[dnsdist] DoT/DoH - how to disable TLS < 1.3
Aleš Rygl
ales at rygl.net
Thu Nov 28 08:51:04 UTC 2019
Hello,
I would like to disable TLS versions lower than 1.3 in DoT/DoH for
security reasons. I am trying to use:
addTLSLocal('0.0.0.0', '/etc/dnsdist/cert.pem', '/etc/dnsdist/key.pem',
{ minTLSVersion='tls1.3', provider='OpenSSL' })
It seems that it does not work: when testing with testssl.sh (3.0rc5
from https://testssl.sh/dev/) I can see that versions 1, 1.1 and 1.2 are
still offered.
###########################################################
testssl.sh 3.0rc5 from https://testssl.sh/dev/
This program is free software. Distribution and
modification under GPLv2 permitted.
USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
Please file bugs @ https://testssl.sh/bugs/
###########################################################
Using "OpenSSL 1.0.2-chacha (1.0.2k-dev)" [~179 ciphers]
on rzt-proxy:./bin/openssl.Linux.x86_64
(built: "Jan 18 17:12:17 2019", platform: "linux-x86_64")
Start 2019-11-28 09:41:31 -->> 62.141.x.x:853 (dot.xxxxx.cz) <<--
rDNS (62.141.x.x): dot.xxxxx.cz.
Service detected: Couldn't determine what's running on port 853,
assuming no HTTP service => skipping all HTTP checks
Testing protocols via sockets except NPN+ALPN
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 offered
TLS 1.1 offered
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final
NPN/SPDY not offered
ALPN/HTTP2 not offered
I am not sure about the syntax of the options { minTLSVersion='tls1.3',
provider='OpenSSL' }; it seems to be ignored, as it accepts anything...
Versions: Debian 10.2, dnsdist 1.4.0-1pdns.buster, openssl
1.1.1d-0+deb10u2.
Thanks
Ales Rygl
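A defender-side check, added here and not part of the original post or of dnsdist: it parses the "Testing protocols" section of a testssl.sh run like the one above and lists every version still offered below the intended minimum, so a rerun after changing the addTLSLocal() options can be verified mechanically. The sample lines are copied from the post; the function names and the ANSI-stripping step are my own assumptions about how the tool's output is consumed.

```python
import re
from typing import Dict, List

# Protocol names in the order testssl.sh prints them, oldest first.
PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLS 1", "TLS 1.1", "TLS 1.2", "TLS 1.3"]

# One protocol line: the name, then "offered" or "not offered" (trailing "(OK)" etc. ignored).
LINE_RE = re.compile(r"^\s*(SSLv2|SSLv3|TLS 1(?:\.[123])?)\s+(not offered|offered)\b")
# testssl.sh colours its output unless told otherwise; drop the escape codes first.
ANSI_RE = re.compile(r"\x1b\[[0-9;]*m")


def parse_protocols(output: str) -> Dict[str, bool]:
    """Map each protocol testssl.sh reported to True (offered) or False (not offered)."""
    result: Dict[str, bool] = {}
    for line in output.splitlines():
        m = LINE_RE.match(ANSI_RE.sub("", line))
        if m:
            result[m.group(1)] = m.group(2) == "offered"
    return result


def versions_below_minimum(protocols: Dict[str, bool], minimum: str = "TLS 1.3") -> List[str]:
    """Protocols the server still offers that are older than the intended minimum version."""
    cutoff = PROTOCOL_ORDER.index(minimum)
    return [p for p in PROTOCOL_ORDER[:cutoff] if protocols.get(p)]


# Sample input: the protocol section of the scan quoted in the post (constructed copy).
SAMPLE = """\
Testing protocols via sockets except NPN+ALPN
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 offered
TLS 1.1 offered
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final
NPN/SPDY not offered
ALPN/HTTP2 not offered
"""

if __name__ == "__main__":
    found = parse_protocols(SAMPLE)
    weak = versions_below_minimum(found, "TLS 1.3")
    # For the scan above this reports TLS 1, TLS 1.1 and TLS 1.2 as still offered.
    print("offered below minimum:", ", ".join(weak) if weak else "none")
```

An empty list after a rescan means the minimum is actually enforced; anything else means the option did not take effect on that listener.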