Karel Slaný authored 8 years ago and Ondřej Surý committed 8 years ago

The control structure is part of the resolver context.

Karel Slaný authored 8 years ago and Ondřej Surý committed 8 years ago

Use ENABLE_cookies=yes variable to compile functionality.

Karel Slaný authored 8 years ago and Ondřej Surý committed 8 years ago

Cookies are not stored in separate cache.

Daniel Kahn Gillmor authored 8 years ago and Ondřej Surý committed 8 years ago

RFC 7858 explicitly defines an out-of-band key pinning profile as one
authentication mechanism.  It uses the same format for representing
the pin as HPKP does (RFC 7469).

By logging this pin directly upon first use of the X.509 credentials,
we make it a little bit easier for an admin to publish part of a
pinset.

For ideal operation (including preparation for key rollover), a backup
public key should also be provided, but this is not defined
functionally here.

Daniel Kahn Gillmor authored 8 years ago and Ondřej Surý committed 8 years ago

We also propagate kresd's verbosity into the TLS logging level

Marek Vavrusa authored 8 years ago and Ondřej Surý committed 8 years ago

there are cases where switches or middle-boxes
block DNS/UDP answers >512 octets completely,
this gives user an option to mitigate that.
however, there are authoritatives serving
large answers that don't support TCP, so it's
a compromise as always

Daniel Kahn Gillmor authored 8 years ago and Ondřej Surý committed 8 years ago

kresd has --tls/-t by analogy with --addr/-a where the daemon opens
the socket itself.

This changeset adds equivalent functionality for inherited sockets:
--tlsfd/-T by analogy with --fd/-Sa