On Tue, Jul 14, 2026 at 01:51:05PM -0400, [email protected] wrote:
Looking back at your configuration and at the unbound.conf documentation, https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html I don't see "tls-version:" as a valid option (maybe an alias for tls-protocols?). The valus for tls-protocols: should be quoted, ex: "TLSv1.3. You can also use "unbound-control get_option tls-protocols" to see current setting. In any case setting/changing this value requires fully restarting the service for the change to take effect. (for me, I'd just do a "rcctl reload unbound")
Yes, you're right I had to correct that. tls-version was a thing I got off the web I think. % doas unbound-control get_option tls-protocols TLSv1.3 so it looks like it's all set WRT unbound. % doas tshark -r tls-versions-test5.pcap -Y "tcp.port == 853 && tls.handshake.type==1 \ && tls.handshake.extensions_server_name" (nothing) web browsing (lynx) still has SNI though % doas tshark -r tls-versions-test5.pcap -Y "tcp.port == 443 && tls.handshake.type==1 \ && tls.handshake.extensions_server_name" 1290 56.042036 192.168.1.199 ? 104.16.124.96 TLSv1.2 210 Client Hello (SNI=www.cloudflare.com) 1950 66.882389 192.168.1.199 ? 104.16.124.96 TLSv1.2 210 Client Hello (SNI=www.cloudflare.com) Now it's a question of how to get everything else to be tls1.3 only :D --

