Enhancement getdnsapi/stubby#56 & getdnsapi/stubby#130

Configurable TLS version

ChangeLog

@@ -1,4 +1,15 @@
 * 2018-0?-??: Version 1.4.3
+  * Enhancement getdnsapi/stubby#56 & getdnsapi/stubby#130:
+    Configurable minimum and maximum TLS versions with
+    getdns_context_set_tls_min_version() and
+    getdns_context_set_tls_max_version() functions and
+    tls_min_version and tls_max_version configuration parameters
+    for upstreams.
+  * Configurable TLS1.3 ciphersuites with the
+    getdns_context_set_tls_ciphersuites() function and
+    tls_ciphersuites config parameter for upstreams.
+  * Bugfix in upstream string configurations: tls_cipher_list and
+    tls_curve_list
   * Bugfix finding signer for validating NSEC and NSEC3s, which
     caused trouble with the partly tracing DNSSEC from the root
     up, introduced in 1.4.2.  Thanks Philip Homburg

configure.ac

@@ -417,8 +417,8 @@ fi
 AC_CHECK_HEADERS([openssl/conf.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_HEADERS([openssl/engine.h],,, [AC_INCLUDES_DEFAULT])
 AC_CHECK_HEADERS([openssl/bn.h openssl/rsa.h openssl/dsa.h],,, [AC_INCLUDES_DEFAULT])
-AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_min_proto_version OpenSSL_version_num OpenSSL_version SSL_CTX_dane_enable SSL_dane_enable SSL_dane_tlsa_add X509_check_host X509_get_notAfter X509_get0_notAfter])
+AC_CHECK_FUNCS([OPENSSL_config EVP_md5 EVP_sha1 EVP_sha224 EVP_sha256 EVP_sha384 EVP_sha512 FIPS_mode ENGINE_load_cryptodev EVP_PKEY_keygen ECDSA_SIG_get0 EVP_MD_CTX_new EVP_PKEY_base_id HMAC_CTX_new HMAC_CTX_free TLS_client_method DSA_SIG_set0 EVP_dss1 EVP_DigestVerify SSL_CTX_set_min_proto_version OpenSSL_version_num OpenSSL_version SSL_CTX_dane_enable SSL_dane_enable SSL_dane_tlsa_add X509_check_host X509_get_notAfter X509_get0_notAfter SSL_CTX_set_ciphersuites SSL_set_ciphersuites])
-AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto,SSL_CTX_set1_curves_list,SSL_set1_curves_list,SSL_CTX_set_ciphersuites,SSL_set_ciphersuites], [], [], [
+AC_CHECK_DECLS([SSL_COMP_get_compression_methods,sk_SSL_COMP_pop_free,SSL_CTX_set_ecdh_auto,SSL_CTX_set1_curves_list,SSL_set1_curves_list,SSL_set_min_proto_version,SSL_get_min_proto_version], [], [], [
 AC_INCLUDES_DEFAULT
 #ifdef HAVE_OPENSSL_ERR_H
 #include <openssl/err.h>

src/const-info.c

@@ -94,6 +94,8 @@ static struct const_info consts_info[] = {
 	{     633, "GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST", GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST_TEXT },
 	{     634, "GETDNS_CONTEXT_CODE_TLS_CURVES_LIST", GETDNS_CONTEXT_CODE_TLS_CURVES_LIST_TEXT },
 	{     635, "GETDNS_CONTEXT_CODE_TLS_CIPHERSUITES", GETDNS_CONTEXT_CODE_TLS_CIPHERSUITES_TEXT },
+	{     636, "GETDNS_CONTEXT_CODE_TLS_MIN_VERSION", GETDNS_CONTEXT_CODE_TLS_MIN_VERSION_TEXT },
+	{     637, "GETDNS_CONTEXT_CODE_TLS_MAX_VERSION", GETDNS_CONTEXT_CODE_TLS_MAX_VERSION_TEXT },
 	{     699, "GETDNS_CONTEXT_CODE_MAX_BACKOFF_VALUE", GETDNS_CONTEXT_CODE_MAX_BACKOFF_VALUE_TEXT },
 	{     700, "GETDNS_CALLBACK_COMPLETE", GETDNS_CALLBACK_COMPLETE_TEXT },
 	{     701, "GETDNS_CALLBACK_CANCEL", GETDNS_CALLBACK_CANCEL_TEXT },
@@ -116,6 +118,11 @@ static struct const_info consts_info[] = {
 	{    1202, "GETDNS_TRANSPORT_TLS", GETDNS_TRANSPORT_TLS_TEXT },
 	{    1300, "GETDNS_AUTHENTICATION_NONE", GETDNS_AUTHENTICATION_NONE_TEXT },
 	{    1301, "GETDNS_AUTHENTICATION_REQUIRED", GETDNS_AUTHENTICATION_REQUIRED_TEXT },
+	{    1400, "GETDNS_SSL3", GETDNS_SSL3_TEXT },
+	{    1401, "GETDNS_TLS1", GETDNS_TLS1_TEXT },
+	{    1402, "GETDNS_TLS1_1", GETDNS_TLS1_1_TEXT },
+	{    1403, "GETDNS_TLS1_2", GETDNS_TLS1_2_TEXT },
+	{    1404, "GETDNS_TLS1_3", GETDNS_TLS1_3_TEXT },
 	{    4096, "GETDNS_LOG_UPSTREAM_STATS", GETDNS_LOG_UPSTREAM_STATS_TEXT },
 };
 
@@ -195,6 +202,8 @@ static struct const_name_info consts_name_info[] = {
 	{ "GETDNS_CONTEXT_CODE_TLS_CIPHER_LIST", 633 },
 	{ "GETDNS_CONTEXT_CODE_TLS_CONNECTION_RETRIES", 624 },
 	{ "GETDNS_CONTEXT_CODE_TLS_CURVES_LIST", 634 },
+	{ "GETDNS_CONTEXT_CODE_TLS_MAX_VERSION", 637 },
+	{ "GETDNS_CONTEXT_CODE_TLS_MIN_VERSION", 636 },
 	{ "GETDNS_CONTEXT_CODE_TLS_QUERY_PADDING_BLOCKSIZE", 620 },
 	{ "GETDNS_CONTEXT_CODE_TRUST_ANCHORS_URL", 625 },
 	{ "GETDNS_CONTEXT_CODE_TRUST_ANCHORS_VERIFY_CA", 626 },
@@ -281,6 +290,7 @@ static struct const_name_info consts_name_info[] = {
 	{ "GETDNS_RRCLASS_IN", 1 },
 	{ "GETDNS_RRCLASS_NONE", 254 },
 	{ "GETDNS_RRTYPE_A", 1 },
+	{ "GETDNS_RRTYPE_A6", 38 },
 	{ "GETDNS_RRTYPE_AAAA", 28 },
 	{ "GETDNS_RRTYPE_AFSDB", 18 },
 	{ "GETDNS_RRTYPE_ANY", 255 },
@@ -301,6 +311,8 @@ static struct const_name_info consts_name_info[] = {
 	{ "GETDNS_RRTYPE_DOA", 259 },
 	{ "GETDNS_RRTYPE_DS", 43 },
 	{ "GETDNS_RRTYPE_EID", 31 },
+	{ "GETDNS_RRTYPE_EUI48", 108 },
+	{ "GETDNS_RRTYPE_EUI64", 109 },
 	{ "GETDNS_RRTYPE_GID", 102 },
 	{ "GETDNS_RRTYPE_GPOS", 27 },
 	{ "GETDNS_RRTYPE_HINFO", 13 },
@@ -310,6 +322,8 @@ static struct const_name_info consts_name_info[] = {
 	{ "GETDNS_RRTYPE_IXFR", 251 },
 	{ "GETDNS_RRTYPE_KEY", 25 },
 	{ "GETDNS_RRTYPE_KX", 36 },
+	{ "GETDNS_RRTYPE_L32", 105 },
+	{ "GETDNS_RRTYPE_L64", 106 },
 	{ "GETDNS_RRTYPE_LOC", 29 },
 	{ "GETDNS_RRTYPE_LP", 107 },
 	{ "GETDNS_RRTYPE_MAILA", 254 },
@@ -329,6 +343,8 @@ static struct const_name_info consts_name_info[] = {
 	{ "GETDNS_RRTYPE_NSAP", 22 },
 	{ "GETDNS_RRTYPE_NSAP_PTR", 23 },
 	{ "GETDNS_RRTYPE_NSEC", 47 },
+	{ "GETDNS_RRTYPE_NSEC3", 50 },
+	{ "GETDNS_RRTYPE_NSEC3PARAM", 51 },
 	{ "GETDNS_RRTYPE_NULL", 10 },
 	{ "GETDNS_RRTYPE_NXT", 30 },
 	{ "GETDNS_RRTYPE_OPENPGPKEY", 61 },
@@ -357,6 +373,12 @@ static struct const_name_info consts_name_info[] = {
 	{ "GETDNS_RRTYPE_UNSPEC", 103 },
 	{ "GETDNS_RRTYPE_URI", 256 },
 	{ "GETDNS_RRTYPE_WKS", 11 },
+	{ "GETDNS_RRTYPE_X25", 19 },
+	{ "GETDNS_SSL3", 1400 },
+	{ "GETDNS_TLS1", 1401 },
+	{ "GETDNS_TLS1_1", 1402 },
+	{ "GETDNS_TLS1_2", 1403 },
+	{ "GETDNS_TLS1_3", 1404 },
 	{ "GETDNS_TRANSPORT_TCP", 1201 },
 	{ "GETDNS_TRANSPORT_TCP_ONLY", 542 },
 	{ "GETDNS_TRANSPORT_TCP_ONLY_KEEP_CONNECTIONS_OPEN", 543 },

src/context.c

@@ -1079,6 +1079,8 @@ upstream_init(getdns_upstream *upstream,
 	upstream->tls_cipher_list = NULL;
 	upstream->tls_ciphersuites = NULL;
 	upstream->tls_curves_list = NULL;
+	upstream->tls_min_version = (getdns_tls_version_t)0;
+	upstream->tls_max_version = (getdns_tls_version_t)0;
 	upstream->transport = GETDNS_TRANSPORT_TCP;
 	upstream->tls_hs_state = GETDNS_HS_NONE;
 	upstream->tls_auth_name[0] = '\0';
@@ -1597,6 +1599,8 @@ getdns_context_create_with_extended_memory_functions(
 	result->tls_cipher_list = NULL;
 	result->tls_ciphersuites = NULL;
 	result->tls_curves_list = NULL;
+	result->tls_min_version = GETDNS_TLS1_2;
+	result->tls_max_version = (getdns_tls_version_t)0;
 
 	(void) memset(&result->root_ksk, 0, sizeof(result->root_ksk));
 
@@ -3090,6 +3094,7 @@ getdns_context_set_upstream_recursive_servers(struct getdns_context *context,
 				getdns_bindata *tls_cipher_list = NULL;
 				getdns_bindata *tls_ciphersuites = NULL;
 				getdns_bindata *tls_curves_list = NULL;
+				uint32_t        tls_version;
 
 				if ((r = getdns_dict_get_bindata(
 				    dict, "tls_auth_name", &tls_auth_name)) == GETDNS_RETURN_GOOD) {
@@ -3137,16 +3142,17 @@ getdns_context_set_upstream_recursive_servers(struct getdns_context *context,
 				(void) getdns_dict_get_bindata(
 				    dict, "tls_curves_list", &tls_curves_list);
 				if (tls_curves_list) {
-#if defined(HAVE_DECL_SSL_SET1_CURVES_LIST) && HAVE_DECL_SSL_SET1_CURVES_LIST
 					upstream->tls_curves_list = 
 					    _getdns_strdup2(&upstreams->mf
 					                   , tls_curves_list);
-#else
-					freeaddrinfo(ai);
-					goto not_implemented;
-#endif
 				} else
 					upstream->tls_curves_list = NULL;
+				if (!getdns_dict_get_int(
+				    dict, "tls_min_version", &tls_version))
+					upstream->tls_min_version = tls_version;
+				if (!getdns_dict_get_int(
+				    dict, "tls_max_version", &tls_version))
+					upstream->tls_max_version = tls_version;
 			}
 			if ((upstream->tsig_alg = tsig_alg)) {
 				if (tsig_name) {
@@ -3715,9 +3721,17 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
 			if(context->tls_ctx == NULL)
 				return GETDNS_RETURN_BAD_CONTEXT;
 
-#  ifdef HAVE_SSL_CTX_SET_MIN_PROTO_VERSION
+#  if defined(HAVE_DECL_SSL_SET_MIN_PROTO_VERSION) && HAVE_DECL_SSL_SET_MIN_PROTO_VERSION
-			if (!SSL_CTX_set_min_proto_version(
+			fprintf(stderr, "SSL_CTX_set_min_proto_version(%d)\n", context->tls_min_version);
-			    context->tls_ctx, TLS1_2_VERSION)) {
+			if (!SSL_CTX_set_min_proto_version(context->tls_ctx,
+			    _getdns_tls_version2openssl_version(context->tls_min_version))) {
+				SSL_CTX_free(context->tls_ctx);
+				context->tls_ctx = NULL;
+				return GETDNS_RETURN_BAD_CONTEXT;
+			}
+			if (context->tls_max_version
+			&& !SSL_CTX_set_max_proto_version(context->tls_ctx,
+			    _getdns_tls_version2openssl_version(context->tls_max_version))) {
 				SSL_CTX_free(context->tls_ctx);
 				context->tls_ctx = NULL;
 				return GETDNS_RETURN_BAD_CONTEXT;
@@ -3729,7 +3743,7 @@ _getdns_context_prepare_for_resolution(getdns_context *context)
 			    context->tls_cipher_list ? context->tls_cipher_list
 			                             : _getdns_default_tls_cipher_list))
 				return GETDNS_RETURN_BAD_CONTEXT;
-#  if defined(HAVE_DECL_SSL_CTX_SET_CIPHERSUITES) && HAVE_DECL_SSL_CTX_SET_CIPHERSUITES
+#  ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
 			if (!SSL_CTX_set_ciphersuites(context->tls_ctx,
 			    context->tls_ciphersuites ? context->tls_ciphersuites
 			                             : _getdns_default_tls_ciphersuites))
@@ -4083,6 +4097,12 @@ _get_context_settings(getdns_context* context)
 		(void) getdns_dict_util_set_string(result, "tls_ciphersuites", str_value);
 	if (!getdns_context_get_tls_curves_list(context, &str_value) && str_value)
 		(void) getdns_dict_util_set_string(result, "tls_curves_list", str_value);
+	if (context->tls_min_version)
+		(void) getdns_dict_set_int( result, "tls_min_version"
+		                          , context->tls_min_version);
+	if (context->tls_max_version)
+		(void) getdns_dict_set_int( result, "tls_max_version"
+		                          , context->tls_max_version);
 
 	/* Default settings for extensions */
 	(void)getdns_dict_set_int(
@@ -4701,6 +4721,16 @@ getdns_context_get_upstream_recursive_servers(getdns_context *context,
 					    d, "tls_curves_list",
 					    upstream->tls_curves_list);
 				}
+				if (upstream->tls_min_version) {
+					(void) getdns_dict_set_int(
+					    d, "tls_min_version",
+					    upstream->tls_min_version);
+				}
+				if (upstream->tls_max_version) {
+					(void) getdns_dict_set_int(
+					    d, "tls_max_version",
+					    upstream->tls_max_version);
+				}
 			}
 		}
 		if (!r)
@@ -4923,6 +4953,8 @@ _getdns_context_config_setting(getdns_context *context,
 	CONTEXT_SETTING_STRING(tls_cipher_list)
 	CONTEXT_SETTING_STRING(tls_ciphersuites)
 	CONTEXT_SETTING_STRING(tls_curves_list)
+	CONTEXT_SETTING_INT(tls_min_version)
+	CONTEXT_SETTING_INT(tls_max_version)
 
 	/**************************************/
 	/****                              ****/
@@ -5580,4 +5612,46 @@ getdns_context_get_tls_curves_list(
 	return GETDNS_RETURN_GOOD;
 }
 
+getdns_return_t
+getdns_context_set_tls_min_version(
+    getdns_context *context, getdns_tls_version_t tls_min_version)
+{
+	if (!context)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+	context->tls_min_version = tls_min_version;
+	dispatch_updated(context, GETDNS_CONTEXT_CODE_TLS_MIN_VERSION);
+	return GETDNS_RETURN_GOOD;
+}
+
+getdns_return_t
+getdns_context_get_tls_min_version(
+    getdns_context *context, getdns_tls_version_t *tls_min_version)
+{
+	if (!context || !tls_min_version)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+	*tls_min_version = context->tls_min_version;
+	return GETDNS_RETURN_GOOD;
+}
+
+getdns_return_t
+getdns_context_set_tls_max_version(
+    getdns_context *context, getdns_tls_version_t tls_max_version)
+{
+	if (!context)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+	context->tls_max_version = tls_max_version;
+	dispatch_updated(context, GETDNS_CONTEXT_CODE_TLS_MAX_VERSION);
+	return GETDNS_RETURN_GOOD;
+}
+
+getdns_return_t
+getdns_context_get_tls_max_version(
+    getdns_context *context, getdns_tls_version_t *tls_max_version)
+{
+	if (!context || !tls_max_version)
+		return GETDNS_RETURN_INVALID_PARAMETER;
+	*tls_max_version = context->tls_max_version;
+	return GETDNS_RETURN_GOOD;
+}
+
 /* context.c */

src/context.h

@@ -200,16 +200,21 @@ typedef struct getdns_upstream {
 	getdns_network_req      *write_queue_last;
 	_getdns_rbtree_t         netreq_by_query_id;
 
-    /* TLS specific connection handling*/
+	/* TLS specific connection handling */
 	SSL*                     tls_obj;
 	SSL_SESSION*             tls_session;
 	getdns_tls_hs_state_t    tls_hs_state;
 	getdns_auth_state_t      tls_auth_state;
 	unsigned                 tls_fallback_ok : 1;
+
+	/* TLS settings */
 	char                    *tls_cipher_list;
 	char                    *tls_ciphersuites;
 	char                    *tls_curves_list;
-	/* Auth credentials*/
+	getdns_tls_version_t     tls_min_version;
+	getdns_tls_version_t     tls_max_version;
+
+	/* Auth credentials */
 	char                     tls_auth_name[256];
 	sha256_pin_t            *tls_pubkey_pinset;
 
@@ -353,6 +358,8 @@ struct getdns_context {
 	char                 *tls_cipher_list;
 	char                 *tls_ciphersuites;
 	char                 *tls_curves_list;
+	getdns_tls_version_t  tls_min_version;
+	getdns_tls_version_t  tls_max_version;
 
 	getdns_upstreams     *upstreams;
 	uint16_t             limit_outstanding_queries;
@@ -360,7 +367,7 @@ struct getdns_context {
 	getdns_tls_authentication_t  tls_auth;  /* What user requested for TLS*/
 	getdns_tls_authentication_t  tls_auth_min; /* Derived minimum auth allowed*/
 	uint8_t              round_robin_upstreams;
-    uint16_t             max_backoff_value;
+	uint16_t             max_backoff_value;
 	uint16_t             tls_backoff_time;
 	uint16_t             tls_connection_retries;
 

src/dict.c

@@ -1078,6 +1078,8 @@ getdns_pp_dict(gldns_buffer * buf, size_t indent,
 			     strcmp(item->node.key, "transport") == 0 ||
 			     strcmp(item->node.key, "resolution_type") == 0 ||
 			     strcmp(item->node.key, "tls_authentication") == 0 ||
+			     strcmp(item->node.key, "tls_min_version") == 0 ||
+			     strcmp(item->node.key, "tls_max_version") == 0 ||
 
 			     /* extensions */
 			     strcmp(item->node.key, "add_warning_for_bad_dns") == 0 ||

src/getdns/getdns_extra.h.in

@@ -104,6 +104,11 @@ extern "C" {
 #define GETDNS_CONTEXT_CODE_TLS_CURVES_LIST_TEXT "Change related to getdns_context_set_tls_curves_list"
 #define GETDNS_CONTEXT_CODE_TLS_CIPHERSUITES 635
 #define GETDNS_CONTEXT_CODE_TLS_CIPHERSUITES_TEXT "Change related to getdns_context_set_tls_ciphersuites"
+#define GETDNS_CONTEXT_CODE_TLS_MIN_VERSION 636
+#define GETDNS_CONTEXT_CODE_TLS_MIN_VERSION_TEXT "Change related to getdns_context_set_tls_min_version"
+#define GETDNS_CONTEXT_CODE_TLS_MAX_VERSION 637
+#define GETDNS_CONTEXT_CODE_TLS_MAX_VERSION_TEXT "Change related to getdns_context_set_tls_max_version"
+
 
 
 /** @}
@@ -783,6 +788,80 @@ getdns_return_t
 getdns_context_set_tls_curves_list(
     getdns_context *context, const char *curves_list);
 
+typedef enum getdns_tls_version_t {
+	GETDNS_SSL3 = 1400,
+	GETDNS_TLS1 = 1401,
+	GETDNS_TLS1_1 = 1402,
+	GETDNS_TLS1_2 = 1403,
+	GETDNS_TLS1_3 = 1404
+} getdns_tls_version_t;
+
+#define GETDNS_SSL3_TEXT   "See getdns_context_(set|get)_tls_(min|max)_version()"
+#define GETDNS_TLS1_TEXT   "See getdns_context_(set|get)_tls_(min|max)_version()"
+#define GETDNS_TLS1_1_TEXT "See getdns_context_(set|get)_tls_(min|max)_version()"
+#define GETDNS_TLS1_2_TEXT "See getdns_context_(set|get)_tls_(min|max)_version()"
+#define GETDNS_TLS1_3_TEXT "See getdns_context_(set|get)_tls_(min|max)_version()"
+
+/**
+ * Configure context for minimum supported TLS version.
+ * @see getdns_context_set_tls_max_version
+ * @see getdns_context_get_tls_min_version
+ * @param context The context to configure
+ * @param min_version is one of GETDNS_SSL3, GETDNS_TLS1, GETDNS_TLS1_1,
+ *                    GETDNS_TLS1_2, GETDNS_TLS1_3
+ * @return GETDNS_RETURN_GOOD on success
+ * @return GETDNS_RETURN_INVALID_PARAMETER if context is null or value has an
+ *         invalid value.
+ */
+getdns_return_t
+getdns_context_set_tls_min_version(
+    getdns_context *context, getdns_tls_version_t min_version);
+
+/**
+ * Get configured minimum supported TLS version.
+ * @see getdns_context_get_tls_max_version
+ * @see getdns_context_set_tls_min_version
+ * @param context The context to configure
+ * @param min_version is one of GETDNS_SSL3, GETDNS_TLS1, GETDNS_TLS1_1,
+ *                    GETDNS_TLS1_2, GETDNS_TLS1_3
+ * @return GETDNS_RETURN_GOOD on success
+ * @return GETDNS_RETURN_INVALID_PARAMETER if context is null or value has an
+ *         invalid value.
+ */
+getdns_return_t
+getdns_context_get_tls_min_version(
+    getdns_context *context, getdns_tls_version_t *min_version);
+
+/**
+ * Configure context for maximum supported TLS version.
+ * @see getdns_context_set_tls_min_version
+ * @see getdns_context_get_tls_max_version
+ * @param context The context to configure
+ * @param max_version is one of GETDNS_SSL3, GETDNS_TLS1, GETDNS_TLS1_1,
+ *                    GETDNS_TLS1_2, GETDNS_TLS1_3
+ * @return GETDNS_RETURN_GOOD on success
+ * @return GETDNS_RETURN_INVALID_PARAMETER if context is null or value has an
+ *         invalid value.
+ */
+getdns_return_t
+getdns_context_set_tls_max_version(
+    getdns_context *context, getdns_tls_version_t max_version);
+
+/**
+ * Get configured maximum supported TLS version.
+ * @see getdns_context_get_tls_min_version
+ * @see getdns_context_set_tls_max_version
+ * @param context The context to configure
+ * @param max_version is one of GETDNS_SSL3, GETDNS_TLS1, GETDNS_TLS1_1,
+ *                    GETDNS_TLS1_2, GETDNS_TLS1_3
+ * @return GETDNS_RETURN_GOOD on success
+ * @return GETDNS_RETURN_INVALID_PARAMETER if context is null or value has an
+ *         invalid value.
+ */
+getdns_return_t
+getdns_context_get_tls_max_version(
+    getdns_context *context, getdns_tls_version_t *max_version);
+
 /**
  * Get the current resolution type setting from this context.
  * @see getdns_context_set_resolution_type

src/libgetdns.symbols

@@ -1,6 +1,7 @@
 getdns_address
 getdns_address_sync
 getdns_cancel_callback
+getdns_context_
 getdns_context_config
 getdns_context_create
 getdns_context_create_with_extended_memory_functions
@@ -36,8 +37,11 @@ getdns_context_get_tls_backoff_time
 getdns_context_get_tls_ca_file
 getdns_context_get_tls_ca_path
 getdns_context_get_tls_cipher_list
+getdns_context_get_tls_ciphersuites
 getdns_context_get_tls_connection_retries
 getdns_context_get_tls_curves_list
+getdns_context_get_tls_max_version
+getdns_context_get_tls_min_version
 getdns_context_get_tls_query_padding_blocksize
 getdns_context_get_trust_anchors_url
 getdns_context_get_trust_anchors_verify_CA
@@ -80,8 +84,11 @@ getdns_context_set_tls_backoff_time
 getdns_context_set_tls_ca_file
 getdns_context_set_tls_ca_path
 getdns_context_set_tls_cipher_list
+getdns_context_set_tls_ciphersuites
 getdns_context_set_tls_connection_retries
 getdns_context_set_tls_curves_list
+getdns_context_set_tls_max_version
+getdns_context_set_tls_min_version
 getdns_context_set_tls_query_padding_blocksize
 getdns_context_set_trust_anchors_url
 getdns_context_set_trust_anchors_verify_CA

src/mk-const-info.c.sh

@@ -14,7 +14,7 @@ cat > const-info.c << END_OF_HEAD
 static struct const_info consts_info[] = {
 	{   -1, NULL, "/* <unknown getdns value> */" },
 END_OF_HEAD
-gawk '/^[ 	]+GETDNS_[A-Z_]+[ 	]+=[ 	]+[0-9]+/{ key = sprintf("%7d", $3); consts[key] = $1; }/^#define GETDNS_[A-Z_]+[ 	]+[0-9]+/ && !/^#define GETDNS_RRTYPE/ && !/^#define GETDNS_RRCLASS/ && !/^#define GETDNS_OPCODE/  && !/^#define GETDNS_RCODE/ && !/_TEXT/{ key = sprintf("%7d", $3); consts[key] = $2; }/^#define GETDNS_[A-Z_]+[ 	]+\(\(getdns_(return|append_name)_t) [0-9]+ \)/{ key = sprintf("%7d", $4); consts[key] = $2; }END{ n = asorti(consts, const_vals); for ( i = 1; i <= n; i++) { val = const_vals[i]; name = consts[val]; print "\t{ "val", \""name"\", "name"_TEXT },"}}' getdns/getdns_extra.h.in getdns/getdns.h.in const-info.h| sed 's/,,/,/g' >> const-info.c
+gawk '/^[ 	]+GETDNS_[A-Z0-9_]+[ 	]+=[ 	]+[0-9]+/{ key = sprintf("%7d", $3); consts[key] = $1; }/^#define GETDNS_[A-Z0-9_]+[ 	]+[0-9]+/ && !/^#define GETDNS_RRTYPE/ && !/^#define GETDNS_RRCLASS/ && !/^#define GETDNS_OPCODE/  && !/^#define GETDNS_RCODE/ && !/_TEXT/{ key = sprintf("%7d", $3); consts[key] = $2; }/^#define GETDNS_[A-Z0-9_]+[ 	]+\(\(getdns_(return|append_name)_t) [0-9]+ \)/{ key = sprintf("%7d", $4); consts[key] = $2; }END{ n = asorti(consts, const_vals); for ( i = 1; i <= n; i++) { val = const_vals[i]; name = consts[val]; print "\t{ "val", \""name"\", "name"_TEXT },"}}' getdns/getdns_extra.h.in getdns/getdns.h.in const-info.h| sed 's/,,/,/g' >> const-info.c
 cat >> const-info.c << END_OF_TAIL
 };
 
@@ -49,7 +49,7 @@ getdns_get_errorstr_by_id(uint16_t err)
 
 static struct const_name_info consts_name_info[] = {
 END_OF_TAIL
-gawk '/^[ 	]+GETDNS_[A-Z_]+[ 	]+=[ 	]+[0-9]+/{ key = sprintf("%d", $3); consts[$1] = key; }/^#define GETDNS_[A-Z_]+[ 	]+[0-9]+/ && !/_TEXT/{ key = sprintf("%d", $3); consts[$2] = key; }/^#define GETDNS_[A-Z_]+[ 	]+\(\(getdns_(return|append_name)_t) [0-9]+ \)/{ key = sprintf("%d", $4); consts[$2] = key; }END{ n = asorti(consts, const_vals); for ( i = 1; i <= n; i++) { val = const_vals[i]; name = consts[val]; print "\t{ \""val"\", "name" },"}}' getdns/getdns.h.in getdns/getdns_extra.h.in const-info.h| sed 's/,,/,/g' >> const-info.c
+gawk '/^[ 	]+GETDNS_[A-Z0-9_]+[ 	]+=[ 	]+[0-9]+/{ key = sprintf("%d", $3); consts[$1] = key; }/^#define GETDNS_[A-Z0-9_]+[ 	]+[0-9]+/ && !/_TEXT/{ key = sprintf("%d", $3); consts[$2] = key; }/^#define GETDNS_[A-Z0-9_]+[ 	]+\(\(getdns_(return|append_name)_t) [0-9]+ \)/{ key = sprintf("%d", $4); consts[$2] = key; }END{ n = asorti(consts, const_vals); for ( i = 1; i <= n; i++) { val = const_vals[i]; name = consts[val]; print "\t{ \""val"\", "name" },"}}' getdns/getdns.h.in getdns/getdns_extra.h.in const-info.h| sed 's/,,/,/g' >> const-info.c
 cat >> const-info.c << END_OF_TAIL
 };
 

src/stub.c

@@ -931,8 +931,50 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 		return NULL;
 	}
 #if defined(HAVE_DECL_SSL_SET1_CURVES_LIST) && HAVE_DECL_SSL_SET1_CURVES_LIST
-	if (upstream->tls_curves_list)
+	if (upstream->tls_curves_list
-		(void) SSL_set1_curves_list(ssl, upstream->tls_curves_list);
+	&& !SSL_set1_curves_list(ssl, upstream->tls_curves_list)) {
+		_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS,
+		    GETDNS_LOG_ERR, "%-40s : Error configuring tls_curves_list"
+		    "\"%s\"\n", upstream->addr_str, upstream->tls_curves_list);
+	}
+#endif
+#ifdef HAVE_SSL_SET_CIPHERSUITES
+	if (upstream->tls_ciphersuites &&
+	   !SSL_set_ciphersuites(ssl, upstream->tls_ciphersuites)) {
+		_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS,
+		    GETDNS_LOG_ERR, "%-40s : Error configuring tls_ciphersuites "
+		    "\"%s\"\n", upstream->addr_str, upstream->tls_ciphersuites);
+	}
+#endif
+#ifdef defined(HAVE_DECL_SSL_SET_MIN_PROTO_VERSION) && HAVE_DECL_SSL_SET_MIN_PROTO_VERSION
+	if (upstream->tls_min_version && !SSL_set_min_proto_version(ssl,
+	    _getdns_tls_version2openssl_version(upstream->tls_min_version))) {
+		struct const_info *ci = _getdns_get_const_info(int value);
+		if (ci && *ci->name)
+			_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS,
+			    GETDNS_LOG_ERR, "%-40s : Error configuring "
+			    "tls_min_version \"%s\"\n", upstream->addr_str,
+			    ci->name);
+		else
+			_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS,
+			    GETDNS_LOG_ERR, "%-40s : Error configuring "
+			    "tls_min_version \"%d\"\n", upstream->addr_str,
+			    upstream->tls_min_version);
+	}
+	if (upstream->tls_max_version && !SSL_set_max_proto_version(ssl,
+	    _getdns_tls_version2openssl_version(upstream->tls_max_version))) {
+		struct const_info *ci = _getdns_get_const_info(int value);
+		if (ci && *ci->name)
+			_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS,
+			    GETDNS_LOG_ERR, "%-40s : Error configuring "
+			    "tls_max_version \"%s\"\n", upstream->addr_str,
+			    ci->name);
+		else
+			_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS,
+			    GETDNS_LOG_ERR, "%-40s : Error configuring "
+			    "tls_max_version \"%d\"\n", upstream->addr_str,
+			    upstream->tls_max_version);
+	}
 #endif
 	/* make sure we'll be able to find the context again when we need it */
 	if (_getdns_associate_upstream_with_SSL(ssl, upstream) != GETDNS_RETURN_GOOD) {
@@ -1016,14 +1058,6 @@ tls_create_object(getdns_dns_req *dnsreq, int fd, getdns_upstream *upstream)
 		DEBUG_STUB("%s %-35s: Using Strict TLS \n", STUB_DEBUG_SETUP_TLS, 
 		             __FUNC__);
 	}
-#if defined(HAVE_DECL_SSL_SET_CIPHERSUITES) && HAVE_DECL_SSL_SET_CIPHERSUITES
-	if (upstream->tls_ciphersuites &&
-	   !SSL_set_ciphersuites(ssl, upstream->tls_ciphersuites)) {
-		_getdns_upstream_log(upstream, GETDNS_LOG_UPSTREAM_STATS,
-		    GETDNS_LOG_ERR, "%-40s : Error configuring ciphersuites "
-		    "\"%s\"\n", upstream->addr_str, upstream->tls_ciphersuites);
-	}
-#endif
 #if defined(HAVE_SSL_DANE_ENABLE)
 	int osr;
 # if defined(STUB_DEBUG) && STUB_DEBUG

src/util-internal.h

@@ -218,5 +218,19 @@ INLINE uint64_t _getdns_ms_until_expiry2(uint64_t expires, uint64_t *now_ms)
 	return *now_ms >= expires ? 0 : expires - *now_ms;
 }
 
+# if defined(HAVE_DECL_SSL_SET_MIN_PROTO_VERSION) && HAVE_DECL_SSL_SET_MIN_PROTO_VERSION
+INLINE int _getdns_tls_version2openssl_version(getdns_tls_version_t v)
+{
+	switch (v) {
+	case GETDNS_SSL3  : return SSL3_VERSION;
+	case GETDNS_TLS1  : return TLS1_VERSION;
+	case GETDNS_TLS1_1: return TLS1_1_VERSION;
+	case GETDNS_TLS1_2: return TLS1_2_VERSION;
+	case GETDNS_TLS1_3: return TLS1_3_VERSION;
+	default           : return TLS_MAX_VERSION;
+	}
+}
+# endif
+
 #endif
 /* util-internal.h */