On 06.06.19 at 11:29, Wouter Wijngaards wrote:
> NSD 4.2.0rc1 release candidate is available:
> - Patch to add support for tls service on a specified tls port,
> from Sara Dickinson (Sinodun).
cool, the patch works here since March
> - TLS OCSP stapling support, enabled with tls-service-ocsp: filename,
> patch from Andreas Schulze.
OCSP data is valid for a much shorter time than certificates.
For this reason I renew OCSP data daily.
Currently this means I restart nsd once a day.
At the long tail it would be helpful if updated certificates,
private keys and ocsp-data would only require a reload.
> - Disable TLS1.0, TLS1.1 and weak ciphers, enable
> CIPHER_SERVER_PREFERENCE, patch from Andreas Schulze.
there is TLS setup code in
- server.c ~lines 1660...1270, server_tls_ctx_create()
- remote.c ~lines 250...300, remote_setup_ctx
the code for the same problem exists twice but only in server.c the
Is this not implemented in remote.c to not break existing remote
Also I've a problem with the cipher selection
( server.c, line 1709 ) I suggested months ago:
It's redundant, prefers CHACHA20-POLY1305 over AESGCM and is not as
readable as it could be.
-> new Suggestion: SSL_CTX_set_cipher_list(ctx, "ECDHE+AESGCM:ECDHE+CHACHA20")
nsd-users mailing list
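The cipher-string suggestion above uses OpenSSL's cipher-list syntax, so its effect can be checked without touching NSD itself. The following is an added example written for this thread, not code from NSD or from the message author; it uses Python's `ssl` module (which wraps the same `SSL_CTX_set_cipher_list` call) to build a server context with TLS 1.0/1.1 disabled, server cipher preference enabled and the suggested list `ECDHE+AESGCM:ECDHE+CHACHA20`, then audits which TLS 1.2 cipher suites actually survive and in what order. The helper names (`build_server_context`, `audit_cipher_list`) are this example's own.

```python
import ssl

# The cipher string proposed in the message above (OpenSSL cipher-list syntax).
SUGGESTED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20"


def build_server_context(cipher_list=SUGGESTED_CIPHERS):
    """Server-side SSLContext hardened the way the patch discussion describes:
    no TLS 1.0/1.1, server chooses the cipher, explicit cipher list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Equivalent of SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION):
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Equivalent of SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE):
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    # Equivalent of SSL_CTX_set_cipher_list(ctx, cipher_list); raises on a
    # string that matches no cipher at all.
    ctx.set_ciphers(cipher_list)
    return ctx


def tls12_cipher_names(ctx):
    """Names of the TLS 1.2 suites the context will offer, in preference order.
    TLS 1.3 suites (TLS_AES_..., TLS_CHACHA20_...) are configured separately
    in OpenSSL and are therefore filtered out here."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]


def is_strong_suite(name):
    """Forward secrecy (ECDHE key exchange) and an AEAD bulk cipher only."""
    return name.startswith("ECDHE-") and ("-GCM-" in name or "CHACHA20" in name)


def audit_cipher_list(ctx):
    """Summarise what the cipher string achieved, as a practitioner would want
    to verify before shipping the configuration."""
    names = tls12_cipher_names(ctx)
    return {
        "count": len(names),
        "suites": names,
        "all_strong": all(is_strong_suite(n) for n in names),
        # With server preference enabled, list order is the negotiation order;
        # the suggested string deliberately puts AES-GCM ahead of CHACHA20.
        "aesgcm_first": bool(names) and "-GCM-" in names[0],
        "server_preference": bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE),
        "min_version_ok": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
    }


if __name__ == "__main__":
    report = audit_cipher_list(build_server_context())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Running it prints the surviving suites (for example `ECDHE-ECDSA-AES256-GCM-SHA384`, `ECDHE-RSA-AES256-GCM-SHA384`, ... followed by the two CHACHA20-POLY1305 suites) and confirms that every offered TLS 1.2 suite uses ECDHE with an AEAD cipher. The same audit applied to a permissive string such as `"ALL"` shows non-ECDHE RSA key-exchange suites appearing, which is the class of cipher the patch set out to remove.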