Skip to content

Resolve #2795, #2796: implement TLS configuration options to make it possible to specify supported TLS versions and implement perfect forward secrecy for DoH and DoT

Artem Boldariev requested to merge artem/tls-protocols-conf into main

This merge request adds the following configuration options to the tls clauses:

  • protocols { TLSv1.2; TLSv1.3; }; to specify supported TLS protocol versions;
  • dhparam-file "<path_to_file>"; to specify Diffie-Hellman parameters;
  • ciphers "<cipher_list>"; to specify OpenSSL ciphers list;
  • prefer-server-ciphers yes|no; to assert server or client ciphers preference;
  • session-tickets yes|no; to explicitly enable or disable stateless TLS session tickets (see RFC5077).

These options allow finer control over TLS protocol features and make it possible to achieve perfect forward secrecy for DNS-over-TLS and DNS-over-HTTPS as well as to disable TLSv1.2 to make it possible to improve compliance with RFC9103 on the platforms where a cryptographic library with TLSv1.3 support is available.

tls local-tls {
    key-file "/home/artem/projects/isc/open/ssl/privkey.pem";
    cert-file "/home/artem/projects/isc/open/ssl/fullchain.pem";
    dhparam-file "/home/artem/projects/isc/open/ssl/dhparam3072.pem";
    ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
    prefer-server-ciphers yes;
    session-tickets no;
};

g1

The options are strongly inspired by the similar options available in NGINX.

Also, the MR adds strict verification of the validity of the tls clauses.

It should be noted that support for most of these options was added into the configuration file in December 2020, but they remain essentially no-op until this merge request gets merged.

Closes #2795 (closed) #2796 (closed)

Edited by Artem Boldariev

Merge request reports