diff --git a/daemon/unbound.c b/daemon/unbound.c
index d5a591e0b..193bb1231 100644
--- a/daemon/unbound.c
+++ b/daemon/unbound.c
@@ -433,13 +433,13 @@ perform_setup(struct daemon* daemon, struct config_file* cfg, int debug_mode,
 fatal_exit("could not set up listen SSL_CTX");
 if(cfg->tls_ciphers && cfg->tls_ciphers[0]) {
 if (!SSL_CTX_set_cipher_list(daemon->listen_sslctx, cfg->tls_ciphers)) {
- fatal_exit("faild to set tls-cipher %s",cfg->tls_ciphers);
+ fatal_exit("failed to set tls-cipher %s", cfg->tls_ciphers);
 }
 }
 #if OPENSSL_VERSION_NUMBER >= 0x1010101
 if(cfg->tls_ciphersuites && cfg->tls_ciphersuites[0]) {
 if (!SSL_CTX_set_ciphersuites(daemon->listen_sslctx, cfg->tls_ciphersuites)) {
- fatal_exit("faild to set tls-ciphersuites %s",cfg->tls_ciphersuites);
+ fatal_exit("failed to set tls-ciphersuites %s", cfg->tls_ciphersuites);
 }
 }
 #endif
diff --git a/doc/Changelog b/doc/Changelog
index d07861035..7f2b6dc95 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,6 +1,7 @@
 23 January 2018: Wouter
 - Patch from Manabu Sonoda with tls-ciphers and tls-ciphersuites options
 for unbound.conf.
+ - Fixes for the patch, and man page entry.
 
 22 January 2018: Wouter
 - Fix space calculation for tcp req buffer size.
diff --git a/doc/unbound.conf.5.in b/doc/unbound.conf.5.in
index 1ff4c2de2..d23292725 100644
--- a/doc/unbound.conf.5.in
+++ b/doc/unbound.conf.5.in
@@ -504,6 +504,14 @@ List portnumbers as tls\-additional\-port, and when interfaces are defined, eg. with the @port suffix, as this port number, they provide dns over TLS service. Can list multiple, each on a new statement.
 .TP
+.B tls\-ciphers: \fI
+Set the list of ciphers to allow when serving TLS. Use "" for defaults,
+and that is the default.
+.TP
+.B tls\-ciphersuites: \fI
+Set the list of ciphersuites to allow when serving TLS. This is for newer
+TLS 1.3 connections. Use "" for defaults, and that is the default.
+.TP
 .B use\-systemd: \fI
 Enable or disable systemd socket activation.
 Default is no.
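Review bot: The `#if OPENSSL_VERSION_NUMBER >= 0x1010101` guard around the SSL_CTX_set_ciphersuites() call is missing a trailing digit: OpenSSL encodes 1.1.1 as 0x10101000L, and 0x1010101 is numerically below even the 1.0.0 value (0x1000000fL), so the block is compiled on 1.0.2 and 1.1.0 where that function does not exist. Change it to `#if OPENSSL_VERSION_NUMBER >= 0x10101000L`, or better a configure-time `#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES`, since LibreSSL reports a 2.x version number without the function. When the guard does exclude the block, a configured tls-ciphersuites restriction is silently ignored; an `#else` branch calling `fatal_exit("tls-ciphersuites set, but this OpenSSL lacks SSL_CTX_set_ciphersuites")` when the option is non-empty would match how a rejected cipher list is already treated. The corrected message could also name the option as `tls-ciphers` so it matches the unbound.conf keyword. perform_setup continues outside the hunk.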
diff --git a/util/config_file.c b/util/config_file.c
index e49bc8f00..30d537273 100644
--- a/util/config_file.c
+++ b/util/config_file.c
@@ -487,8 +487,8 @@ int config_set_option(struct config_file* cfg, const char* opt,
 else S_STRLIST("additional-tls-port:", tls_additional_port)
 else S_STRLIST("tls-additional-ports:", tls_additional_port)
 else S_STRLIST("tls-additional-port:", tls_additional_port)
- else S_STR("tls_ciphers:", tls_ciphers)
- else S_STR("tls_ciphersuites:", tls_ciphersuites)
+ else S_STR("tls-ciphers:", tls_ciphers)
+ else S_STR("tls-ciphersuites:", tls_ciphersuites)
 else S_YNO("interface-automatic:", if_automatic)
 else S_YNO("use-systemd:", use_systemd)
 else S_YNO("do-daemonize:", do_daemonize)
@@ -1362,6 +1362,8 @@ config_delete(struct config_file* cfg)
 free(cfg->ssl_service_pem);
 free(cfg->tls_cert_bundle);
 config_delstrlist(cfg->tls_additional_port);
+ free(cfg->tls_ciphers);
+ free(cfg->tls_ciphersuites);
 free(cfg->log_identity);
 config_del_strarray(cfg->ifs, cfg->num_ifs);
 config_del_strarray(cfg->out_ifs, cfg->num_out_ifs);
diff --git a/util/config_file.h b/util/config_file.h
index 3a8efce8d..f61fff269 100644
--- a/util/config_file.h
+++ b/util/config_file.h
@@ -120,9 +120,9 @@ struct config_file {
 int tls_win_cert;
 /** additional tls ports */
 struct config_strlist* tls_additional_port;
- /** TLS chiper **/
+ /** TLS ciphers */
 char* tls_ciphers;
- /** TLS chipersuites (TLSv1.3) **/
+ /** TLS chipersuites (TLSv1.3) */
 char* tls_ciphersuites;
 /** outgoing port range number of ports (per thread) */
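Review bot: The two new free() calls in config_delete are only safe if cfg->tls_ciphers and cfg->tls_ciphersuites start out NULL, which depends on config_create() (outside this hunk); if that function calloc()s the struct this is already satisfied, otherwise it needs `cfg->tls_ciphers = NULL; cfg->tls_ciphersuites = NULL;` so a config that never set the options does not hand an indeterminate pointer to free(). It is also worth confirming that the S_STR macro used for these options in the earlier hunk releases a previous value on a repeated set (not visible here), since otherwise setting the option twice via unbound-control leaks the first string. config_delete's body continues outside the hunk.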
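Review bot: The rewritten comment on the second field still carries the typo the first one fixes: `/** TLS chipersuites (TLSv1.3) */` should read `/** TLS ciphersuites (TLSv1.3) */`. Both comments would serve an operator better if they named the string format and the empty case that perform_setup() relies on (it skips the SSL_CTX call when the pointer is NULL or the string is empty): `/** OpenSSL cipher-list string for pre-1.3 TLS listeners; NULL or "" keeps the library default */` and `/** OpenSSL ciphersuites string for TLSv1.3 listeners; NULL or "" keeps the library default */`. The enclosing struct config_file continues outside the hunk.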