policy.TLS_FORWARD: send SNI on wire if configured (!762) · Merge requests · Knot projects / Knot Resolver

Merged Vladimír Čunát requested to merge tls-sni into master 6 years ago

Feb 25, 2019
- daemon: improve readability of TLS parameter handling · 9a59a4d9
  Petr Špaček authored 6 years ago
  
  Verified
  
  9a59a4d9
- daemon: split TLS authentication into smaller functions · e7d8066d
  Petr Špaček authored 6 years ago
  
  Verified
  
  e7d8066d
- nitpicks · 6bd23d70
  Petr Špaček authored 6 years ago
  
  Verified
  
  6bd23d70
Feb 22, 2019

daemon: rework handling of TLS authentication params · 81b1450e

Vladimír Čunát authored 6 years ago and

Petr Špaček committed 6 years ago

It's mainly about the way we parse and validate them.

Almost all of the parts of validation that were being done
in modules/policy/policy.lua and daemon/tls.c got moved
to daemon/bindings/net.c, so it's easier to follow that.
Also more checks are being done now, e.g. contents of .pin_sha256
and .hostname strings.

Verified

81b1450e

policy.TLS_FORWARD: send SNI on wire if configured · a4284580

Vladimír Čunát authored 6 years ago and

Petr Špaček committed 6 years ago

In https world it's standard to do that, and it's relied on.
Real-life example: 8.8.8.8#853 over TLSv1.3 won't send a certificate
if we don't send SNI (no idea why; also they do send it with TLSv1.2).

As a consequence, we no longer allow multiple hostnames per
address-port tuple, but that didn't seem useful.

Verified

a4284580

Admin message

policy.TLS_FORWARD: send SNI on wire if configured

Merge request reports

Activity