a compilation choice.
+ # With 'no' Unbound will only use the latest available TLS version.
 # Changing the value requires a reload.
 # tls-use-system-policy-versions: no
diff --git a/doc/unbound.conf.rst b/doc/unbound.conf.rst
index 953ed04a3..885bd8deb 100644
--- a/doc/unbound.conf.rst
+++ b/doc/unbound.conf.rst
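Review bot: The `no|*)` arm maps every value other than the literal `yes` — including a mistyped `--enable-system-tls=yse` — to `SYSTEM_TLS_DEFAULT="no"` without any message, and this change now feeds that value into the documented default, so a mis-spelled option silently builds the opposite TLS-version policy from what the packager intended. The `AC_ARG_ENABLE` that defines the option sits in the hunk header, outside the hunk. Consider rejecting unknown values with a separate `no)` arm and `*) AC_MSG_ERROR([unknown value for --enable-system-tls: $enable_system_tls]) ;;`, or at least reporting the outcome with `AC_MSG_RESULT([$SYSTEM_TLS_DEFAULT])` so the chosen default is visible in the configure output.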
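Review bot: The new comment says the default is a compilation choice, but the commented-out setting two lines below still reads `# tls-use-system-policy-versions: no`, so a reader of the example config still sees `no` presented as the default even on a build that set it to yes. Since this file is a `.in` template and the commit adds `AC_SUBST([SYSTEM_TLS_DEFAULT])`, the line could presumably become `# tls-use-system-policy-versions: @SYSTEM_TLS_DEFAULT@`, assuming configure processes example.conf.in — confirm that against the project's AC_CONFIG_FILES list.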
@@ -1178,19 +1178,22 @@ These options are part of the ``server:`` section.
 @@UAHL@unbound.conf@tls-use-system-policy-versions@@: **
- Enable or disable general-puspose version-flexible TLS server configuration
+ Enable or disable general-purpose version-flexible TLS server configuration
 when serving TLS. This will allow the whole list of available TLS versions provided by the crypto library, which may have been further restricted by the system's crypto policy.
- By default Unbound only uses the latest available TLS version.
+ If disabled Unbound only uses the latest available TLS version.
+
+ The default depends on a compilation choice, it is set
+ at @SYSTEM_TLS_DEFAULT@ .
 .. caution::
 Use only if you want to support legacy TLS client connections.
 .. note::
 Changing the value requires a reload.
- Default: no
+ Default: @SYSTEM_TLS_DEFAULT@
 @@UAHL@unbound.conf@pad-responses@@: **