- Fixes for the patch, and man page entry.

git-svn-id: file:///svn/unbound/trunk@5055 be551aaa-1e26-0410-a405-d3ace91eadb9

daemon/unbound.c

@@ -433,13 +433,13 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
 			fatal_exit("could not set up listen SSL_CTX");
 		if(cfg->tls_ciphers && cfg->tls_ciphers[0]) {
 			if (!SSL_CTX_set_cipher_list(daemon->listen_sslctx, cfg->tls_ciphers)) {
-				fatal_exit("faild to set tls-cipher %s",cfg->tls_ciphers);
+				fatal_exit("failed to set tls-cipher %s", cfg->tls_ciphers);
 			}
 		}
 #if OPENSSL_VERSION_NUMBER >= 0x1010101
 		if(cfg->tls_ciphersuites && cfg->tls_ciphersuites[0]) {
 			if (!SSL_CTX_set_ciphersuites(daemon->listen_sslctx, cfg->tls_ciphersuites)) {
-				fatal_exit("faild to set tls-ciphersuites %s",cfg->tls_ciphersuites);
+				fatal_exit("failed to set tls-ciphersuites %s", cfg->tls_ciphersuites);
 			}
 		}
 #endif

doc/Changelog

@@ -1,6 +1,7 @@
 23 January 2018: Wouter
 	- Patch from Manabu Sonoda with tls-ciphers and tls-ciphersuites
 	  options for unbound.conf.
+	- Fixes for the patch, and man page entry.
 
 22 January 2018: Wouter
 	- Fix space calculation for tcp req buffer size.

doc/unbound.conf.5.in

@@ -504,6 +504,14 @@ List portnumbers as tls\-additional\-port, and when interfaces are defined,
 eg. with the @port suffix, as this port number, they provide dns over TLS
 service.  Can list multiple, each on a new statement.
 .TP
+.B tls\-ciphers: \fI<string with cipher list>
+Set the list of ciphers to allow when serving TLS.  Use "" for defaults,
+and that is the default.
+.TP
+.B tls\-ciphersuites: \fI<string with ciphersuites list>
+Set the list of ciphersuites to allow when serving TLS.  This is for newer
+TLS 1.3 connections.  Use "" for defaults, and that is the default.
+.TP
 .B use\-systemd: \fI<yes or no>
 Enable or disable systemd socket activation.
 Default is no.

util/config_file.c

@@ -487,8 +487,8 @@ int config_set_option(struct config_file* cfg, const char* opt,
 	else S_STRLIST("additional-tls-port:", tls_additional_port)
 	else S_STRLIST("tls-additional-ports:", tls_additional_port)
 	else S_STRLIST("tls-additional-port:", tls_additional_port)
-	else S_STR("tls_ciphers:", tls_ciphers)
-	else S_STR("tls_ciphersuites:", tls_ciphersuites)
+	else S_STR("tls-ciphers:", tls_ciphers)
+	else S_STR("tls-ciphersuites:", tls_ciphersuites)
 	else S_YNO("interface-automatic:", if_automatic)
 	else S_YNO("use-systemd:", use_systemd)
 	else S_YNO("do-daemonize:", do_daemonize)
@@ -1362,6 +1362,8 @@ config_delete(struct config_file* cfg)
 	free(cfg->ssl_service_pem);
 	free(cfg->tls_cert_bundle);
 	config_delstrlist(cfg->tls_additional_port);
+	free(cfg->tls_ciphers);
+	free(cfg->tls_ciphersuites);
 	free(cfg->log_identity);
 	config_del_strarray(cfg->ifs, cfg->num_ifs);
 	config_del_strarray(cfg->out_ifs, cfg->num_out_ifs);

util/config_file.h

@@ -120,9 +120,9 @@ struct config_file {
 	int tls_win_cert;
 	/** additional tls ports */
 	struct config_strlist* tls_additional_port;
-	/** TLS chiper **/
+	/** TLS ciphers */
 	char* tls_ciphers;
-	/** TLS chipersuites (TLSv1.3) **/
+	/** TLS chipersuites (TLSv1.3) */
 	char* tls_ciphersuites;
 
 	/** outgoing port range number of ports (per thread) */