mirror of
https://github.com/coredns/coredns.git
synced 2026-07-15 20:20:10 -04:00
fix(tls): use Go TLS defaults (#8227)
Remove fixed TLS 1.2 cipher suite list and maximum TLS version so crypto/tls can use its maintained defaults. Keep TLS 1.2 as the minimum supported version. Document the shared TLS default behavior for plugins that expose TLS configuration and add coverage to ensure CoreDNS leaves Go-managed TLS fields unset. Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
This commit is contained in:
@@ -50,6 +50,9 @@ grpc FROM TO... {
|
||||
* `tls` **CERT** **KEY** **CA** - client authentication is used with the specified cert/key pair.
|
||||
The server certificate is verified using the specified CA file
|
||||
|
||||
CoreDNS sets the minimum TLS version to TLS 1.2. The maximum TLS version, TLS 1.2 cipher suites, and
|
||||
key exchange mechanisms use the Go `crypto/tls` defaults.
|
||||
|
||||
* `tls_servername` **NAME** allows you to set a server name in the TLS configuration; for instance 9.9.9.9
|
||||
needs this to be set to `dns.quad9.net`. Multiple upstreams are still allowed in this scenario,
|
||||
but they have to use the same `tls_servername`. E.g. mixing 9.9.9.9 (QuadDNS) with 1.1.1.1
|
||||
@@ -158,4 +161,4 @@ example.org {
|
||||
## Bugs
|
||||
|
||||
The TLS config is global for the whole grpc proxy if you need a different `tls_servername` for
|
||||
different upstreams you're out of luck.
|
||||
different upstreams you're out of luck.
|
||||
|
||||
Reference in New Issue
Block a user