stubby: add support for TLS configuration options

- tls_cipher_list - tls_ciphersuites - tls_min_version - tls_max_version Signed-off-by: Jonathan G. Underwood <jonathan.underwood@gmail.com>
2026-04-30 15:38:40 +01:00 · 2019-05-10 21:16:05 +01:00
parent eec23a91b3
commit 28c328d666
3 changed files with 124 additions and 3 deletions
@@ -38,6 +38,10 @@ generate_config()
    local upstream_recursive_servers_section=0
    local command_line_arguments
    local log_level
+    local tls_cipher_list
+    local tls_ciphersuites
+    local tls_min_version
+    local tls_max_version

    # Generate configuration. See: https://github.com/getdnsapi/stubby/blob/develop/stubby.yml.example
    echo "# Autogenerated configuration from uci data" > "$config_file"
@@ -93,6 +97,26 @@ generate_config()
    config_get idle_timeout "global" idle_timeout "10000"
    echo "idle_timeout: $idle_timeout" >> "$config_file"

+    config_get tls_cipher_list "global" tls_cipher_list ""
+    if [ -n "$tls_cipher_list" ]; then
+        echo "tls_cipher_list: \"$tls_cipher_list\"" >> "$config_file"
+    fi
+
+    config_get tls_ciphersuites "global" tls_ciphersuites ""
+    if [ -n "$tls_ciphersuites" ]; then
+        echo "tls_ciphersuites: \"$tls_ciphersuites\"" >> "$config_file"
+    fi
+
+    config_get tls_min_version "global" tls_min_version ""
+    if [ -n "$tls_min_version" ]; then
+        echo "tls_min_version: GETDNS_TLS${tls_min_version/\./_}" >> "$config_file"
+    fi
+
+    config_get tls_max_version "global" tls_max_version ""
+    if [ -n "$tls_max_version" ]; then
+        echo "tls_max_version: GETDNS_TLS${tls_max_version/\./_}" >> "$config_file"
+    fi
+
    handle_listen_address_value()
    {
        local value="$1"
@@ -124,20 +148,46 @@ generate_config()
        local tls_auth_name
        local tls_port
        local tls_pubkey_pinset_section=0
+        local tls_cipher_list
+        local tls_ciphersuites
+        local tls_min_version
+        local tls_max_version

        if [ "$upstream_recursive_servers_section" = 0 ]; then
            echo "upstream_recursive_servers:" >> "$config_file"
            upstream_recursive_servers_section=1
        fi
        config_get address "$config" address
-        config_get tls_auth_name "$config" tls_auth_name
-        config_get tls_auth_port "$config" tls_port ""
        echo "  - address_data: $address" >> "$config_file"
+
+        config_get tls_auth_name "$config" tls_auth_name
        echo "    tls_auth_name: \"$tls_auth_name\"" >> "$config_file"
+
+        config_get tls_auth_port "$config" tls_port ""
        if [ -n "$tls_port" ]; then
            echo "    tls_port: $tls_port"  >> "$config_file"
        fi

+        config_get tls_cipher_list "$config" tls_cipher_list ""
+        if [ -n "$tls_cipher_list" ]; then
+            echo "    tls_cipher_list: \"$tls_cipher_list\"" >> "$config_file"
+        fi
+
+        config_get tls_ciphersuites "$config" tls_ciphersuites ""
+        if [ -n "$tls_ciphersuites" ]; then
+            echo "    tls_ciphersuites: \"$tls_ciphersuites\"" >> "$config_file"
+        fi
+
+        config_get tls_min_version "$config" tls_min_version ""
+        if [ -n "$tls_min_version" ]; then
+            echo "    tls_min_version: GETDNS_TLS${tls_min_version/\./_}" >> "$config_file"
+        fi
+
+        config_get tls_max_version "$config" tls_max_version ""
+        if [ -n "$tls_max_version" ]; then
+            echo "    tls_max_version: GETDNS_TLS${tls_max_version/\./_}" >> "$config_file"
+        fi
+
        handle_resolver_spki()
        {
            local val="$1"