Hi Aleš,
On 11/28/19 9:51 AM, Aleš Rygl wrote:
> I would like to disable TLS versions in DoT/DoH lower than 1.3 for
> security reasons. I am trying to use:
>
> addTLSLocal('0.0.0.0', '/etc/dnsdist/cert.pem', '/etc/dnsdist/key.pem',
> { minTLSVersion='tls1.3', provider='OpenSSL' })
Would you mind trying with provider='openssl' (lowercase)? We do
case-sensitive comparison (we probably shouldn't), meaning that
'OpenSSL' is not recognized and you end up with the GnuTLS provider,
which unfortunately doesn't support 'minTLSVersion' at the moment.
Based on the feedback we are getting from various users, the OpenSSL
backend is also much faster than the GnuTLS one, and we will make it the
default in 1.5.0 [1].
[1]: https://github.com/PowerDNS/pdns/pull/8380
Best regards,
--
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
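Because a mistyped provider name silently falls back to GnuTLS and drops the minTLSVersion setting, it is worth checking the running listener from the outside. The script below is an added example, not part of this thread or of dnsdist; it assumes the openssl command-line tool is installed and that the host and port (853 for DoT) are supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that a dnsdist DoT listener
# refuses TLS 1.2 and accepts TLS 1.3, i.e. that minTLSVersion='tls1.3'
# is actually in effect and the OpenSSL provider was selected.

# Extract the negotiated protocol from `openssl s_client` output.
# Prints e.g. "TLSv1.3", or "none" when no session was established.
negotiated_protocol() {
  proto=$(printf '%s\n' "$1" \
    | sed -n 's/^ *Protocol *: *\(TLSv[0-9.]*\).*/\1/p' | head -n 1)
  if [ -n "$proto" ]; then
    printf '%s\n' "$proto"
  else
    printf 'none\n'
  fi
}

# Attempt one handshake pinned to a single TLS version.
# $1 = host, $2 = port, $3 = openssl version flag (-tls1_2 or -tls1_3)
probe() {
  out=$(openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1)
  negotiated_protocol "$out"
}

# Succeeds (exit 0) only when TLS 1.2 is refused and TLS 1.3 is accepted.
# $1 = host, $2 = port (assumed inputs, e.g. dot.example.net 853)
check_tls13_only() {
  v12=$(probe "$1" "$2" -tls1_2)
  v13=$(probe "$1" "$2" -tls1_3)
  echo "TLS 1.2 -> $v12, TLS 1.3 -> $v13"
  [ "$v12" = "none" ] && [ "$v13" = "TLSv1.3" ]
}

# Usage: check_tls13_only dot.example.net 853
```

If the TLS 1.2 probe reports a negotiated protocol, the listener is still using the GnuTLS provider (or the minimum version was not applied) and the addTLSLocal line should be rechecked.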
