ssl_port setting, so that the dnssec-trigger server can be on one host machine.
git-svn-id: file:///svn/unbound/trunk@2539 be551aaa-1e26-0410-a405-d3ace91eadb9
parent
a798dcb5bd
commit
8f5596f643
@ -1,3 +1,6 @@
|
|||||||
|
8 November 2011: Wouter
|
||||||
|
- can configure ssl service to one port number, and not on others.
|
||||||
|
|
||||||
1 November 2011: Wouter
|
1 November 2011: Wouter
|
||||||
- dns over ssl support as a client, ssl-upstream yes turns it on.
|
- dns over ssl support as a client, ssl-upstream yes turns it on.
|
||||||
It performs an SSL transaction for every DNS query (250 msec).
|
It performs an SSL transaction for every DNS query (250 msec).
|
||||||
|
@ -458,6 +458,7 @@ server:
|
|||||||
# default is "" (disabled). requires restart to take effect.
|
# default is "" (disabled). requires restart to take effect.
|
||||||
# ssl-service-key: "path/to/privatekeyfile.key"
|
# ssl-service-key: "path/to/privatekeyfile.key"
|
||||||
# ssl-service-pem: "path/to/publiccertfile.pem"
|
# ssl-service-pem: "path/to/publiccertfile.pem"
|
||||||
|
# ssl-port: 443
|
||||||
|
|
||||||
# request upstream over SSL (with plain DNS inside the SSL stream).
|
# request upstream over SSL (with plain DNS inside the SSL stream).
|
||||||
# Default is no. Can be turned on and off with unbound-control.
|
# Default is no. Can be turned on and off with unbound-control.
|
||||||
|
@ -315,6 +315,10 @@ suffixes in the \fBinterface\fR config.
|
|||||||
The public key certificate pem file for the ssl service. Default is "",
|
The public key certificate pem file for the ssl service. Default is "",
|
||||||
turned off.
|
turned off.
|
||||||
.TP
|
.TP
|
||||||
|
.B ssl\-port: \fI<number>
|
||||||
|
The port number on which to provide TCP SSL service, default 443, only
|
||||||
|
interfaces configured with that port number as @number get the SSL service.
|
||||||
|
.TP
|
||||||
.B do\-daemonize: \fI<yes or no>
|
.B do\-daemonize: \fI<yes or no>
|
||||||
Enable or disable whether the unbound server forks into the background as
|
Enable or disable whether the unbound server forks into the background as
|
||||||
a daemon. Default is yes.
|
a daemon. Default is yes.
|
||||||
|
@ -632,12 +632,13 @@ set_recvpktinfo(int s, int family)
|
|||||||
* @param list: list of open ports, appended to, changed to point to list head.
|
* @param list: list of open ports, appended to, changed to point to list head.
|
||||||
* @param rcv: receive buffer size for UDP
|
* @param rcv: receive buffer size for UDP
|
||||||
* @param snd: send buffer size for UDP
|
* @param snd: send buffer size for UDP
|
||||||
|
* @param ssl_port: ssl service port number
|
||||||
* @return: returns false on error.
|
* @return: returns false on error.
|
||||||
*/
|
*/
|
||||||
static int
|
static int
|
||||||
ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
|
ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
|
||||||
struct addrinfo *hints, const char* port, struct listen_port** list,
|
struct addrinfo *hints, const char* port, struct listen_port** list,
|
||||||
size_t rcv, size_t snd)
|
size_t rcv, size_t snd, int ssl_port)
|
||||||
{
|
{
|
||||||
int s, noip6=0;
|
int s, noip6=0;
|
||||||
if(!do_udp && !do_tcp)
|
if(!do_udp && !do_tcp)
|
||||||
@ -682,6 +683,9 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
if(do_tcp) {
|
if(do_tcp) {
|
||||||
|
int is_ssl = ((strchr(ifname, '@') &&
|
||||||
|
atoi(strchr(ifname, '@')+1) == ssl_port) ||
|
||||||
|
(!strchr(ifname, '@') && atoi(port) == ssl_port));
|
||||||
if((s = make_sock_port(SOCK_STREAM, ifname, port, hints, 1,
|
if((s = make_sock_port(SOCK_STREAM, ifname, port, hints, 1,
|
||||||
&noip6, 0, 0)) == -1) {
|
&noip6, 0, 0)) == -1) {
|
||||||
if(noip6) {
|
if(noip6) {
|
||||||
@ -690,7 +694,10 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
|
|||||||
}
|
}
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
if(!port_insert(list, s, listen_type_tcp)) {
|
if(is_ssl)
|
||||||
|
verbose(VERB_ALGO, "setup TCP for SSL service");
|
||||||
|
if(!port_insert(list, s, is_ssl?listen_type_ssl:
|
||||||
|
listen_type_tcp)) {
|
||||||
#ifndef USE_WINSOCK
|
#ifndef USE_WINSOCK
|
||||||
close(s);
|
close(s);
|
||||||
#else
|
#else
|
||||||
@ -736,9 +743,6 @@ listen_create(struct comm_base* base, struct listen_port* ports,
|
|||||||
free(front);
|
free(front);
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
if(sslctx) {
|
|
||||||
verbose(VERB_ALGO, "setup for SSL-wrapped TCP service");
|
|
||||||
}
|
|
||||||
|
|
||||||
/* create comm points as needed */
|
/* create comm points as needed */
|
||||||
while(ports) {
|
while(ports) {
|
||||||
@ -746,7 +750,10 @@ listen_create(struct comm_base* base, struct listen_port* ports,
|
|||||||
if(ports->ftype == listen_type_udp)
|
if(ports->ftype == listen_type_udp)
|
||||||
cp = comm_point_create_udp(base, ports->fd,
|
cp = comm_point_create_udp(base, ports->fd,
|
||||||
front->udp_buff, cb, cb_arg);
|
front->udp_buff, cb, cb_arg);
|
||||||
else if(ports->ftype == listen_type_tcp) {
|
else if(ports->ftype == listen_type_tcp)
|
||||||
|
cp = comm_point_create_tcp(base, ports->fd,
|
||||||
|
tcp_accept_count, bufsize, cb, cb_arg);
|
||||||
|
else if(ports->ftype == listen_type_ssl) {
|
||||||
cp = comm_point_create_tcp(base, ports->fd,
|
cp = comm_point_create_tcp(base, ports->fd,
|
||||||
tcp_accept_count, bufsize, cb, cb_arg);
|
tcp_accept_count, bufsize, cb, cb_arg);
|
||||||
cp->ssl = sslctx;
|
cp->ssl = sslctx;
|
||||||
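Review bot: The new `listen_type_ssl` branch assigns `cp->ssl = sslctx` without checking that sslctx is non-NULL, while the commit removes the only `if(sslctx)` guard (visible in the deleted lines above), which shows the context can be absent; if no ssl-service-key/pem is configured, an interface selected by ssl-port alone would then come up as an unencrypted TCP listener on the SSL port with nothing logged. Because ports_create_if classifies a port as listen_type_ssl from the port number only (hunk at `@ -682`), that state is reachable from configuration alone. I would reject or at least log it at this point, e.g. `if(!sslctx) log_err("ssl-port configured but no ssl-service-key/pem, port served without SSL");` — whether to also take the existing cleanup-and-return-NULL path depends on code outside the hunk. listen_create's body starts and ends outside this hunk.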
@ -834,7 +841,8 @@ listening_ports_open(struct config_file* cfg)
|
|||||||
if(!ports_create_if(do_auto?"::0":"::1",
|
if(!ports_create_if(do_auto?"::0":"::1",
|
||||||
do_auto, cfg->do_udp, do_tcp,
|
do_auto, cfg->do_udp, do_tcp,
|
||||||
&hints, portbuf, &list,
|
&hints, portbuf, &list,
|
||||||
cfg->so_rcvbuf, cfg->so_sndbuf)) {
|
cfg->so_rcvbuf, cfg->so_sndbuf,
|
||||||
|
cfg->ssl_port)) {
|
||||||
listening_ports_free(list);
|
listening_ports_free(list);
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
@ -844,7 +852,8 @@ listening_ports_open(struct config_file* cfg)
|
|||||||
if(!ports_create_if(do_auto?"0.0.0.0":"127.0.0.1",
|
if(!ports_create_if(do_auto?"0.0.0.0":"127.0.0.1",
|
||||||
do_auto, cfg->do_udp, do_tcp,
|
do_auto, cfg->do_udp, do_tcp,
|
||||||
&hints, portbuf, &list,
|
&hints, portbuf, &list,
|
||||||
cfg->so_rcvbuf, cfg->so_sndbuf)) {
|
cfg->so_rcvbuf, cfg->so_sndbuf,
|
||||||
|
cfg->ssl_port)) {
|
||||||
listening_ports_free(list);
|
listening_ports_free(list);
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
@ -856,7 +865,8 @@ listening_ports_open(struct config_file* cfg)
|
|||||||
hints.ai_family = AF_INET6;
|
hints.ai_family = AF_INET6;
|
||||||
if(!ports_create_if(cfg->ifs[i], 0, cfg->do_udp,
|
if(!ports_create_if(cfg->ifs[i], 0, cfg->do_udp,
|
||||||
do_tcp, &hints, portbuf, &list,
|
do_tcp, &hints, portbuf, &list,
|
||||||
cfg->so_rcvbuf, cfg->so_sndbuf)) {
|
cfg->so_rcvbuf, cfg->so_sndbuf,
|
||||||
|
cfg->ssl_port)) {
|
||||||
listening_ports_free(list);
|
listening_ports_free(list);
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
@ -866,7 +876,8 @@ listening_ports_open(struct config_file* cfg)
|
|||||||
hints.ai_family = AF_INET;
|
hints.ai_family = AF_INET;
|
||||||
if(!ports_create_if(cfg->ifs[i], 0, cfg->do_udp,
|
if(!ports_create_if(cfg->ifs[i], 0, cfg->do_udp,
|
||||||
do_tcp, &hints, portbuf, &list,
|
do_tcp, &hints, portbuf, &list,
|
||||||
cfg->so_rcvbuf, cfg->so_sndbuf)) {
|
cfg->so_rcvbuf, cfg->so_sndbuf,
|
||||||
|
cfg->ssl_port)) {
|
||||||
listening_ports_free(list);
|
listening_ports_free(list);
|
||||||
return NULL;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
@ -82,7 +82,9 @@ enum listen_type {
|
|||||||
/** tcp type */
|
/** tcp type */
|
||||||
listen_type_tcp,
|
listen_type_tcp,
|
||||||
/** udp ipv6 (v4mapped) for use with ancillary data */
|
/** udp ipv6 (v4mapped) for use with ancillary data */
|
||||||
listen_type_udpancil
|
listen_type_udpancil,
|
||||||
|
/** ssl over tcp type */
|
||||||
|
listen_type_ssl
|
||||||
};
|
};
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
@ -90,6 +90,7 @@ config_create(void)
|
|||||||
cfg->tcp_upstream = 0;
|
cfg->tcp_upstream = 0;
|
||||||
cfg->ssl_service_key = NULL;
|
cfg->ssl_service_key = NULL;
|
||||||
cfg->ssl_service_pem = NULL;
|
cfg->ssl_service_pem = NULL;
|
||||||
|
cfg->ssl_port = 443;
|
||||||
cfg->ssl_upstream = 0;
|
cfg->ssl_upstream = 0;
|
||||||
cfg->use_syslog = 1;
|
cfg->use_syslog = 1;
|
||||||
cfg->log_time_ascii = 0;
|
cfg->log_time_ascii = 0;
|
||||||
@ -332,6 +333,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
|
|||||||
else S_YNO("ssl-upstream:", ssl_upstream)
|
else S_YNO("ssl-upstream:", ssl_upstream)
|
||||||
else S_STR("ssl-service-key:", ssl_service_key)
|
else S_STR("ssl-service-key:", ssl_service_key)
|
||||||
else S_STR("ssl-service-pem:", ssl_service_pem)
|
else S_STR("ssl-service-pem:", ssl_service_pem)
|
||||||
|
else S_NUMBER_NONZERO("ssl-port:", ssl_port)
|
||||||
else S_YNO("interface-automatic:", if_automatic)
|
else S_YNO("interface-automatic:", if_automatic)
|
||||||
else S_YNO("do-daemonize:", do_daemonize)
|
else S_YNO("do-daemonize:", do_daemonize)
|
||||||
else S_NUMBER_NONZERO("port:", port)
|
else S_NUMBER_NONZERO("port:", port)
|
||||||
@ -583,6 +585,7 @@ config_get_option(struct config_file* cfg, const char* opt,
|
|||||||
else O_YNO(opt, "ssl-upstream", ssl_upstream)
|
else O_YNO(opt, "ssl-upstream", ssl_upstream)
|
||||||
else O_STR(opt, "ssl-service-key", ssl_service_key)
|
else O_STR(opt, "ssl-service-key", ssl_service_key)
|
||||||
else O_STR(opt, "ssl-service-pem", ssl_service_pem)
|
else O_STR(opt, "ssl-service-pem", ssl_service_pem)
|
||||||
|
else O_DEC(opt, "ssl-port", ssl_port)
|
||||||
else O_YNO(opt, "do-daemonize", do_daemonize)
|
else O_YNO(opt, "do-daemonize", do_daemonize)
|
||||||
else O_STR(opt, "chroot", chrootdir)
|
else O_STR(opt, "chroot", chrootdir)
|
||||||
else O_STR(opt, "username", username)
|
else O_STR(opt, "username", username)
|
||||||
|
@ -83,6 +83,8 @@ struct config_file {
|
|||||||
char* ssl_service_key;
|
char* ssl_service_key;
|
||||||
/** public key file for dnstcp-ssl service */
|
/** public key file for dnstcp-ssl service */
|
||||||
char* ssl_service_pem;
|
char* ssl_service_pem;
|
||||||
|
/** port on which to provide ssl service */
|
||||||
|
int ssl_port;
|
||||||
/** if outgoing tcp connections use SSL */
|
/** if outgoing tcp connections use SSL */
|
||||||
int ssl_upstream;
|
int ssl_upstream;
|
||||||
|
|
||||||
|
@ -140,6 +140,7 @@ tcp-upstream{COLON} { YDVAR(1, VAR_TCP_UPSTREAM) }
|
|||||||
ssl-upstream{COLON} { YDVAR(1, VAR_SSL_UPSTREAM) }
|
ssl-upstream{COLON} { YDVAR(1, VAR_SSL_UPSTREAM) }
|
||||||
ssl-service-key{COLON} { YDVAR(1, VAR_SSL_SERVICE_KEY) }
|
ssl-service-key{COLON} { YDVAR(1, VAR_SSL_SERVICE_KEY) }
|
||||||
ssl-service-pem{COLON} { YDVAR(1, VAR_SSL_SERVICE_PEM) }
|
ssl-service-pem{COLON} { YDVAR(1, VAR_SSL_SERVICE_PEM) }
|
||||||
|
ssl-port{COLON} { YDVAR(1, VAR_SSL_PORT) }
|
||||||
do-daemonize{COLON} { YDVAR(1, VAR_DO_DAEMONIZE) }
|
do-daemonize{COLON} { YDVAR(1, VAR_DO_DAEMONIZE) }
|
||||||
interface{COLON} { YDVAR(1, VAR_INTERFACE) }
|
interface{COLON} { YDVAR(1, VAR_INTERFACE) }
|
||||||
outgoing-interface{COLON} { YDVAR(1, VAR_OUTGOING_INTERFACE) }
|
outgoing-interface{COLON} { YDVAR(1, VAR_OUTGOING_INTERFACE) }
|
||||||
|
@ -159,7 +159,8 @@
|
|||||||
VAR_TCP_UPSTREAM = 376,
|
VAR_TCP_UPSTREAM = 376,
|
||||||
VAR_SSL_UPSTREAM = 377,
|
VAR_SSL_UPSTREAM = 377,
|
||||||
VAR_SSL_SERVICE_KEY = 378,
|
VAR_SSL_SERVICE_KEY = 378,
|
||||||
VAR_SSL_SERVICE_PEM = 379
|
VAR_SSL_SERVICE_PEM = 379,
|
||||||
|
VAR_SSL_PORT = 380
|
||||||
};
|
};
|
||||||
#endif
|
#endif
|
||||||
/* Tokens. */
|
/* Tokens. */
|
||||||
@ -285,6 +286,7 @@
|
|||||||
#define VAR_SSL_UPSTREAM 377
|
#define VAR_SSL_UPSTREAM 377
|
||||||
#define VAR_SSL_SERVICE_KEY 378
|
#define VAR_SSL_SERVICE_KEY 378
|
||||||
#define VAR_SSL_SERVICE_PEM 379
|
#define VAR_SSL_SERVICE_PEM 379
|
||||||
|
#define VAR_SSL_PORT 380
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
@ -301,7 +303,7 @@ typedef union YYSTYPE
|
|||||||
|
|
||||||
|
|
||||||
/* Line 1685 of yacc.c */
|
/* Line 1685 of yacc.c */
|
||||||
#line 305 "util/configparser.h"
|
#line 307 "util/configparser.h"
|
||||||
} YYSTYPE;
|
} YYSTYPE;
|
||||||
# define YYSTYPE_IS_TRIVIAL 1
|
# define YYSTYPE_IS_TRIVIAL 1
|
||||||
# define yystype YYSTYPE /* obsolescent; will be withdrawn */
|
# define yystype YYSTYPE /* obsolescent; will be withdrawn */
|
||||||
|
@ -103,7 +103,7 @@ extern struct config_parser_state* cfg_parser;
|
|||||||
%token VAR_DEL_HOLDDOWN VAR_SO_RCVBUF VAR_EDNS_BUFFER_SIZE VAR_PREFETCH
|
%token VAR_DEL_HOLDDOWN VAR_SO_RCVBUF VAR_EDNS_BUFFER_SIZE VAR_PREFETCH
|
||||||
%token VAR_PREFETCH_KEY VAR_SO_SNDBUF VAR_HARDEN_BELOW_NXDOMAIN
|
%token VAR_PREFETCH_KEY VAR_SO_SNDBUF VAR_HARDEN_BELOW_NXDOMAIN
|
||||||
%token VAR_IGNORE_CD_FLAG VAR_LOG_QUERIES VAR_TCP_UPSTREAM VAR_SSL_UPSTREAM
|
%token VAR_IGNORE_CD_FLAG VAR_LOG_QUERIES VAR_TCP_UPSTREAM VAR_SSL_UPSTREAM
|
||||||
%token VAR_SSL_SERVICE_KEY VAR_SSL_SERVICE_PEM
|
%token VAR_SSL_SERVICE_KEY VAR_SSL_SERVICE_PEM VAR_SSL_PORT
|
||||||
|
|
||||||
%%
|
%%
|
||||||
toplevelvars: /* empty */ | toplevelvars toplevelvar ;
|
toplevelvars: /* empty */ | toplevelvars toplevelvar ;
|
||||||
@ -159,7 +159,7 @@ content_server: server_num_threads | server_verbosity | server_port |
|
|||||||
server_edns_buffer_size | server_prefetch | server_prefetch_key |
|
server_edns_buffer_size | server_prefetch | server_prefetch_key |
|
||||||
server_so_sndbuf | server_harden_below_nxdomain | server_ignore_cd_flag |
|
server_so_sndbuf | server_harden_below_nxdomain | server_ignore_cd_flag |
|
||||||
server_log_queries | server_tcp_upstream | server_ssl_upstream |
|
server_log_queries | server_tcp_upstream | server_ssl_upstream |
|
||||||
server_ssl_service_key | server_ssl_service_pem
|
server_ssl_service_key | server_ssl_service_pem | server_ssl_port
|
||||||
;
|
;
|
||||||
stubstart: VAR_STUB_ZONE
|
stubstart: VAR_STUB_ZONE
|
||||||
{
|
{
|
||||||
@ -399,6 +399,15 @@ server_ssl_service_pem: VAR_SSL_SERVICE_PEM STRING_ARG
|
|||||||
cfg_parser->cfg->ssl_service_pem = $2;
|
cfg_parser->cfg->ssl_service_pem = $2;
|
||||||
}
|
}
|
||||||
;
|
;
|
||||||
|
server_ssl_port: VAR_SSL_PORT STRING_ARG
|
||||||
|
{
|
||||||
|
OUTYY(("P(server_ssl_port:%s)\n", $2));
|
||||||
|
if(atoi($2) == 0)
|
||||||
|
yyerror("port number expected");
|
||||||
|
else cfg_parser->cfg->ssl_port = atoi($2);
|
||||||
|
free($2);
|
||||||
|
}
|
||||||
|
;
|
||||||
server_do_daemonize: VAR_DO_DAEMONIZE STRING_ARG
|
server_do_daemonize: VAR_DO_DAEMONIZE STRING_ARG
|
||||||
{
|
{
|
||||||
OUTYY(("P(server_do_daemonize:%s)\n", $2));
|
OUTYY(("P(server_do_daemonize:%s)\n", $2));
|
||||||
|
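Review bot: `server_ssl_port` accepts any string whose `atoi` is non-zero, so a negative value, one above 65535, or one with trailing text is stored in `cfg->ssl_port` without complaint; an out-of-range value then simply never matches an interface's @number in ports_create_if, silently leaving no SSL listener, and `atoi($2)` is also evaluated twice. If the other numeric rules in this grammar use the same atoi pattern this is at least consistent, but a range check here catches the misconfiguration at parse time: `if(atoi($2) < 1 || atoi($2) > 65535) yyerror("port number expected");`. The same applies to the `S_NUMBER_NONZERO("ssl-port:", ssl_port)` line added to config_set_option in util/config_file.c, which is the unbound-control path for the same setting. The rule is complete within this hunk.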