From 1a0df27ed2b3c9564b702808bf80c3d07bc12275 Mon Sep 17 00:00:00 2001 From: "Jonathan G. Underwood" Date: Fri, 10 May 2019 21:16:05 +0100 Subject: [PATCH] stubby: add support for TLS configuration options - tls_cipher_list - tls_ciphersuites - tls_min_version - tls_max_version Signed-off-by: Jonathan G. Underwood --- net/stubby/files/README.md | 53 ++++++++++++++++++++++++++++++++++- net/stubby/files/stubby.conf | 20 +++++++++++++ net/stubby/files/stubby.init | 54 ++++++++++++++++++++++++++++++++++-- 3 files changed, 124 insertions(+), 3 deletions(-) diff --git a/net/stubby/files/README.md b/net/stubby/files/README.md index 1a1f2a2a3..bc5344cd8 100644 --- a/net/stubby/files/README.md +++ b/net/stubby/files/README.md @@ -372,7 +372,33 @@ The possible levels are: This option specifies additional command line arguments for stubby daemon. By default, this is an empty string. - + +#### `option tls_cipher_list` + +If set, this specifies the acceptable ciphers for DNS over TLS. With OpenSSL +1.1.1 this list is for TLS1.2 and older only. Ciphers for TLS1.3 should be set +with the `tls_ciphersuites` option. This option can also be given per upstream +resolver. By default, this option is not set. + +#### `option tls_ciphersuites` + +If set, this specifies the acceptable cipher for DNS over TLS1.3. OpenSSL +version 1.1.1 or greater is required for this option. This option can also be +given per upstream resolver. By default, this option is not set. + +#### `option tls_min_version` + +If set, this specifies the minimum acceptable TLS version. Works with OpenSSL +1.1.1 or greater only. This option can also be given per upstream resolver. By +default, this option is not set. + +#### `option tls_max_version` + +If set, this specifies the maximum acceptable TLS version. Works with OpenSSL +1.1.1 or greater only. This option can also be given per upstream resolver. By +default, this option is not set. + + ### `resolver` section options #### `option address` @@ -390,6 +416,31 @@ the supplied server certificate This option specifies the TLS port for the upstream resolver. If not specified, this defaults to 853. +#### `option tls_cipher_list` + +If set, this specifies the acceptable ciphers for DNS over TLS. With OpenSSL +1.1.1 this list is for TLS1.2 and older only. Ciphers for TLS1.3 should be set +with the `tls_ciphersuites` option. By default, this option is not set. If set, +this overrides the global value. + +#### `option tls_ciphersuites` + +If set, this specifies the acceptable cipher for DNS over TLS1.3. OpenSSL +version 1.1.1 or greater is required for this option. By default, this option is +not set. If set, this overrides the global value. + +#### `option tls_min_version` + +If set, this specifies the minimum acceptable TLS version. Works with OpenSSL +1.1.1 or greater only. By default, this option is not set. If set, this +overrides the global value. + +#### `option tls_max_version` + +If set, this specifies the maximum acceptable TLS version. Works with OpenSSL +1.1.1 or greater only. By default, this options is not set. If set, this +overrides the global value. + #### `list spki` This list specifies the SPKI pinset which is verified against the keys in the diff --git a/net/stubby/files/stubby.conf b/net/stubby/files/stubby.conf index 69240772b..f722a4304 100644 --- a/net/stubby/files/stubby.conf +++ b/net/stubby/files/stubby.conf @@ -19,6 +19,10 @@ config stubby 'global' list listen_address '0::1@5453' # option log_level '7' # option command_line_arguments '' + # option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20' + # option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256' + # option tls_min_version '1.2' + # option tls_max_version '1.3' # Upstream resolvers are specified using 'resolver' sections. config resolver @@ -26,21 +30,37 @@ config resolver option tls_auth_name 'cloudflare-dns.com' # option tls_port 853 # list spki 'sha256/yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=' + # option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20' + # option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256' + # option tls_min_version '1.2' + # option tls_max_version '1.3' config resolver option address '2606:4700:4700::1001' option tls_auth_name 'cloudflare-dns.com' # option tls_port 853 # list spki 'sha256/yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=' + # option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20' + # option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256' + # option tls_min_version '1.2' + # option tls_max_version '1.3' config resolver option address '1.1.1.1' option tls_auth_name 'cloudflare-dns.com' # option tls_port 853 # list spki 'sha256/yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=' + # option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20' + # option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256' + # option tls_min_version '1.2' + # option tls_max_version '1.3' config resolver option address '1.0.0.1' option tls_auth_name 'cloudflare-dns.com' # option tls_port 853 # list spki 'sha256/yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=' + # option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20' + # option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256' + # option tls_min_version '1.2' + # option tls_max_version '1.3' diff --git a/net/stubby/files/stubby.init b/net/stubby/files/stubby.init index 3bd2e6564..cf051a140 100755 --- a/net/stubby/files/stubby.init +++ b/net/stubby/files/stubby.init @@ -38,6 +38,10 @@ generate_config() local upstream_recursive_servers_section=0 local command_line_arguments local log_level + local tls_cipher_list + local tls_ciphersuites + local tls_min_version + local tls_max_version # Generate configuration. See: https://github.com/getdnsapi/stubby/blob/develop/stubby.yml.example echo "# Autogenerated configuration from uci data" > "$config_file" @@ -93,6 +97,26 @@ generate_config() config_get idle_timeout "global" idle_timeout "10000" echo "idle_timeout: $idle_timeout" >> "$config_file" + config_get tls_cipher_list "global" tls_cipher_list "" + if [ -n "$tls_cipher_list" ]; then + echo "tls_cipher_list: \"$tls_cipher_list\"" >> "$config_file" + fi + + config_get tls_ciphersuites "global" tls_ciphersuites "" + if [ -n "$tls_ciphersuites" ]; then + echo "tls_ciphersuites: \"$tls_ciphersuites\"" >> "$config_file" + fi + + config_get tls_min_version "global" tls_min_version "" + if [ -n "$tls_min_version" ]; then + echo "tls_min_version: GETDNS_TLS${tls_min_version/\./_}" >> "$config_file" + fi + + config_get tls_max_version "global" tls_max_version "" + if [ -n "$tls_max_version" ]; then + echo "tls_max_version: GETDNS_TLS${tls_max_version/\./_}" >> "$config_file" + fi + handle_listen_address_value() { local value="$1" @@ -124,20 +148,46 @@ generate_config() local tls_auth_name local tls_port local tls_pubkey_pinset_section=0 + local tls_cipher_list + local tls_ciphersuites + local tls_min_version + local tls_max_version if [ "$upstream_recursive_servers_section" = 0 ]; then echo "upstream_recursive_servers:" >> "$config_file" upstream_recursive_servers_section=1 fi config_get address "$config" address - config_get tls_auth_name "$config" tls_auth_name - config_get tls_auth_port "$config" tls_port "" echo " - address_data: $address" >> "$config_file" + + config_get tls_auth_name "$config" tls_auth_name echo " tls_auth_name: \"$tls_auth_name\"" >> "$config_file" + + config_get tls_auth_port "$config" tls_port "" if [ -n "$tls_port" ]; then echo " tls_port: $tls_port" >> "$config_file" fi + config_get tls_cipher_list "$config" tls_cipher_list "" + if [ -n "$tls_cipher_list" ]; then + echo " tls_cipher_list: \"$tls_cipher_list\"" >> "$config_file" + fi + + config_get tls_ciphersuites "$config" tls_ciphersuites "" + if [ -n "$tls_ciphersuites" ]; then + echo " tls_ciphersuites: \"$tls_ciphersuites\"" >> "$config_file" + fi + + config_get tls_min_version "$config" tls_min_version "" + if [ -n "$tls_min_version" ]; then + echo " tls_min_version: GETDNS_TLS${tls_min_version/\./_}" >> "$config_file" + fi + + config_get tls_max_version "$config" tls_max_version "" + if [ -n "$tls_max_version" ]; then + echo " tls_max_version: GETDNS_TLS${tls_max_version/\./_}" >> "$config_file" + fi + handle_resolver_spki() { local val="$1"