Daniel Kahn Gillmor authored
If kresd is configured to listen using TLS, but it has no credentials,
it should fall back to generating ephemeral credentials and using
them.

It stores the ephemerally-generated secret key in the same directory
as the cache, using the name "ephemeral_key.pem".  If the cache
persists, then the key will too, even if the daemon dies.  This means
that any set of daemons that share a cache will also share an
ephemeral secret key.

The ephemeral X.509 certificate that corresponds to the key will be
automatically generated (self-signed) and will have a lifetime of about
90 days (matching Let's Encrypt policy).  The ephemeral cert is
never written to disk; it is always dynamically generated by kresd.

This should make it very easy to get DNS-over-TLS working in
opportunistic mode.
a405b874
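The scheme the commit message describes, reproduced with the openssl CLI as an added example (this is not kresd's own code, which does this in-process): the secret key is created once under the cache directory and reused on every later start, while the self-signed certificate is minted fresh on demand with a 90-day lifetime and never stored. The cache directory path, the key type (P-256) and the subject name are assumptions; only the file name "ephemeral_key.pem" comes from the commit message. The fingerprint helpers show the consequence the message points out: two daemons sharing one cache present certificates that differ, but that are signed by the same key.

```shell
#!/bin/sh
# Added example, not kresd's code. Mimics: load-or-generate an ephemeral key
# in the cache dir, then mint a 90-day self-signed cert in memory on demand.
# Assumptions: P-256 key, subject "/CN=kresd-ephemeral" (not from the page).

# Print the path of the ephemeral key inside cache dir $1, generating it only
# if it is absent. A second process given the same cache dir reuses the key,
# which is exactly why daemons that share a cache share a secret key.
ensure_ephemeral_key() {
    key="$1/ephemeral_key.pem"
    if [ ! -f "$key" ]; then
        # umask 077 so the key file is never readable by other users
        (umask 077 && openssl ecparam -name prime256v1 -genkey -noout -out "$key") \
            >/dev/null 2>&1 || return 1
    fi
    printf '%s\n' "$key"
}

# Emit a new self-signed certificate for key file $1 on stdout, valid 90 days.
# Nothing is written to disk; every call yields a fresh serial over the same key.
ephemeral_cert() {
    openssl req -new -x509 -key "$1" -days 90 -subj "/CN=kresd-ephemeral" 2>/dev/null
}

# SHA-256 over the DER public key of key file $1. Daemons sharing the cache
# share this value even though their certificates differ.
key_fingerprint() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit 0 if the PEM certificate on stdin carries the public key of key file $1.
cert_matches_key() {
    cert_fp=$(openssl x509 -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}')
    [ -n "$cert_fp" ] && [ "$cert_fp" = "$(key_fingerprint "$1")" ]
}

# Exit 0 if the PEM certificate on stdin is still valid $1 days from now.
cert_valid_in_days() {
    openssl x509 -noout -checkend $(( $1 * 86400 )) >/dev/null 2>&1
}
```

Because the certificate is self-signed and the key is whatever happened to be in the cache directory, a client can only use this opportunistically (encryption without authentication); a client configured to pin a CA or verify the hostname will reject it, and anyone who can read the cache directory holds the key for as long as the cache persists.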