stubby: add support for TLS configuration options

- tls_cipher_list
- tls_ciphersuites
- tls_min_version
- tls_max_version

Signed-off-by: Jonathan G. Underwood <jonathan.underwood@gmail.com>
Jonathan G. Underwood
2019-05-10 21:16:05 +01:00
parent b0cc47b143
commit 1a0df27ed2
3 changed files with 124 additions and 3 deletions
+52 -1
@@ -372,7 +372,33 @@ The possible levels are:
This option specifies additional command line arguments for
stubby daemon. By default, this is an empty string.
#### `option tls_cipher_list`
If set, this specifies the acceptable ciphers for DNS over TLS. With OpenSSL
1.1.1 this list is for TLS1.2 and older only. Ciphers for TLS1.3 should be set
with the `tls_ciphersuites` option. This option can also be given per upstream
resolver. By default, this option is not set.
#### `option tls_ciphersuites`
If set, this specifies the acceptable cipher for DNS over TLS1.3. OpenSSL
version 1.1.1 or greater is required for this option. This option can also be
given per upstream resolver. By default, this option is not set.
#### `option tls_min_version`
If set, this specifies the minimum acceptable TLS version. Works with OpenSSL
1.1.1 or greater only. This option can also be given per upstream resolver. By
default, this option is not set.
#### `option tls_max_version`
If set, this specifies the maximum acceptable TLS version. Works with OpenSSL
1.1.1 or greater only. This option can also be given per upstream resolver. By
default, this option is not set.
### `resolver` section options
#### `option address`
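Review bot: the new `tls_ciphersuites` entry says "the acceptable cipher" in the singular, while the option name and the OpenSSL term are plural; "the acceptable ciphersuites" would match the wording of `tls_cipher_list` just above it. More importantly, none of the four new entries say what form the value takes: `tls_cipher_list` and `tls_ciphersuites` are presumably OpenSSL cipher strings and `tls_min_version`/`tls_max_version` version names, but without one example value per option a reader cannot tell how to spell a version or what happens if the string is rejected. A sentence on what happens when `tls_min_version` is set higher than `tls_max_version` (error at startup, or silently no usable version) would also save operators a debugging round.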
@@ -390,6 +416,31 @@ the supplied server certificate
This option specifies the TLS port for the upstream resolver. If not specified,
this defaults to 853.
#### `option tls_cipher_list`
If set, this specifies the acceptable ciphers for DNS over TLS. With OpenSSL
1.1.1 this list is for TLS1.2 and older only. Ciphers for TLS1.3 should be set
with the `tls_ciphersuites` option. By default, this option is not set. If set,
this overrides the global value.
#### `option tls_ciphersuites`
If set, this specifies the acceptable cipher for DNS over TLS1.3. OpenSSL
version 1.1.1 or greater is required for this option. By default, this option is
not set. If set, this overrides the global value.
#### `option tls_min_version`
If set, this specifies the minimum acceptable TLS version. Works with OpenSSL
1.1.1 or greater only. By default, this option is not set. If set, this
overrides the global value.
#### `option tls_max_version`
If set, this specifies the maximum acceptable TLS version. Works with OpenSSL
1.1.1 or greater only. By default, this options is not set. If set, this
overrides the global value.
#### `list spki`
This list specifies the SPKI pinset which is verified against the keys in the
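Review bot: typo in the per-resolver `tls_max_version` entry: "this options is not set" should read "this option is not set". The four per-resolver entries also repeat the global text almost verbatim; a single sentence per option ("Same as the global `tls_cipher_list`, but applied to this resolver only; if set, it overrides the global value") would keep the two sections from drifting apart when one is edited later. Finally, "this overrides the global value" leaves open whether a per-resolver `tls_min_version` lower than the global one is accepted; that is worth stating explicitly, since an operator may reasonably expect the global setting to act as a floor rather than a default.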