bind9/lib/isc
Artem Boldariev c759f25c7b Add "session-tickets" options to the "tls" clause
This commit adds the ability to enable or disable stateless TLS
session resumption tickets (see RFC5077). Having this ability is
twofold.

Firstly, these tickets are encrypted by the server, and the algorithm
might be weaker than the algorithm negotiated during the TLS session
establishment (it is in general the case for TLSv1.2, but the generic
principle applies to TLSv1.3 as well, despite it having better ciphers
for session tickets). Thus, they might compromise Perfect Forward
Secrecy.

Secondly, disabling it might be necessary if the same TLS key/cert
pair is supposed to be used by multiple servers to achieve, e.g., load
balancing because the session ticket by default gets generated in
runtime, while to achieve successful session resumption ability, in
this case, would have required using a shared key.

The proper alternative to having the ability to disable stateless TLS
session resumption tickets is to implement a proper session tickets
key rollover mechanism so that key rotation might be performed
often (e.g. once an hour) to not compromise forward secrecy while
retaining the associated performance benefits. That is much more work,
though. On the other hand, having the ability to disable session
tickets allows having a deployable configuration right now in the
cases when either forward secrecy is wanted or sharing the TLS
key/cert pair between multiple servers is needed (or both).
2021-10-01 15:50:43 +03:00
include Add "session-tickets" options to the "tls" clause 2021-10-01 15:50:43 +03:00
netmgr Address use before NULL check warning of ievent->sock 2021-09-28 11:57:47 +10:00
tests Return non-NULL pointer on zero-sized allocations and reallocations 2021-09-23 22:17:15 +02:00
.gitignore [master] update gitignore files; use rev-parse to get srcid 2014-06-17 13:49:30 -07:00
aes.c The isc/platform.h header has been completely removed 2021-07-06 05:33:48 +00:00
app.c Remove support for external applications to register libisc 2021-08-30 08:47:39 +02:00
assertions.c The isc/platform.h header has been completely removed 2021-07-06 05:33:48 +00:00
astack.c update all copyright headers to eliminate the typo 2020-09-14 16:20:40 -07:00
backtrace.c The isc/platform.h header has been completely removed 2021-07-06 05:33:48 +00:00
base32.c update all copyright headers to eliminate the typo 2020-09-14 16:20:40 -07:00
base64.c update all copyright headers to eliminate the typo 2020-09-14 16:20:40 -07:00
bind9.c Remove support for external applications to register libisc 2021-08-30 08:47:39 +02:00
buffer.c Use isc_mem_reget() when growing buffer dynamically 2021-09-23 22:17:15 +02:00
commandline.c Remove LIB<*>_EXTERNAL_DATA defines 2021-07-06 05:33:48 +00:00
condition.c Completely remove BIND 9 Windows support 2021-06-09 14:35:14 +02:00
counter.c update all copyright headers to eliminate the typo 2020-09-14 16:20:40 -07:00
crc64.c update all copyright headers to eliminate the typo 2020-09-14 16:20:40 -07:00
dir.c Completely remove BIND 9 Windows support 2021-06-09 14:35:14 +02:00
entropy.c update all copyright headers to eliminate the typo 2020-09-14 16:20:40 -07:00
entropy_private.h update all copyright headers to eliminate the typo 2020-09-14 16:20:40 -07:00
errno.c Completely remove BIND 9 Windows support 2021-06-09 14:35:14 +02:00
errno2result.c The isc/platform.h header has been completely removed 2021-07-06 05:33:48 +00:00
errno2result.h Completely remove BIND 9 Windows support 2021-06-09 14:35:14 +02:00
error.c update all copyright headers to eliminate the typo 2020-09-14 16:20:40 -07:00
event.c update all copyright headers to eliminate the typo 2020-09-14 16:20:40 -07:00
file.c Remove the masterfile-format map option 2021-09-17 07:09:50 +02:00
fsaccess.c Completely remove BIND 9 Windows support 2021-06-09 14:35:14 +02:00
fsaccess_common.c update all copyright headers to eliminate the typo 2020-09-14 16:20:40 -07:00
fsaccess_common_p.h update all copyright headers to eliminate the typo 2020-09-14 16:20:40 -07:00
glob.c Completely remove BIND 9 Windows support 2021-06-09 14:35:14 +02:00
hash.c Completely remove BIND 9 Windows support 2021-06-09 14:35:14 +02:00
heap.c update all copyright headers to eliminate the typo 2020-09-14 16:20:40 -07:00
hex.c update all copyright headers to eliminate the typo 2020-09-14 16:20:40 -07:00
hmac.c The isc/platform.h header has been completely removed 2021-07-06 05:33:48 +00:00
hp.c Add new isc_managers API to simplify <*>mgr create/destroy 2021-05-07 10:19:05 -07:00
ht.c update all copyright headers to eliminate the typo 2020-09-14 16:20:40 -07:00
httpd.c Refactor the interface handling in the netmgr 2021-05-26 09:43:12 +02:00
interfaceiter.c Completely remove BIND 9 Windows support 2021-06-09 14:35:14 +02:00
iterated_hash.c update all copyright headers to eliminate the typo 2020-09-14 16:20:40 -07:00
jemalloc_shim.h Use assertions to check for failed allocations 2021-09-30 13:54:55 +02:00
lex.c Add support for parsing <tag>[=<value>] 2021-08-18 13:49:48 +10:00
lib.c Remove support for external applications to register libisc 2021-08-30 08:47:39 +02:00
log.c The isc/platform.h header has been completely removed 2021-07-06 05:33:48 +00:00
Makefile.am Remove native PKCS#11 support 2021-09-09 15:35:39 +02:00
managers.c Destroy netmgr before destroying taskmgr 2021-05-07 14:28:30 -07:00
md.c update all copyright headers to eliminate the typo 2020-09-14 16:20:40 -07:00
mem.c Use assertions to check for failed allocations 2021-09-30 13:54:55 +02:00
mem_p.h Use library constructor/destructor to initialize OpenSSL 2021-02-18 19:33:54 +01:00
meminfo.c Completely remove BIND 9 Windows support 2021-06-09 14:35:14 +02:00
mutex.c Completely remove BIND 9 Windows support 2021-06-09 14:35:14 +02:00
mutexblock.c update all copyright headers to eliminate the typo 2020-09-14 16:20:40 -07:00
net.c Completely remove BIND 9 Windows support 2021-06-09 14:35:14 +02:00
netaddr.c Completely remove BIND 9 Windows support 2021-06-09 14:35:14 +02:00
netmgr_p.h Destroy netmgr before destroying taskmgr 2021-05-07 14:28:30 -07:00
netscope.c update all copyright headers to eliminate the typo 2020-09-14 16:20:40 -07:00
nonce.c update all copyright headers to eliminate the typo 2020-09-14 16:20:40 -07:00
openssl_shim.c Refactor TLSDNS module to work with libuv/ssl directly 2021-01-25 09:19:22 +01:00
openssl_shim.h Refactor TLSDNS module to work with libuv/ssl directly 2021-01-25 09:19:22 +01:00
os.c Cache the isc_os_ncpu() result 2021-07-13 09:12:04 +02:00
parseint.c update all copyright headers to eliminate the typo 2020-09-14 16:20:40 -07:00
pool.c update all copyright headers to eliminate the typo 2020-09-14 16:20:40 -07:00
portset.c update all copyright headers to eliminate the typo 2020-09-14 16:20:40 -07:00
queue.c update all copyright headers to eliminate the typo 2020-09-14 16:20:40 -07:00
quota.c Add (http-)listener-clients option (DoH quota mechanism) 2021-07-16 11:50:20 +03:00
radix.c update all copyright headers to eliminate the typo 2020-09-14 16:20:40 -07:00
random.c The isc/platform.h header has been completely removed 2021-07-06 05:33:48 +00:00
ratelimiter.c update all copyright headers to eliminate the typo 2020-09-14 16:20:40 -07:00
regex.c Reformat sources using clang-format-11 2020-12-08 18:36:23 +01:00
region.c Reformat sources using clang-format-11 2020-12-08 18:36:23 +01:00
resource.c The isc/platform.h header has been completely removed 2021-07-06 05:33:48 +00:00
result.c Remove support for external applications to register libisc 2021-08-30 08:47:39 +02:00
rwlock.c Fix unchecked return of isc_rwlock_lock and isc_rwlock_unlock 2021-07-12 13:26:29 +10:00
safe.c update all copyright headers to eliminate the typo 2020-09-14 16:20:40 -07:00
serial.c update all copyright headers to eliminate the typo 2020-09-14 16:20:40 -07:00
siphash.c update all copyright headers to eliminate the typo 2020-09-14 16:20:40 -07:00
sockaddr.c Completely remove BIND 9 Windows support 2021-06-09 14:35:14 +02:00
socket.c Remove dead code 2021-09-08 10:12:03 +00:00
socket_p.h Completely remove BIND 9 Windows support 2021-06-09 14:35:14 +02:00
stats.c Add a function isc_stats_resize 2021-08-24 09:07:15 +02:00
stdio.c Completely remove BIND 9 Windows support 2021-06-09 14:35:14 +02:00
stdtime.c Completely remove BIND 9 Windows support 2021-06-09 14:35:14 +02:00
string.c Completely remove BIND 9 Windows support 2021-06-09 14:35:14 +02:00
symtab.c update all copyright headers to eliminate the typo 2020-09-14 16:20:40 -07:00
syslog.c Completely remove BIND 9 Windows support 2021-06-09 14:35:14 +02:00
task.c The isc/platform.h header has been completely removed 2021-07-06 05:33:48 +00:00
task_p.h Destroy netmgr before destroying taskmgr 2021-05-07 14:28:30 -07:00
taskpool.c Refactor taskmgr to run on top of netmgr 2021-04-20 23:22:28 +02:00
thread.c Completely remove BIND 9 Windows support 2021-06-09 14:35:14 +02:00
time.c The isc/platform.h header has been completely removed 2021-07-06 05:33:48 +00:00
timer.c The isc/platform.h header has been completely removed 2021-07-06 05:33:48 +00:00
timer_p.h Add new isc_managers API to simplify <*>mgr create/destroy 2021-05-07 10:19:05 -07:00
tls.c Add "session-tickets" options to the "tls" clause 2021-10-01 15:50:43 +03:00
tls_p.h Use library constructor/destructor to initialize OpenSSL 2021-02-18 19:33:54 +01:00
tm.c Use isdigit instead of checking character range 2021-05-05 19:15:33 +02:00
trampoline.c Synchronize the isc_trampoline API with changes needed in v9_16 2021-09-01 10:44:21 +02:00
trampoline_p.h Synchronize the isc_trampoline API with changes needed in v9_16 2021-09-01 10:44:21 +02:00
url.c cast (char) to (unsigned char) when calling is*() 2021-03-15 14:18:03 +11:00
utf8.c update all copyright headers to eliminate the typo 2020-09-14 16:20:40 -07:00