On Tue, Jul 14, 2026 at 01:51:05PM -0400, [email protected] wrote:

Looking back at your configuration and at the unbound.conf documentation,
https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html
I don't see "tls-version:" as a valid option (maybe an alias for 
tls-protocols?).
The valus for tls-protocols: should be quoted, ex:  "TLSv1.3.
You can also use "unbound-control get_option tls-protocols" to see current 
setting.
In any case setting/changing this value requires fully restarting the service
for the change to take effect.  (for me, I'd just do a "rcctl reload unbound")


Yes, you're right I had to correct that. tls-version was a thing I got off
the web I think.

% doas unbound-control get_option tls-protocols
TLSv1.3

so it looks like it's all set WRT unbound.

% doas tshark -r tls-versions-test5.pcap -Y "tcp.port == 853 && 
tls.handshake.type==1 \
&& tls.handshake.extensions_server_name"

(nothing)

web browsing (lynx) still has SNI though

% doas tshark -r tls-versions-test5.pcap -Y "tcp.port == 443 && 
tls.handshake.type==1 \
&& tls.handshake.extensions_server_name"
1290  56.042036 192.168.1.199 ? 104.16.124.96 TLSv1.2 210 Client Hello 
(SNI=www.cloudflare.com)
1950  66.882389 192.168.1.199 ? 104.16.124.96 TLSv1.2 210 Client Hello 
(SNI=www.cloudflare.com)

Now it's a question of how to get everything else to be tls1.3 only :D
--

Reply via email to