comparison core/certmanager.lua @ 14216:2ec517d8d43e

net.unbound: Enable DNSSEC by default with option for turning off You know what they say about opt-in security. Enabling DNSSEC in libunbound without a way to turn it off would likely be a problem for those whose DNS resolvers do not support, or outright block DNSSEC. The merge algorithm already in place here doesn't have a way to unset something, so instead a simpler boolean setting is introduced, similar to some existing ones like use_ipv6/4 and use_dane.
author Kim Alvefur <zash@zash.se>
date Sun, 07 Jun 2026 20:32:55 +0200
parents 4aed38a1c971
children 565debd9c37a
comparison
equal deleted inserted replaced
14215:2719dbb358c8 14216:2ec517d8d43e
211 "!PSK", -- Pre-Shared Key - not used for XMPP 211 "!PSK", -- Pre-Shared Key - not used for XMPP
212 "!SRP", -- Secure Remote Password - not used for XMPP 212 "!SRP", -- Secure Remote Password - not used for XMPP
213 "!3DES", -- 3DES - slow and of questionable security 213 "!3DES", -- 3DES - slow and of questionable security
214 "!aNULL", -- Ciphers that does not authenticate the connection 214 "!aNULL", -- Ciphers that does not authenticate the connection
215 }; 215 };
216 dane = tls.features.capabilities.dane and configmanager.get("*", "use_dane") and { "no_ee_namechecks" }; 216 dane = tls.features.capabilities.dane and configmanager.get("*", "use_dane") ~= false and { "no_ee_namechecks" };
217 } 217 }
218 218
219 -- https://datatracker.ietf.org/doc/html/rfc7919#appendix-A.1 219 -- https://datatracker.ietf.org/doc/html/rfc7919#appendix-A.1
220 local ffdhe2048 = [[ 220 local ffdhe2048 = [[
221 -----BEGIN DH PARAMETERS----- 221 -----BEGIN DH PARAMETERS-----
382 global_ssl_config = configmanager.get("*", "ssl"); 382 global_ssl_config = configmanager.get("*", "ssl");
383 global_certificates = configmanager.get("*", "certificates") or "certs"; 383 global_certificates = configmanager.get("*", "certificates") or "certs";
384 if tls.features.options.no_compression then 384 if tls.features.options.no_compression then
385 core_defaults.options.no_compression = configmanager.get("*", "ssl_compression") ~= true; 385 core_defaults.options.no_compression = configmanager.get("*", "ssl_compression") ~= true;
386 end 386 end
387 if not configmanager.get("*", "use_dane") then 387 if configmanager.get("*", "use_dane") == false then
388 core_defaults.dane = false; 388 core_defaults.dane = false;
389 elseif tls.features.capabilities.dane then 389 elseif tls.features.capabilities.dane then
390 core_defaults.dane = { "no_ee_namechecks" }; 390 core_defaults.dane = { "no_ee_namechecks" };
391 else 391 else
392 core_defaults.dane = true; 392 core_defaults.dane = true;