diff --git a/libs/getdns/Makefile b/libs/getdns/Makefile index a7f9576194..40e559ef45 100644 --- a/libs/getdns/Makefile +++ b/libs/getdns/Makefile @@ -5,7 +5,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=getdns -PKG_VERSION:=1.5.0 +PKG_VERSION:=1.5.2 PKG_RELEASE:=1 PKG_LICENSE:=BSD-3-Clause @@ -14,7 +14,7 @@ PKG_MAINTAINER:=Jonathan Underwood PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz PKG_SOURCE_URL:=https://getdnsapi.net/dist/ -PKG_HASH:=577182c3ace919ee70cee5629505581a10dc530bd53fe5c241603ea91c84fa84 +PKG_HASH:=1826a6a221ea9e9301f2c1f5d25f6f5588e841f08b967645bf50c53b970694c0 PKG_FIXUP:=autoreconf diff --git a/net/stubby/Makefile b/net/stubby/Makefile index afda53ed8c..20e60ad6ca 100644 --- a/net/stubby/Makefile +++ b/net/stubby/Makefile @@ -5,7 +5,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=stubby -PKG_VERSION:=0.2.4 +PKG_VERSION:=0.2.6 PKG_RELEASE:=1 PKG_LICENSE:=BSD-3-Clause @@ -13,10 +13,9 @@ PKG_LICENSE_FILES:=COPYING PKG_MAINTAINER:=Jonathan Underwood PKG_SOURCE_PROTO:=git -PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz PKG_SOURCE_URL:=https://github.com/getdnsapi/$(PKG_NAME) -PKG_SOURCE_VERSION:=58200cadec6371f95e31a7f3735225c5a46ecf75 -PKG_MIRROR_HASH:=28c46f4464cb41cf59264d10da63dc25ece9a1d00b4dfb05a9276594658e5eb9 +PKG_SOURCE_VERSION:=v$(PKG_VERSION) +PKG_MIRROR_HASH:=af896c471ac67b31c2263d11fcdfcdb32a213621c2f8789f4b0a4ceca4437108 PKG_FIXUP:=autoreconf diff --git a/net/stubby/files/README.md b/net/stubby/files/README.md index 9703573ec0..bc5344cd80 100644 --- a/net/stubby/files/README.md +++ b/net/stubby/files/README.md @@ -372,7 +372,33 @@ The possible levels are: This option specifies additional command line arguments for stubby daemon. By default, this is an empty string. - + +#### `option tls_cipher_list` + +If set, this specifies the acceptable ciphers for DNS over TLS. With OpenSSL +1.1.1 this list is for TLS1.2 and older only. Ciphers for TLS1.3 should be set +with the `tls_ciphersuites` option. This option can also be given per upstream +resolver. By default, this option is not set. + +#### `option tls_ciphersuites` + +If set, this specifies the acceptable cipher for DNS over TLS1.3. OpenSSL +version 1.1.1 or greater is required for this option. This option can also be +given per upstream resolver. By default, this option is not set. + +#### `option tls_min_version` + +If set, this specifies the minimum acceptable TLS version. Works with OpenSSL +1.1.1 or greater only. This option can also be given per upstream resolver. By +default, this option is not set. + +#### `option tls_max_version` + +If set, this specifies the maximum acceptable TLS version. Works with OpenSSL +1.1.1 or greater only. This option can also be given per upstream resolver. By +default, this option is not set. + + ### `resolver` section options #### `option address` @@ -385,10 +411,40 @@ IPv6 address. This option specifies the upstream domain name used for TLS authentication with the supplied server certificate +#### `option tls_port` + +This option specifies the TLS port for the upstream resolver. If not specified, +this defaults to 853. + +#### `option tls_cipher_list` + +If set, this specifies the acceptable ciphers for DNS over TLS. With OpenSSL +1.1.1 this list is for TLS1.2 and older only. Ciphers for TLS1.3 should be set +with the `tls_ciphersuites` option. By default, this option is not set. If set, +this overrides the global value. + +#### `option tls_ciphersuites` + +If set, this specifies the acceptable cipher for DNS over TLS1.3. OpenSSL +version 1.1.1 or greater is required for this option. By default, this option is +not set. If set, this overrides the global value. + +#### `option tls_min_version` + +If set, this specifies the minimum acceptable TLS version. Works with OpenSSL +1.1.1 or greater only. By default, this option is not set. If set, this +overrides the global value. + +#### `option tls_max_version` + +If set, this specifies the maximum acceptable TLS version. Works with OpenSSL +1.1.1 or greater only. By default, this options is not set. If set, this +overrides the global value. + #### `list spki` This list specifies the SPKI pinset which is verified against the keys in the -server cerrtificate. The values takes the form `'/value>'`, where +server cerrtificate. The value takes the form `'/value>'`, where the `digest type` is the hashing algorithm used, and the value is the Base64 encoded hash of the public key. At present, only `sha256` is supported for the digest type. diff --git a/net/stubby/files/stubby.conf b/net/stubby/files/stubby.conf index a02936da13..f722a43046 100644 --- a/net/stubby/files/stubby.conf +++ b/net/stubby/files/stubby.conf @@ -19,24 +19,48 @@ config stubby 'global' list listen_address '0::1@5453' # option log_level '7' # option command_line_arguments '' + # option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20' + # option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256' + # option tls_min_version '1.2' + # option tls_max_version '1.3' # Upstream resolvers are specified using 'resolver' sections. config resolver option address '2606:4700:4700::1111' option tls_auth_name 'cloudflare-dns.com' + # option tls_port 853 # list spki 'sha256/yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=' + # option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20' + # option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256' + # option tls_min_version '1.2' + # option tls_max_version '1.3' config resolver option address '2606:4700:4700::1001' option tls_auth_name 'cloudflare-dns.com' + # option tls_port 853 # list spki 'sha256/yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=' + # option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20' + # option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256' + # option tls_min_version '1.2' + # option tls_max_version '1.3' config resolver option address '1.1.1.1' option tls_auth_name 'cloudflare-dns.com' + # option tls_port 853 # list spki 'sha256/yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=' + # option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20' + # option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256' + # option tls_min_version '1.2' + # option tls_max_version '1.3' config resolver option address '1.0.0.1' option tls_auth_name 'cloudflare-dns.com' + # option tls_port 853 # list spki 'sha256/yioEpqeR4WtDwE9YxNVnCEkTxIjx6EEIwFSQW+lJsbc=' + # option tls_cipher_list 'EECDH+AESGCM:EECDH+CHACHA20' + # option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256' + # option tls_min_version '1.2' + # option tls_max_version '1.3' diff --git a/net/stubby/files/stubby.init b/net/stubby/files/stubby.init index 4a975e39d5..cf051a1404 100755 --- a/net/stubby/files/stubby.init +++ b/net/stubby/files/stubby.init @@ -38,6 +38,10 @@ generate_config() local upstream_recursive_servers_section=0 local command_line_arguments local log_level + local tls_cipher_list + local tls_ciphersuites + local tls_min_version + local tls_max_version # Generate configuration. See: https://github.com/getdnsapi/stubby/blob/develop/stubby.yml.example echo "# Autogenerated configuration from uci data" > "$config_file" @@ -93,6 +97,26 @@ generate_config() config_get idle_timeout "global" idle_timeout "10000" echo "idle_timeout: $idle_timeout" >> "$config_file" + config_get tls_cipher_list "global" tls_cipher_list "" + if [ -n "$tls_cipher_list" ]; then + echo "tls_cipher_list: \"$tls_cipher_list\"" >> "$config_file" + fi + + config_get tls_ciphersuites "global" tls_ciphersuites "" + if [ -n "$tls_ciphersuites" ]; then + echo "tls_ciphersuites: \"$tls_ciphersuites\"" >> "$config_file" + fi + + config_get tls_min_version "global" tls_min_version "" + if [ -n "$tls_min_version" ]; then + echo "tls_min_version: GETDNS_TLS${tls_min_version/\./_}" >> "$config_file" + fi + + config_get tls_max_version "global" tls_max_version "" + if [ -n "$tls_max_version" ]; then + echo "tls_max_version: GETDNS_TLS${tls_max_version/\./_}" >> "$config_file" + fi + handle_listen_address_value() { local value="$1" @@ -122,21 +146,52 @@ generate_config() local config=$1 local address local tls_auth_name + local tls_port local tls_pubkey_pinset_section=0 + local tls_cipher_list + local tls_ciphersuites + local tls_min_version + local tls_max_version if [ "$upstream_recursive_servers_section" = 0 ]; then echo "upstream_recursive_servers:" >> "$config_file" upstream_recursive_servers_section=1 fi config_get address "$config" address - config_get tls_auth_name "$config" tls_auth_name echo " - address_data: $address" >> "$config_file" + + config_get tls_auth_name "$config" tls_auth_name echo " tls_auth_name: \"$tls_auth_name\"" >> "$config_file" + config_get tls_auth_port "$config" tls_port "" + if [ -n "$tls_port" ]; then + echo " tls_port: $tls_port" >> "$config_file" + fi + + config_get tls_cipher_list "$config" tls_cipher_list "" + if [ -n "$tls_cipher_list" ]; then + echo " tls_cipher_list: \"$tls_cipher_list\"" >> "$config_file" + fi + + config_get tls_ciphersuites "$config" tls_ciphersuites "" + if [ -n "$tls_ciphersuites" ]; then + echo " tls_ciphersuites: \"$tls_ciphersuites\"" >> "$config_file" + fi + + config_get tls_min_version "$config" tls_min_version "" + if [ -n "$tls_min_version" ]; then + echo " tls_min_version: GETDNS_TLS${tls_min_version/\./_}" >> "$config_file" + fi + + config_get tls_max_version "$config" tls_max_version "" + if [ -n "$tls_max_version" ]; then + echo " tls_max_version: GETDNS_TLS${tls_max_version/\./_}" >> "$config_file" + fi + handle_resolver_spki() { local val="$1" - local digest="${val%/*}" + local digest="${val%%/*}" local value="${val#*/}" if [ "$tls_pubkey_pinset_section" = 0 ]; then diff --git a/net/stubby/files/stubby.yml b/net/stubby/files/stubby.yml index 655352deb2..b935f3169f 100644 --- a/net/stubby/files/stubby.yml +++ b/net/stubby/files/stubby.yml @@ -17,7 +17,7 @@ dns_transport_list: upstream_recursive_servers: - address_data: 2606:4700:4700::1111 tls_auth_name: "cloudflare-dns.com" - - address_data: 2606:4700:4700::1111 + - address_data: 2606:4700:4700::1001 tls_auth_name: "cloudflare-dns.com" - address_data: 1.1.1.1 tls_auth_name: "cloudflare-dns.com"