[dnsdist] DoT/DoH - how to disable TLS < 1.3

Remi Gacogne remi.gacogne at powerdns.com
Thu Nov 28 09:06:54 UTC 2019


Hi Aleš,


On 11/28/19 9:51 AM, Aleš Rygl wrote:
> I would like to disable TLS versions in DoT/DoH lower than 1.3 for
> security reasons. I am trying to use:
> 
> addTLSLocal('0.0.0.0', '/etc/dnsdist/cert.pem', '/etc/dnsdist/key.pem',
> { minTLSVersion='tls1.3', provider='OpenSSL' })

Would you mind trying with provider='openssl' (lowercase)? We do
case-sensitive comparison (we probably shouldn't), meaning that
'OpenSSL' is not recognized and you end up with the GnuTLS provider,
which unfortunately doesn't support 'minTLSVersion' at the moment.

Based on the feedback we are getting from various users, the OpenSSL
backend is also much faster than the GnuTLS one, and we will make it the
default in 1.5.0 [1].

[1]: https://github.com/PowerDNS/pdns/pull/8380

Best regards,
-- 
Remi Gacogne
PowerDNS.COM BV - https://www.powerdns.com/
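A verification step a deployer can run after switching to provider='openssl' with minTLSVersion='tls1.3', added here and not part of the original thread: it probes the DoT listener (port 853) and the DoH listener (port 443) with openssl s_client and checks that a TLS 1.2-only client is refused while a TLS 1.3 client completes the handshake. The host name comes from the DNSDIST_HOST variable (a placeholder), and the -tls1_3 flag requires OpenSSL 1.1.1 or newer.

```shell
#!/bin/sh
# Added example, not from the dnsdist thread: confirm the minimum TLS
# version is actually enforced on the DoT (853) and DoH (443) listeners.

# Classify a captured `openssl s_client` transcript. Failure markers are
# checked first because a refused handshake still prints a "Protocol" line.
classify_handshake() {
  case $1 in
    *"alert protocol version"*|*"no protocols available"*|*"Cipher is (NONE)"*)
      echo rejected ;;
    *"Protocol  : TLSv1."*|*"Protocol version: TLSv1."*)
      echo accepted ;;
    *)
      echo unknown ;;
  esac
}

# probe_version HOST PORT FLAG, where FLAG is -tls1_2 or -tls1_3.
# stdin is closed so s_client exits right after the handshake attempt.
probe_version() {
  out=$(openssl s_client -connect "$1:$2" -servername "$1" "$3" </dev/null 2>&1)
  classify_handshake "$out"
}

# check_listener HOST PORT: succeeds only if TLS 1.2 is rejected and
# TLS 1.3 is accepted, which is what minTLSVersion='tls1.3' should give.
check_listener() {
  v12=$(probe_version "$1" "$2" -tls1_2)
  v13=$(probe_version "$1" "$2" -tls1_3)
  echo "$1:$2 tls1.2=$v12 tls1.3=$v13"
  [ "$v12" = rejected ] && [ "$v13" = accepted ]
}

# DNSDIST_HOST is a placeholder for the dnsdist frontend to test.
if [ -n "$DNSDIST_HOST" ]; then
  check_listener "$DNSDIST_HOST" 853
  check_listener "$DNSDIST_HOST" 443
fi
```

A "unknown" result for either probe usually means the listener was not reachable at all rather than a TLS policy outcome, so check the address and port before drawing conclusions.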
