[dnsdist] DoT/DoH - how to disable TLS < 1.3
Aleš Rygl
ales at rygl.net
Thu Nov 28 13:51:20 UTC 2019
Hi Remi,
On 28. 11. 19 10:06, Remi Gacogne wrote:
> Hi Aleš,
>
>
> On 11/28/19 9:51 AM, Aleš Rygl wrote:
>> I would like to disable TLS versions in DoT/DoH lower than 1.3 for
>> security reasons. I am trying to use:
>>
>> addTLSLocal('0.0.0.0', '/etc/dnsdist/cert.pem', '/etc/dnsdist/key.pem',
>> { minTLSVersion='tls1.3', provider='OpenSSL' })
> Would you mind trying with provider='openssl' (lowercase)? We do
> case-sensitive comparison (we probably shouldn't), meaning that
> 'OpenSSL' is not recognized and you end up with the GnuTLS provider,
> which unfortunately doesn't support 'minTLSVersion' at the moment.
>
> Based on the feedback we are getting from various users, the OpenSSL
> backend is also much faster than the GnuTLS one, and we will make it the
> default in 1.5.0 [1].
>
> [1]: https://github.com/PowerDNS/pdns/pull/8380
Thanks, I have just tried it, it works for both DoT and DoH!
addTLSLocal('0.0.0.0', '/etc/dnsdist/cert.pem', '/etc/dnsdist/key.pem',
{ minTLSVersion='tls1.3', provider='openssl' })
addDOHLocal('0.0.0.0', '/etc/dnsdist/cert.pem', '/etc/dnsdist/key.pem',
'/', { minTLSVersion='tls1.3', provider='openssl' })
Script result:
SSLv2 not offered (OK)
SSLv3 not offered (OK)
TLS 1 not offered
TLS 1.1 not offered
TLS 1.2 not offered
TLS 1.3 offered (OK): final
NPN/SPDY not offered
ALPN/HTTP2 not offered
Thanks again.
Ales
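The check above was done with an external scanner. As an added example (not part of this thread and not dnsdist's own code), the Go program below does the same protocol-version probe from the standard library only: it starts a loopback listener configured with MinVersion TLS 1.3, the Go-side equivalent of minTLSVersion='tls1.3', then attempts one handshake per version (TLS 1.0 through 1.3) and reports which ones the server accepts. The `ProbeVersions` function can be pointed at a real DoT endpoint (host:853) instead of the local demo; the hostname shown in its comment is a placeholder, and the self-signed certificate is generated in-process purely for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Versions probed, in the order a testssl-style report lists them.
var probeVersions = []struct {
	name string
	ver  uint16
}{
	{"TLS 1.0", tls.VersionTLS10},
	{"TLS 1.1", tls.VersionTLS11},
	{"TLS 1.2", tls.VersionTLS12},
	{"TLS 1.3", tls.VersionTLS13},
}

// ProbeVersions tries one handshake per protocol version against addr
// (e.g. "dot.example.net:853", a placeholder) and reports which ones the
// server accepts. Certificate verification is skipped on purpose: the probe
// answers "is this version accepted", not "is the certificate trusted".
func ProbeVersions(addr string) map[string]bool {
	offered := make(map[string]bool, len(probeVersions))
	for _, p := range probeVersions {
		cfg := &tls.Config{MinVersion: p.ver, MaxVersion: p.ver, InsecureSkipVerify: true}
		conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 3 * time.Second}, "tcp", addr, cfg)
		if err == nil {
			conn.Close()
		}
		offered[p.name] = err == nil
	}
	return offered
}

// StrictServerConfig is a TLS 1.3-only server config, mirroring minTLSVersion='tls1.3'.
func StrictServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS13}
}

// selfSignedCert builds a throwaway ECDSA certificate for the loopback demo
// (constructed in-process; not a real dnsdist certificate).
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// RunLocalDemo starts the strict listener on loopback and probes it.
func RunLocalDemo() (map[string]bool, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return nil, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", StrictServerConfig(cert))
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			// Drive the handshake; a client below TLS 1.3 is refused with a
			// protocol_version alert here, so its Dial fails.
			go func(c net.Conn) {
				c.(*tls.Conn).Handshake()
				c.Close()
			}(c)
		}
	}()
	return ProbeVersions(ln.Addr().String()), nil
}

// OnlyTLS13 reports whether the result matches the intended policy:
// TLS 1.3 accepted, every older version refused.
func OnlyTLS13(offered map[string]bool) bool {
	for _, p := range probeVersions {
		if offered[p.name] != (p.ver == tls.VersionTLS13) {
			return false
		}
	}
	return true
}

func main() {
	offered, err := RunLocalDemo()
	if err != nil {
		panic(err)
	}
	for _, p := range probeVersions {
		state := "not offered"
		if offered[p.name] {
			state = "offered"
		}
		fmt.Printf("%s %s\n", p.name, state)
	}
	fmt.Println("TLS 1.3-only policy holds:", OnlyTLS13(offered))
}
```

Against the loopback server the report reads "TLS 1.0 not offered ... TLS 1.3 offered", the same shape as the scanner output in the message above; running `ProbeVersions` against the dnsdist listener after a configuration change is a quick way to confirm that the provider name was accepted and minTLSVersion actually took effect.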