[dnsdist] DoT/DoH - how to disable TLS < 1.3
Stephane Bortzmeyer
bortzmeyer at nic.fr
Thu Nov 28 09:01:05 UTC 2019
On Thu, Nov 28, 2019 at 09:51:04AM +0100,
Aleš Rygl <ales at rygl.net> wrote
a message of 160 lines which said:
> I would like to disable TLS versions in DoT/DoH lower than 1.3 for
> security reasons. I am trying to use:
>
> addTLSLocal('0.0.0.0', '/etc/dnsdist/cert.pem', '/etc/dnsdist/key.pem', {
> minTLSVersion='tls1.3', provider='OpenSSL' })
For DoH, I use:
addDOHLocal("[::]:443", "/etc/dnsdist/server-doh.pem", "/etc/dnsdist/server-doh.key", "/", {minTLSVersion="tls1.2", ciphers="HIGH"})
And it seems to work (no TLS 1.1):
% ./testssl.sh doh.bortzmeyer.fr
...
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final
NPN/SPDY not offered
ALPN/HTTP2 h2 (offered)
For DoT, I use GnuTLS:
addTLSLocal("[::]:853", "/etc/dnsdist/server-dot.pem", "/etc/dnsdist/server-dot.key", {minTLSVersion="tls1.2", provider="GnuTLS", ciphers="PFS:-VERS-TLS1.1:-VERS-TLS1.0"})
And it works as well:
% ./testssl.sh dot.bortzmeyer.fr:853
...
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 offered (OK)
TLS 1.3 offered (OK): final
NPN/SPDY not offered
ALPN/HTTP2 not offered
Never tried forcing TLS >= 1.3.
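The configuration the original poster was after (TLS 1.3 only, on both DoT and DoH), written up as an added example rather than taken from the thread. Addresses, certificate paths and the URL path are placeholders; the cipher strings are illustrative. It assumes a dnsdist built with both providers and recent enough to know the `ciphersTLS13` option, and that DoH is only served through the OpenSSL provider.

```lua
-- Added example, not from the mailing-list thread. Placeholders:
-- addresses, /etc/dnsdist/*.pem and *.key, and the DoH path.

-- DoT, OpenSSL provider. With OpenSSL the TLS 1.3 suites are set through
-- ciphersTLS13; the plain "ciphers" option only covers TLS <= 1.2, which
-- becomes irrelevant once nothing below 1.3 is accepted.
addTLSLocal("[::]:853", "/etc/dnsdist/server-dot.pem", "/etc/dnsdist/server-dot.key", {
  provider = "openssl",
  minTLSVersion = "tls1.3",
  ciphersTLS13 = "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
})

-- DoH (assumed OpenSSL-only), same version floor and TLS 1.3 suites.
addDOHLocal("[::]:443", "/etc/dnsdist/server-doh.pem", "/etc/dnsdist/server-doh.key", "/dns-query", {
  minTLSVersion = "tls1.3",
  ciphersTLS13 = "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
})

-- DoT, GnuTLS provider (second listener on a different port only so both
-- variants can coexist in one example). The GnuTLS priority string can
-- carry the same restriction explicitly, so the floor holds even if
-- minTLSVersion is not honoured for this provider in a given build.
addTLSLocal("[::]:8853", "/etc/dnsdist/server-dot.pem", "/etc/dnsdist/server-dot.key", {
  provider = "gnutls",
  minTLSVersion = "tls1.3",
  ciphers = "PFS:-VERS-TLS1.0:-VERS-TLS1.1:-VERS-TLS1.2"
})
```

To check the result the way the thread does, run testssl.sh against each listener and expect only "TLS 1.3 offered"; a quicker spot check is `openssl s_client -connect host:853 -tls1_2`, which should fail the handshake, while `-tls1_3` should connect. For DoH, pass `-alpn h2` as well so the ALPN line can be confirmed at the same time.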