XoT: add support for client-side TLS parameters for incoming XFRs, add 'tls' name configuration validation on secondaries
This merge request adds support for client-side TLS parameters to XoT.
Prior to this commit, all client-side TLS contexts used default parameters only, ignoring the options from BIND's configuration file even when a valid 'tls' configuration was specified, like in:
```
tls tls-v1.2-pfs {
    protocols { TLSv1.2; };
    ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
    prefer-server-ciphers no;
};

zone "example" {
    type secondary;
    primaries { 10.53.0.1 tls tls-v1.2-pfs; }; // only "ephemeral" was truly supported here before
    file "example.db";
    allow-transfer { any; };
};
```
Currently, the following tls parameters are supported:
- protocols;
- ciphers;
- prefer-server-ciphers.
Also, this merge request ensures that the tls name specified in the 'primaries' clause of a zone statement is a valid one (defined).
Prior to that, an invalid configuration would be silently accepted, leading to failures earlier:
```
zone "example" {
    type secondary;
    primaries { 10.53.0.1 tls an-undefined-tls-configuration; };
    file "example.db";
    allow-transfer { any; };
};
```
In addition to that, it fixes a logical mistake in the code which would lead to an abort() on systems with ancient OpenSSL versions, like Red Hat Linux 7 (on startup or zone transfer via XoT; the latter was possible only in this branch).
Partially addresses #2450
In a way, it is also a substitute for #2992, which has no chance of making it into 9.18.
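As an added illustration (not code from this merge request or from BIND itself), the following Python checker mirrors the two behaviours described above: it reads the `protocols`, `ciphers` and `prefer-server-ciphers` values of every `tls` block and reports any `tls` name in a secondary zone's `primaries` clause that is never defined. The config fragment, the `BUILTIN_TLS` set and the `check_config` helper are assumptions of this example, not part of BIND.

```python
import re
# Constructed named.conf fragment (not from the merge request): one defined tls
# block, a zone that uses it, and a zone whose primaries name an undefined one.
SAMPLE_CONF = '''
tls tls-v1.2-pfs {
    protocols { TLSv1.2; };
    ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1";
    prefer-server-ciphers no;
};
zone "example" { type secondary; primaries { 10.53.0.1 tls tls-v1.2-pfs; }; };
zone "broken" { type secondary; primaries { 10.53.0.2 tls no-such-tls; }; };
'''
BUILTIN_TLS = {"ephemeral"}  # assumption: the only built-in tls name in BIND
def top_level_statements(conf):
    """Split conf into (head words, body); brace depth keeps nested blocks inside."""
    out, depth, start, head_end = [], 0, 0, 0
    for i, ch in enumerate(conf):
        if ch == "{":
            head_end = i if depth == 0 else head_end
            depth += 1
        elif ch == "}" and (depth := depth - 1) == 0:
            out.append((conf[start:head_end].split(), conf[head_end + 1:i]))
        elif ch == ";" and depth == 0:
            start = i + 1
    return out
def parse_tls_block(body):
    """Extract the three tls parameters the merge request starts honouring."""
    proto = re.search(r"\bprotocols\s*\{([^}]*)\}", body)
    ciph = re.search(r'\bciphers\s*"([^"]*)"', body)
    pref = re.search(r"\bprefer-server-ciphers\s+(yes|no)\b", body)
    return {"protocols": re.findall(r"[\w.]+", proto.group(1)) if proto else [],
            "ciphers": ciph.group(1) if ciph else None,
            "prefer-server-ciphers": (pref.group(1) == "yes") if pref else None}

def check_config(conf):
    """Return (errors, resolved): undefined tls names in secondary zones' primaries
    and the effective tls parameters each zone will use for its XFR."""
    stmts = top_level_statements(conf)
    tls = {h[1]: parse_tls_block(b) for h, b in stmts if h[:1] == ["tls"]}
    errors, resolved = [], {}
    for head, body in stmts:
        if head[:1] != ["zone"] or "type secondary" not in body:
            continue
        zone, prim = head[1].strip('"'), re.search(r"\bprimaries\s*\{([^}]*)\}", body)
        for name in re.findall(r"\btls\s+([\w.-]+)", prim.group(1) if prim else ""):
            if name in tls or name in BUILTIN_TLS:
                resolved[zone] = tls.get(name, {"builtin": name})
            else:
                errors.append(f'zone "{zone}": undefined tls "{name}" in primaries')
    return errors, resolved
```

Running `check_config(SAMPLE_CONF)` flags the "broken" zone and resolves the "example" zone to TLSv1.2 with the configured cipher list and `prefer-server-ciphers` off.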