Hi Remi
On 28. 11. 19 10:06, Remi Gacogne wrote:
> Hi Aleš,
> On 11/28/19 9:51 AM, Aleš Rygl wrote:
>> I would like to disable TLS versions in DoT/DoH lower than 1.3 for
>> security reasons. I am trying to use:
>> addTLSLocal('0.0.0.0', '/etc/dnsdist/cert.pem', '/etc/dnsdist/key.pem',
>> { minTLSVersion='tls1.3', provider='OpenSSL' })
> Would you mind trying with provider='openssl' (lowercase)? We do
> case-sensitive comparison (we probably shouldn't), meaning that
> 'OpenSSL' is not recognized and you end up with the GnuTLS provider,
> which unfortunately doesn't support 'minTLSVersion' at the moment.
> Based on the feedback we are getting from various users, the OpenSSL
> backend is also much faster than the GnuTLS one, and we will make it the
> default in 1.5.0 [1].
> [1]: https://github.com/PowerDNS/pdns/pull/8380
Thanks, I have just tried it, it works for both DoT and DoH!
addTLSLocal('0.0.0.0', '/etc/dnsdist/cert.pem', '/etc/dnsdist/key.pem',
{ minTLSVersion='tls1.3', provider='openssl' })
addDOHLocal('0.0.0.0', '/etc/dnsdist/cert.pem', '/etc/dnsdist/key.pem',
'/', { minTLSVersion='tls1.3', provider='openssl' })
Script result:
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 not offered
TLS 1.3 offered (OK): final
NPN/SPDY not offered
ALPN/HTTP2 not offered
Thanks again.
Ales
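Editor's note: the silent fallback described above (a misspelled provider name drops you onto GnuTLS, which ignores minTLSVersion) can be caught at configuration load time. The following is an added example, not code from the thread or from dnsdist itself; it assumes dnsdist's Lua configuration API as used in the messages above, and the helper names hardenedTLSLocal/hardenedDOHLocal/checkTLSOptions are ours.

```lua
-- Added example (not from the thread): a small guard around dnsdist's
-- addTLSLocal/addDOHLocal that normalises the provider name and refuses a
-- configuration whose minTLSVersion would otherwise be silently ignored.
-- Assumes the dnsdist Lua configuration API shown in the thread; the
-- helper names below are ours.

local function checkTLSOptions(opts)
  opts = opts or {}
  -- dnsdist compares the provider name case-sensitively, so 'OpenSSL'
  -- falls through to GnuTLS; normalise to lowercase before passing it on.
  if opts.provider ~= nil then
    opts.provider = string.lower(opts.provider)
  end
  -- Default to a TLS 1.3 floor if the caller did not set one.
  opts.minTLSVersion = opts.minTLSVersion or 'tls1.3'
  -- In the dnsdist version discussed, only the OpenSSL provider honours
  -- minTLSVersion. Fail at config load instead of quietly serving old TLS.
  if opts.provider ~= 'openssl' then
    error(string.format(
      "minTLSVersion=%s requires provider='openssl' (got %s)",
      opts.minTLSVersion, tostring(opts.provider)))
  end
  return opts
end

local function hardenedTLSLocal(addr, cert, key, opts)
  addTLSLocal(addr, cert, key, checkTLSOptions(opts))
end

local function hardenedDOHLocal(addr, cert, key, urls, opts)
  addDOHLocal(addr, cert, key, urls, checkTLSOptions(opts))
end

-- The same two listeners as in the thread, now rejecting a provider that
-- would ignore the floor and defaulting to TLS 1.3.
hardenedTLSLocal('0.0.0.0', '/etc/dnsdist/cert.pem', '/etc/dnsdist/key.pem',
  { provider = 'OpenSSL' })            -- normalised to 'openssl'
hardenedDOHLocal('0.0.0.0', '/etc/dnsdist/cert.pem', '/etc/dnsdist/key.pem',
  '/', { minTLSVersion = 'tls1.3', provider = 'openssl' })
```

With this in place a typo such as provider='GnuTls' or an omitted provider stops dnsdist from starting, which is easier to notice than an external scan later reporting TLS 1.2 still offered.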
_______________________________________________
dnsdist mailing list
[email protected]
https://mailman.powerdns.com/mailman/listinfo/dnsdist