This option specifies additional command line arguments for
stubby daemon. By default, this is an empty string.
-
+
+#### `option tls_cipher_list`
+
+If set, this specifies the acceptable ciphers for DNS over TLS. With OpenSSL
+1.1.1 this list is for TLS1.2 and older only. Ciphers for TLS1.3 should be set
+with the `tls_ciphersuites` option. This option can also be given per upstream
+resolver. By default, this option is not set.
+
+#### `option tls_ciphersuites`
+
+If set, this specifies the acceptable cipher for DNS over TLS1.3. OpenSSL
+version 1.1.1 or greater is required for this option. This option can also be
+given per upstream resolver. By default, this option is not set.
+
+#### `option tls_min_version`
+
+If set, this specifies the minimum acceptable TLS version. Works with OpenSSL
+1.1.1 or greater only. This option can also be given per upstream resolver. By
+default, this option is not set.
+
+#### `option tls_max_version`
+
+If set, this specifies the maximum acceptable TLS version. Works with OpenSSL
+1.1.1 or greater only. This option can also be given per upstream resolver. By
+default, this option is not set.
+
+
### `resolver` section options
#### `option address`
This option specifies the TLS port for the upstream resolver. If not specified,
this defaults to 853.
+#### `option tls_cipher_list`
+
+If set, this specifies the acceptable ciphers for DNS over TLS. With OpenSSL
+1.1.1 this list is for TLS1.2 and older only. Ciphers for TLS1.3 should be set
+with the `tls_ciphersuites` option. By default, this option is not set. If set,
+this overrides the global value.
+
+#### `option tls_ciphersuites`
+
+If set, this specifies the acceptable cipher for DNS over TLS1.3. OpenSSL
+version 1.1.1 or greater is required for this option. By default, this option is
+not set. If set, this overrides the global value.
+
+#### `option tls_min_version`
+
+If set, this specifies the minimum acceptable TLS version. Works with OpenSSL
+1.1.1 or greater only. By default, this option is not set. If set, this
+overrides the global value.
+
+#### `option tls_max_version`
+
+If set, this specifies the maximum acceptable TLS version. Works with OpenSSL
+1.1.1 or greater only. By default, this options is not set. If set, this
+overrides the global value.
+
#### `list spki`
This list specifies the SPKI pinset which is verified against the keys in the
list listen_address '0::1@5453'
# option log_level '7'
# option command_line_arguments ''
+ # option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20'
+ # option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256'
+ # option tls_min_version '1.2'
+ # option tls_max_version '1.3'
# Upstream resolvers are specified using 'resolver' sections.
config resolver
option tls_auth_name 'cloudflare-dns.com'
# option tls_port 853
# list spki 'sha256/yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc='
+ # option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20'
+ # option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256'
+ # option tls_min_version '1.2'
+ # option tls_max_version '1.3'
config resolver
option address '2606:4700:4700::1001'
option tls_auth_name 'cloudflare-dns.com'
# option tls_port 853
# list spki 'sha256/yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc='
+ # option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20'
+ # option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256'
+ # option tls_min_version '1.2'
+ # option tls_max_version '1.3'
config resolver
option address '1.1.1.1'
option tls_auth_name 'cloudflare-dns.com'
# option tls_port 853
# list spki 'sha256/yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc='
+ # option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20'
+ # option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256'
+ # option tls_min_version '1.2'
+ # option tls_max_version '1.3'
config resolver
option address '1.0.0.1'
option tls_auth_name 'cloudflare-dns.com'
# option tls_port 853
# list spki 'sha256/yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc='
+ # option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20'
+ # option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256'
+ # option tls_min_version '1.2'
+ # option tls_max_version '1.3'
local upstream_recursive_servers_section=0
local command_line_arguments
local log_level
+ local tls_cipher_list
+ local tls_ciphersuites
+ local tls_min_version
+ local tls_max_version
# Generate configuration. See: https://github.com/getdnsapi/stubby/blob/develop/stubby.yml.example
echo "# Autogenerated configuration from uci data" > "$config_file"
config_get idle_timeout "global" idle_timeout "10000"
echo "idle_timeout: $idle_timeout" >> "$config_file"
+ config_get tls_cipher_list "global" tls_cipher_list ""
+ if [ -n "$tls_cipher_list" ]; then
+ echo "tls_cipher_list: \"$tls_cipher_list\"" >> "$config_file"
+ fi
+
+ config_get tls_ciphersuites "global" tls_ciphersuites ""
+ if [ -n "$tls_ciphersuites" ]; then
+ echo "tls_ciphersuites: \"$tls_ciphersuites\"" >> "$config_file"
+ fi
+
+ config_get tls_min_version "global" tls_min_version ""
+ if [ -n "$tls_min_version" ]; then
+ echo "tls_min_version: GETDNS_TLS${tls_min_version/\./_}" >> "$config_file"
+ fi
+
+ config_get tls_max_version "global" tls_max_version ""
+ if [ -n "$tls_max_version" ]; then
+ echo "tls_max_version: GETDNS_TLS${tls_max_version/\./_}" >> "$config_file"
+ fi
+
handle_listen_address_value()
{
local value="$1"
local tls_auth_name
local tls_port
local tls_pubkey_pinset_section=0
+ local tls_cipher_list
+ local tls_ciphersuites
+ local tls_min_version
+ local tls_max_version
if [ "$upstream_recursive_servers_section" = 0 ]; then
echo "upstream_recursive_servers:" >> "$config_file"
upstream_recursive_servers_section=1
fi
config_get address "$config" address
- config_get tls_auth_name "$config" tls_auth_name
- config_get tls_auth_port "$config" tls_port ""
echo " - address_data: $address" >> "$config_file"
+
+ config_get tls_auth_name "$config" tls_auth_name
echo " tls_auth_name: \"$tls_auth_name\"" >> "$config_file"
+
+ config_get tls_auth_port "$config" tls_port ""
if [ -n "$tls_port" ]; then
echo " tls_port: $tls_port" >> "$config_file"
fi
+ config_get tls_cipher_list "$config" tls_cipher_list ""
+ if [ -n "$tls_cipher_list" ]; then
+ echo " tls_cipher_list: \"$tls_cipher_list\"" >> "$config_file"
+ fi
+
+ config_get tls_ciphersuites "$config" tls_ciphersuites ""
+ if [ -n "$tls_ciphersuites" ]; then
+ echo " tls_ciphersuites: \"$tls_ciphersuites\"" >> "$config_file"
+ fi
+
+ config_get tls_min_version "$config" tls_min_version ""
+ if [ -n "$tls_min_version" ]; then
+ echo " tls_min_version: GETDNS_TLS${tls_min_version/\./_}" >> "$config_file"
+ fi
+
+ config_get tls_max_version "$config" tls_max_version ""
+ if [ -n "$tls_max_version" ]; then
+ echo " tls_max_version: GETDNS_TLS${tls_max_version/\./_}" >> "$config_file"
+ fi
+
handle_resolver_spki()
{
local val="$1"
git.99rst.org / openwrt-packages.git / commitdiff