On 06.06.19 at 11:29, Wouter Wijngaards wrote:
> NSD 4.2.0rc1 release candidate is available:
> https://www.nlnetlabs.nl/downloads/nsd/nsd-4.2.0rc1.tar.gz

> - Patch to add support for tls service on a specified tls port,
>   from Sara Dickinson (Sinodun).
Cool, the patch has worked here since March.

> - TLS OCSP stapling support, enabled with tls-service-ocsp: filename,
>   patch from Andreas Schulze.
OCSP data are valid for a much shorter time than certificates.
For this reason I renew the OCSP data daily.

Currently this means I restart nsd once a day.

In the long run it would be helpful if updated certificates,
private keys and OCSP data only required a reload.


> - Disable TLS1.0, TLS1.1 and weak ciphers, enable
>   CIPHER_SERVER_PREFERENCE, patch from Andreas Schulze.
There is TLS setup code in
  - server.c ~lines 1660...1270, server_tls_ctx_create()
  - remote.c ~lines  250...300, remote_setup_ctx

The code for the same problem exists twice, but only in server.c does the "hardening" happen. Is this not implemented in remote.c so as not to break existing remote control installations?

Also, I have a problem with the cipher selection "CHACHA20+ECDH:AESGCM+ECDH:!SHA:!AESCCM"
(server.c, line 1709) I suggested months ago:

It's redundant, prefers CHACHA20-POLY1305 over AESGCM, and is not as readable as it could be.
-> New suggestion: SSL_CTX_set_cipher_list(ctx, "ECDHE+AESGCM:ECDHE+CHACHA20")


Andreas
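
Added example (not part of the mail or of NSD): Python's ssl module hands the cipher string to the same OpenSSL parser that SSL_CTX_set_cipher_list() uses, so it can show what the two strings quoted above actually select. The constant names OLD and NEW and the helper functions are this example's own; the two cipher strings are the ones from the mail.

```python
import ssl

# Cipher string currently in server.c, as quoted in the mail.
OLD = "CHACHA20+ECDH:AESGCM+ECDH:!SHA:!AESCCM"
# Replacement suggested in the mail.
NEW = "ECDHE+AESGCM:ECDHE+CHACHA20"


def expand(cipher_string):
    """Return the TLS 1.2 suites OpenSSL selects for cipher_string, in
    server preference order. TLS 1.3 suites are governed by a separate
    OpenSSL setting and are not affected by this string, so skip them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def weak_suites(names):
    """Suites the '!SHA:!AESCCM' exclusions are meant to remove:
    SHA-1 HMAC (CBC) suites and AES-CCM suites."""
    return [n for n in names if n.endswith("-SHA") or "CCM" in n]


def compare(a, b):
    """Summarise how two cipher strings differ: same set of suites or not,
    and which suite each one puts first (what CIPHER_SERVER_PREFERENCE
    will pick when the client offers everything)."""
    ea, eb = expand(a), expand(b)
    return {
        "same_set": set(ea) == set(eb),
        "first_a": ea[0],
        "first_b": eb[0],
        "weak_a": weak_suites(ea),
        "weak_b": weak_suites(eb),
    }


if __name__ == "__main__":
    for label, s in (("old", OLD), ("new", NEW)):
        print(f"{label}: {s}")
        for name in expand(s):
            print("   ", name)
    print(compare(OLD, NEW))
```

Running it shows the same six ECDHE suites for both strings; only the order differs, with the old string putting CHACHA20-POLY1305 ahead of AES-GCM and the new one the other way round.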


_______________________________________________
nsd-users mailing list
nsd-users@NLnetLabs.nl
https://open.nlnetlabs.nl/mailman/listinfo/nsd-users