Disable unused 'tls' clause options: 'ca-file' and 'hostname'

This commit disables the unused 'tls' clause options. For these some
backing code exists, but their values are not really used anywhere,
nor there are sufficient syntax tests for them.

These options are only disabled temporarily, until TLS certificate
verification gets implemented.

bin/named/named.conf.rst

@@ -561,11 +561,9 @@ TLS
 ::
 
   tls string {
-  	ca-file quoted_string;
   	cert-file quoted_string;
   	ciphers string;
   	dhparam-file quoted_string;
-  	hostname quoted_string;
   	key-file quoted_string;
   	prefer-server-ciphers boolean;
   	protocols { string; ... };

bin/named/transportconf.c

@@ -71,10 +71,16 @@ add_doh_transports(const cfg_obj_t *transportlist, dns_transport_list_t *list) {
 				       dns_transport_set_keyfile);
 		parse_transport_option(doh, transport, "cert-file",
 				       dns_transport_set_certfile);
+#if 0
+		/*
+		 * The following two options need to remain unavailable until
+		 * TLS certificate verification gets implemented.
+		 */
 		parse_transport_option(doh, transport, "ca-file",
 				       dns_transport_set_cafile);
 		parse_transport_option(doh, transport, "hostname",
 				       dns_transport_set_hostname);
+#endif
 	}
 
 	return (ISC_R_SUCCESS);
@@ -115,10 +121,16 @@ add_tls_transports(const cfg_obj_t *transportlist, dns_transport_list_t *list) {
 				       dns_transport_set_keyfile);
 		parse_transport_option(tls, transport, "cert-file",
 				       dns_transport_set_certfile);
+#if 0
+		/*
+		 * The following two options need to remain unavailable until
+		 * TLS certificate verification gets implemented.
+		 */
 		parse_transport_option(tls, transport, "ca-file",
 				       dns_transport_set_cafile);
 		parse_transport_option(tls, transport, "hostname",
 				       dns_transport_set_hostname);
+#endif
 	}
 
 	return (ISC_R_SUCCESS);

bin/tests/system/checkconf/good-dot-doh-tls-nokeycert.conf

@@ -12,5 +12,4 @@
 # In some cases a "tls" statement may omit key-file and cert-file.
 tls local-tls {
     protocols {TLSv1.2;};
-    hostname "fqdn.example.com";
 };

doc/arm/reference.rst

@@ -293,7 +293,7 @@ The following statements are supported:
         Declares communication channels to get access to ``named`` statistics.
 
     ``tls``
-        Specifies configuration information for a TLS connection, including a ``key-file``, ``cert-file``, ``ca-file``, ``dhparam-file``, ``hostname``, ``ciphers``, ``protocols``, ``prefer-server-ciphers``, and ``session-tickets``.
+        Specifies configuration information for a TLS connection, including a ``key-file``, ``cert-file``, ``dhparam-file``, ``ciphers``, ``protocols``, ``prefer-server-ciphers``, and ``session-tickets``.
 
     ``http``
         Specifies configuration information for an HTTP connection, including ``endponts``, ``listener-clients`` and ``streams-per-connection``.
@@ -4756,9 +4756,6 @@ The following options can be specified in a ``tls`` statement:
     Path to a file containing the TLS certificate to be used for
     the connection.
 
-  ``ca-file``
-    Path to a file containing trusted TLS certificates.
-
   ``dhparam-file``
     Path to a file containing Diffie-Hellman parameters,
     which is needed to enable the cipher suites depending on the
@@ -4766,9 +4763,6 @@ The following options can be specified in a ``tls`` statement:
     specified is essential for enabling perfect forward secrecy capable
     ciphers in TLSv1.2.
 
-  ``hostname``
-    The hostname associated with the certificate.
-
   ``protocols``
     Allowed versions of the TLS protocol. TLS version 1.2 and higher are
     supported, depending on the cryptographic library in use. Multiple

doc/man/named.conf.5in

@@ -652,11 +652,9 @@ statistics\-channels {
 .nf
 .ft C
 tls string {
-      ca\-file quoted_string;
       cert\-file quoted_string;
       ciphers string;
       dhparam\-file quoted_string;
-      hostname quoted_string;
       key\-file quoted_string;
       prefer\-server\-ciphers boolean;
       protocols { string; ... };

doc/misc/options

@@ -457,11 +457,9 @@ statistics-channels {
 }; // may occur multiple times
 
 tls <string> {
-        ca-file <quoted_string>;
         cert-file <quoted_string>;
         ciphers <string>;
         dhparam-file <quoted_string>;
-        hostname <quoted_string>;
         key-file <quoted_string>;
         prefer-server-ciphers <boolean>;
         protocols { <string>; ... };

doc/misc/options.active

@@ -454,11 +454,9 @@ statistics-channels {
 }; // may occur multiple times
 
 tls <string> {
-        ca-file <quoted_string>;
         cert-file <quoted_string>;
         ciphers <string>;
         dhparam-file <quoted_string>;
-        hostname <quoted_string>;
         key-file <quoted_string>;
         prefer-server-ciphers <boolean>;
         protocols { <string>; ... };

doc/misc/tls.grammar.rst

@@ -1,11 +1,9 @@
 ::
 
   tls <string> {
-  	ca-file <quoted_string>;
   	cert-file <quoted_string>;
   	ciphers <string>;
   	dhparam-file <quoted_string>;
-  	hostname <quoted_string>;
   	key-file <quoted_string>;
   	prefer-server-ciphers <boolean>;
   	protocols { <string>; ... };

lib/isccfg/namedconf.c

@@ -3886,8 +3886,14 @@ static cfg_type_t cfg_type_tlsprotos = { "tls_protocols",
 static cfg_clausedef_t tls_clauses[] = {
 	{ "key-file", &cfg_type_qstring, 0 },
 	{ "cert-file", &cfg_type_qstring, 0 },
+#if 0
+	/*
+	 * The following two options need to remain unavailable until TLS
+	 * certificate verification gets implemented.
+	 */
 	{ "ca-file", &cfg_type_qstring, 0 },
 	{ "hostname", &cfg_type_qstring, 0 },
+#endif
 	{ "dhparam-file", &cfg_type_qstring, 0 },
 	{ "protocols", &cfg_type_tlsprotos, 0 },
 	{ "ciphers", &cfg_type_astring, 0 },