authorIwan Timmer <irtimmer@gmail.com>2019-02-18 20:41:46 +0100
committerIwan Timmer <iwan.timmer@northwave.nl>2019-06-19 13:10:44 +0200
commit4310bfc20b84127e19bed68701caa3820c844682 (patch)
treeebe8291982d7903be331b1ef1136ebd58aef08e7 /src/resolve/resolved-dnstls-gnutls.c
parentresolved: don't require check when importing resolved-dnstls.h (diff)
resolved: add strict mode for DNS-over-TLS
Add strict mode for DNS-over-TLS, which will require TLS support from the server. Closes #10755
Diffstat (limited to 'src/resolve/resolved-dnstls-gnutls.c')
-rw-r--r--src/resolve/resolved-dnstls-gnutls.c7
1 files changed, 7 insertions, 0 deletions
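--- a/src/resolve/resolved-dnstls-gnutls.c
+++ b/src/resolve/resolved-dnstls-gnutls.c
@@ -54,6 +54,9 @@ int dnstls_stream_connect_tls(DnsStream *stream, DnsServer *server) {
 server->dnstls_data.session_data.size = 0;
 }
+if (server->manager->dns_over_tls_mode == DNS_OVER_TLS_YES)
+gnutls_session_set_verify_cert(gs, NULL, 0);
+
 gnutls_handshake_set_timeout(gs, GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
 gnutls_transport_set_ptr2(gs, (gnutls_transport_ptr_t) (long) stream->fd, stream);
@@ -202,6 +205,10 @@ int dnstls_manager_init(Manager *manager) {
 if (r < 0)
 return -ENOMEM;
+r = gnutls_certificate_set_x509_system_trust(manager->dnstls_data.cert_cred);
+if (r < 0)
+log_warning("Failed to load system trust store: %s", gnutls_strerror(r));
+
 return 0;
 }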
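Review bot: In the first hunk, `gnutls_session_set_verify_cert(gs, NULL, 0)` passes a NULL hostname, so strict mode validates the certificate chain against the trust store but never checks that the certificate was issued for the configured server, and any leaf certificate from a trusted CA would satisfy it; if the server entry carries a configured name, pass it here instead of NULL (`gnutls_session_set_verify_cert(gs, <server name, if configured>, 0)`) and add a comment such as `/* NULL hostname skips the name check: chain validity only */` so the limitation is visible. dnstls_stream_connect_tls starts before the hunk, so whether a server name is available at this point cannot be seen here. In the second hunk, `gnutls_certificate_set_x509_system_trust()` returns the number of certificates loaded, so `r == 0` (an empty trust store) passes the `r < 0` check silently even though every strict-mode handshake will then fail verification with no hint as to why; consider `if (r <= 0)` with a dedicated message for the zero case, since `gnutls_strerror(0)` would report success.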