On Mon, 2023-09-25 at 18:15 +0200, Rudolf Leitgeb wrote:
> Either this, or the TLS 1.3 code was always buggy, but now
> it was actually used per default.

Yes, setting up nginx with enabled tlsv1.3 on 7.2 and earlier is also on the todo. Similarly, disabling tlsv1.3 and forcing tlsv1.3 on earlier versions.

Still, the earlier versions I had been running seemed to support tlsv1.3, at least according to s_client. But the use as default might change things.

> Question: is there a similar
> commit in your DNS server? Do you use this DNS server with
> anything like TLS?

pdns itself is not leaking, the memory is hogged by mariadb. But (given everything runs via unix sockets) I am not using TLS in that stack at all. This is what initially nudged me a bit towards other functions that might be used from libressl (sha* or something used in auth maybe?). But this will need some more test-setups to run for some time; I will be able to set up automation for that in the coming weeks.

With best regards,
Tobias

> On Sun, 2023-09-24 at 21:31 +0200, Tobias Fiebig wrote:
> >
> > > But yes, getting a specific commit there will be helpful.
> > Sadly it turns out that it is the commit I feared it would be:
> >
> > > commit 7b24b93d67daa9c16d665129fd5d3e7dbc583e4f
> > > Author: Maxim Dounin <mdou...@mdounin.ru>
> > > Date: Fri Mar 24 02:57:43 2023 +0300
> > >
> > > SSL: enabled TLSv1.3 by default.
> >
> > Feared, because it basically puts me back to start w.r.t. what the
> > root cause might be; could be anything that happened to TLSv1.3 code in
> > either LibreSSL or Nginx.
>

--
Dr.-Ing. Tobias Fiebig
T +31 616 80 98 99
M tob...@fiebig.nl