XoT: add support client-side TLS parameters for incoming XFRs, add 'tls' name configuration validation on secondaries
This merge request adds support for client-side TLS parameters to XoT.
Prior to this commit all client-side TLS contexts were using default parameters only, ignoring the options from the BIND's configuration file, even when a valid 'tls' configuration was specified, like in:
tls tls-v1.2-pfs {
protocols { TLSv1.2; };
ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
prefer-server-ciphers no;
};
zone "example" {
type secondary;
primaries { 10.53.0.1 tls tls-v1.2-pfs; }; // only "ephemeral" were truly supported here before
file "example.db";
allow-transfer { any; };
};Currently, the following tls parameters are supported:
- protocols;
- ciphers;
- prefer-server-ciphers.
Also, this merge request ensures that the tls name specified in the 'primaries'
clause of a zone statement is a valid one (defined).
Prior to that an invalid configuration would be silently accepted, leading to failures earlier:
zone "example" {
type secondary;
primaries { 10.53.0.1 tls an-undefined-tls-configuration; };
file "example.db";
allow-transfer { any; };
};Additionally to that, it fixes a logical mistake in the code, which will lead to on abort() on systems with ancient OpenSSL versions, like Red Hat Linux 7 (on startup or zone transfer via XoT, the latter was possible only in this branch).
Partially addresses #2450
In a way, it is also a substitute for a #2992, which has no chance to make it into the 9.18.