stubby: add support for TLS configuration options

- tls_cipher_list
  - tls_ciphersuites
  - tls_min_version
  - tls_max_version

Signed-off-by: Jonathan G. Underwood <jonathan.underwood@gmail.com>
This commit is contained in:
Jonathan G. Underwood 2019-05-10 21:16:05 +01:00
parent b0cc47b143
commit 1a0df27ed2
3 changed files with 124 additions and 3 deletions


@ -372,7 +372,33 @@ The possible levels are:
This option specifies additional command line arguments for
stubby daemon. By default, this is an empty string.
#### `option tls_cipher_list`
If set, this specifies the acceptable ciphers for DNS over TLS. With OpenSSL
1.1.1 this list is for TLS1.2 and older only. Ciphers for TLS1.3 should be set
with the `tls_ciphersuites` option. This option can also be given per upstream
resolver. By default, this option is not set.
#### `option tls_ciphersuites`
If set, this specifies the acceptable cipher for DNS over TLS1.3. OpenSSL
version 1.1.1 or greater is required for this option. This option can also be
given per upstream resolver. By default, this option is not set.
#### `option tls_min_version`
If set, this specifies the minimum acceptable TLS version. Works with OpenSSL
1.1.1 or greater only. This option can also be given per upstream resolver. By
default, this option is not set.
#### `option tls_max_version`
If set, this specifies the maximum acceptable TLS version. Works with OpenSSL
1.1.1 or greater only. This option can also be given per upstream resolver. By
default, this option is not set.
### `resolver` section options
#### `option address`
@ -390,6 +416,31 @@ the supplied server certificate
This option specifies the TLS port for the upstream resolver. If not specified,
this defaults to 853.
#### `option tls_cipher_list`
If set, this specifies the acceptable ciphers for DNS over TLS. With OpenSSL
1.1.1 this list is for TLS1.2 and older only. Ciphers for TLS1.3 should be set
with the `tls_ciphersuites` option. By default, this option is not set. If set,
this overrides the global value.
#### `option tls_ciphersuites`
If set, this specifies the acceptable cipher for DNS over TLS1.3. OpenSSL
version 1.1.1 or greater is required for this option. By default, this option is
not set. If set, this overrides the global value.
#### `option tls_min_version`
If set, this specifies the minimum acceptable TLS version. Works with OpenSSL
1.1.1 or greater only. By default, this option is not set. If set, this
overrides the global value.
#### `option tls_max_version`
If set, this specifies the maximum acceptable TLS version. Works with OpenSSL
1.1.1 or greater only. By default, this options is not set. If set, this
overrides the global value.
#### `list spki`
This list specifies the SPKI pinset which is verified against the keys in the


@ -19,6 +19,10 @@ config stubby 'global'
list listen_address '0::1@5453'
# option log_level '7'
# option command_line_arguments ''
# option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20'
# option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256'
# option tls_min_version '1.2'
# option tls_max_version '1.3'
# Upstream resolvers are specified using 'resolver' sections.
config resolver
@ -26,21 +30,37 @@ config resolver
option tls_auth_name 'cloudflare-dns.com'
# option tls_port 853
# list spki 'sha256/yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc='
# option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20'
# option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256'
# option tls_min_version '1.2'
# option tls_max_version '1.3'
config resolver
option address '2606:4700:4700::1001'
option tls_auth_name 'cloudflare-dns.com'
# option tls_port 853
# list spki 'sha256/yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc='
# option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20'
# option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256'
# option tls_min_version '1.2'
# option tls_max_version '1.3'
config resolver
option address '1.1.1.1'
option tls_auth_name 'cloudflare-dns.com'
# option tls_port 853
# list spki 'sha256/yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc='
# option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20'
# option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256'
# option tls_min_version '1.2'
# option tls_max_version '1.3'
config resolver
option address '1.0.0.1'
option tls_auth_name 'cloudflare-dns.com'
# option tls_port 853
# list spki 'sha256/yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc='
# option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20'
# option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256'
# option tls_min_version '1.2'
# option tls_max_version '1.3'
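Review bot: The commented examples show `tls_min_version '1.2'` and `tls_max_version '1.3'` without stating what form the value must take; the init script in this same commit turns a `major.minor` string into a `GETDNS_TLS<major>_<minor>` constant, so a user who writes `TLSv1.2` or `1_2` gets a stubby.yml that is likely to be rejected. A comment above the first example, `# tls_min_version / tls_max_version take the TLS version as major.minor, e.g. '1.2' or '1.3'`, would make the accepted form explicit, and the same line fits above the three copies in the resolver sections. Since `tls_cipher_list` uses OpenSSL cipher-string syntax while `tls_ciphersuites` takes TLS 1.3 suite names, a one-line comment naming the two formats would also save readers from mixing them up.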


@ -38,6 +38,10 @@ generate_config()
local upstream_recursive_servers_section=0
local command_line_arguments
local log_level
local tls_cipher_list
local tls_ciphersuites
local tls_min_version
local tls_max_version
# Generate configuration. See: https://github.com/getdnsapi/stubby/blob/develop/stubby.yml.example
echo "# Autogenerated configuration from uci data" > "$config_file"
@ -93,6 +97,26 @@ generate_config()
config_get idle_timeout "global" idle_timeout "10000"
echo "idle_timeout: $idle_timeout" >> "$config_file"
config_get tls_cipher_list "global" tls_cipher_list ""
if [ -n "$tls_cipher_list" ]; then
echo "tls_cipher_list: \"$tls_cipher_list\"" >> "$config_file"
fi
config_get tls_ciphersuites "global" tls_ciphersuites ""
if [ -n "$tls_ciphersuites" ]; then
echo "tls_ciphersuites: \"$tls_ciphersuites\"" >> "$config_file"
fi
config_get tls_min_version "global" tls_min_version ""
if [ -n "$tls_min_version" ]; then
echo "tls_min_version: GETDNS_TLS${tls_min_version/\./_}" >> "$config_file"
fi
config_get tls_max_version "global" tls_max_version ""
if [ -n "$tls_max_version" ]; then
echo "tls_max_version: GETDNS_TLS${tls_max_version/\./_}" >> "$config_file"
fi
handle_listen_address_value()
{
local value="$1"
@ -124,20 +148,46 @@ generate_config()
local tls_auth_name
local tls_port
local tls_pubkey_pinset_section=0
local tls_cipher_list
local tls_ciphersuites
local tls_min_version
local tls_max_version
if [ "$upstream_recursive_servers_section" = 0 ]; then
echo "upstream_recursive_servers:" >> "$config_file"
upstream_recursive_servers_section=1
fi
config_get address "$config" address
config_get tls_auth_name "$config" tls_auth_name
config_get tls_auth_port "$config" tls_port ""
echo " - address_data: $address" >> "$config_file"
config_get tls_auth_name "$config" tls_auth_name
echo " tls_auth_name: \"$tls_auth_name\"" >> "$config_file"
config_get tls_auth_port "$config" tls_port ""
if [ -n "$tls_port" ]; then
echo " tls_port: $tls_port" >> "$config_file"
fi
config_get tls_cipher_list "$config" tls_cipher_list ""
if [ -n "$tls_cipher_list" ]; then
echo " tls_cipher_list: \"$tls_cipher_list\"" >> "$config_file"
fi
config_get tls_ciphersuites "$config" tls_ciphersuites ""
if [ -n "$tls_ciphersuites" ]; then
echo " tls_ciphersuites: \"$tls_ciphersuites\"" >> "$config_file"
fi
config_get tls_min_version "$config" tls_min_version ""
if [ -n "$tls_min_version" ]; then
echo " tls_min_version: GETDNS_TLS${tls_min_version/\./_}" >> "$config_file"
fi
config_get tls_max_version "$config" tls_max_version ""
if [ -n "$tls_max_version" ]; then
echo " tls_max_version: GETDNS_TLS${tls_max_version/\./_}" >> "$config_file"
fi
handle_resolver_spki()
{
local val="$1"
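Review bot: The resolver `tls_port` option still never reaches the generated file: the line kept on the new side after the reorder, `config_get tls_auth_port "$config" tls_port ""`, stores the value in `tls_auth_port`, while the test that follows reads `$tls_port`, which is only ever the empty local declared above, so every upstream is written without a `tls_port:` entry; it should read `config_get tls_port "$config" tls_port ""`. The four new version emitters (global and per-resolver) build the getdns constant with `${tls_min_version/\./_}`, a bash pattern substitution that is not POSIX; if this script is run by an ash built without bash compatibility that expansion fails, and any value not of the form `major.minor` is passed through as an unrecognised `GETDNS_TLS…` name, so a small `case` check on the accepted versions, with a warning to stderr for anything else, would fail loudly at config generation rather than leaving stubby with an invalid file. The cipher strings are also interpolated inside the YAML double quotes unescaped, so a `"` in the UCI value corrupts the output; with UCI being operator-controlled this is a robustness rather than an injection concern. generate_config starts outside the hunk.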