On Thu, Nov 28, 2019 at 09:51:04AM +0100,
Aleš Rygl <[email protected]> wrote
a message of 160 lines which said:
> I would like to disable TLS versions in DoT/DoH lower than 1.3 for
> security reasons. I am trying to use:
>
> addTLSLocal('0.0.0.0', '/etc/dnsdist/cert.pem', '/etc/dnsdist/key.pem', {
> minTLSVersion='tls1.3', provider='OpenSSL' })
For DoH, I use:
addDOHLocal("[::]:443", "/etc/dnsdist/server-doh.pem",
"/etc/dnsdist/server-doh.key", "/", {minTLSVersion="tls1.2", cipher="HIGH"})
And it seems to work (no TLS 1.1):
% ./testssl.sh doh.bortzmeyer.fr
...
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final
NPN/SPDY not offered
ALPN/HTTP2 h2 (offered)
For DoT, I use GnuTLS:
addTLSLocal("[::]:853", "/etc/dnsdist/server-dot.pem",
"/etc/dnsdist/server-dot.key", {minTLSVersion="tls1.2", provider="GnuTLS",
ciphers="PFS:-VERS-TLS1.1:-VERS-TLS1.0"})
And it works as well:
% ./testssl.sh dot.bortzmeyer.fr:853
...
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final
NPN/SPDY not offered
ALPN/HTTP2 not offered
Never tried forcing TLS >= 1.3.
_______________________________________________
dnsdist mailing list
[email protected]
https://mailman.powerdns.com/mailman/listinfo/dnsdist
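The two testssl.sh runs above are checked by eye. The script below is an added example, not part of this thread and not dnsdist or testssl.sh code: it parses the protocol lines testssl.sh prints (the "SSLv2 not offered" ... "TLS 1.3 offered" block quoted in the message) and checks them against a dnsdist-style minTLSVersion policy, so the same scan can be gated automatically after a config change such as raising the minimum to tls1.3. It goes slightly beyond the message in that a protocol line missing from the scan output is treated as a failure, since "not offered" cannot then be confirmed. Assumptions: the testssl.sh label format shown in the message, and the mapping from dnsdist minTLSVersion values (tls1.0 to tls1.3) to those labels; the sample output is constructed from the DoT scan in the message.

```python
"""Check testssl.sh protocol output against a minimum-TLS-version policy.

Added example, not code from the dnsdist list thread, dnsdist or testssl.sh.
It parses the per-protocol result lines testssl.sh prints and verifies that
nothing below the configured minimum is offered and that at least one
protocol at or above the minimum is. The sample scan is constructed from the
lines quoted in the message.
"""
import re

# testssl.sh protocol labels, ordered from oldest to newest (assumed format).
PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLS 1", "TLS 1.1", "TLS 1.2", "TLS 1.3"]

# dnsdist minTLSVersion values mapped to the testssl.sh label they correspond to
# (mapping assumed for this example).
MIN_VERSION_LABEL = {
    "tls1.0": "TLS 1",
    "tls1.1": "TLS 1.1",
    "tls1.2": "TLS 1.2",
    "tls1.3": "TLS 1.3",
}

# One line per protocol: label, then "offered" or "not offered", then optional notes.
LINE_RE = re.compile(r"^\s*(SSLv2|SSLv3|TLS 1(?:\.[123])?)\s+(not offered|offered)\b")


def parse_protocols(output: str) -> dict:
    """Return {label: True if offered, False if not} for each protocol line found."""
    result = {}
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            result[m.group(1)] = (m.group(2) == "offered")
    return result


def check_min_version(offered: dict, min_version: str) -> list:
    """Return policy violations for 'minimum TLS version = min_version'.

    A violation is: a protocol below the minimum that is offered, a protocol
    below the minimum with no result line (cannot confirm it is refused), or
    no protocol at or above the minimum being offered at all. An empty list
    means the scan is compliant.
    """
    label = MIN_VERSION_LABEL[min_version]
    min_index = PROTOCOL_ORDER.index(label)
    violations = []
    for proto in PROTOCOL_ORDER[:min_index]:
        if proto not in offered:
            violations.append(f"{proto}: no result line in scan output, cannot confirm it is refused")
        elif offered[proto]:
            violations.append(f"{proto}: offered but below minimum {min_version}")
    if not any(offered.get(proto, False) for proto in PROTOCOL_ORDER[min_index:]):
        violations.append(f"no protocol at or above {min_version} is offered")
    return violations


# Constructed sample, copied from the DoT scan quoted in the message.
SAMPLE_DOT_SCAN = """\
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final
NPN/SPDY not offered
ALPN/HTTP2 not offered
"""

if __name__ == "__main__":
    protocols = parse_protocols(SAMPLE_DOT_SCAN)
    # The scan passes a tls1.2 policy and fails a tls1.3 policy (TLS 1.2 still offered).
    for policy in ("tls1.2", "tls1.3"):
        problems = check_min_version(protocols, policy)
        print(f"minTLSVersion={policy}: {'OK' if not problems else 'FAIL'}")
        for p in problems:
            print("  -", p)
```

Pipe a real run through it with `./testssl.sh -p dot.example:853 | python3 check_tls_policy.py` style glue (file name assumed) once the scan is produced; the policy value should be the same string used in the dnsdist `minTLSVersion` option, so the check and the configuration cannot drift apart silently.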