Bug 2362

Summary: TLS1.3/openssl-1.1.1 not working
Product: unbound
Reporter: tributh <torsten>
Component: server
Assignee: unbound team <unbound-team>
Status: RESOLVED FIXED
Severity: enhancement
CC: cathya, wouter
Priority: P5
Version: 1.6.7
Hardware: x86_64
OS: Linux

Description tributh 2017-11-03 08:03:08 CET
I am using a Debian buster system.
unbound-1.6.7 with OpenSSL-1.1 is working fine
while running with "DNS over TLS".

When I try to use the current master version of OpenSSL,
which already has support for TLS1.3,
"DNS over TLS" stops working.

There is no way to add extra ciphers in the config, because that part is hardcoded. To make TLS work again I had to add at least one TLS1.3 cipher, which is only possible in the source.

I wish that the next version of unbound will support some of these ciphers, so that TLS1.3 is also supported in the near future.

Like these ones:
"TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256"

Regards, Torsten
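The failure described in the report is easy to run into after an OpenSSL upgrade: a cipher string that was fine for TLS 1.2 may or may not leave any TLS 1.3 suite enabled, depending on how the linked OpenSSL treats TLS 1.3 names. The following Python check is an added example, not code from the report or from unbound; the legacy cipher string is an assumption (the report does not quote unbound's hardcoded list), and the TLS_* spellings are the names OpenSSL 1.1.1 finally shipped for the TLS13-* suites the report lists.

```python
import ssl

# Assumed TLS 1.2 cipher list; the report does not quote unbound's actual list.
LEGACY_CIPHERS = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"

# Suite names as spelled in the report (OpenSSL master, late 2017) mapped to
# the names OpenSSL 1.1.1 finally used for the same suites.
TLS13_SUITES = {
    "TLS13-CHACHA20-POLY1305-SHA256": "TLS_CHACHA20_POLY1305_SHA256",
    "TLS13-AES-256-GCM-SHA384": "TLS_AES_256_GCM_SHA384",
    "TLS13-AES-128-GCM-SHA256": "TLS_AES_128_GCM_SHA256",
}


def split_cipher_string(cipher_string):
    """Split an OpenSSL cipher string into its non-empty colon-separated entries."""
    return [c for c in cipher_string.split(":") if c]


def names_tls13_suite(cipher_string):
    """True if the string itself lists a TLS 1.3 suite under either spelling."""
    known = set(TLS13_SUITES) | set(TLS13_SUITES.values())
    return any(c in known for c in split_cipher_string(cipher_string))


def enabled_suites(cipher_string):
    """Apply cipher_string to a client context and return the suites the
    linked OpenSSL would really offer, grouped by protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:  # no cipher matched at all
        return {}
    by_proto = {}
    for c in ctx.get_ciphers():
        by_proto.setdefault(c["protocol"], []).append(c["name"])
    return by_proto


def tls13_will_work(cipher_string):
    """Would DNS over TLS still be able to negotiate TLS 1.3 with this string?"""
    return bool(enabled_suites(cipher_string).get("TLSv1.3"))


def openssl_has_tls13():
    """Whether the OpenSSL Python is linked against supports TLS 1.3 at all."""
    return bool(ssl.HAS_TLSv1_3)


if __name__ == "__main__":
    for proto, names in enabled_suites(LEGACY_CIPHERS).items():
        print(proto, names)
    print("TLS 1.3 usable:", tls13_will_work(LEGACY_CIPHERS))
```

With OpenSSL 1.1.1 or later the TLS 1.3 suites are kept separately from the cipher string, so a TLS 1.2-only list no longer disables them; with the 2017 master build the report was written against, they had to appear in the string itself.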
Comment 1 Wouter Wijngaards 2017-11-03 08:42:24 CET
Hi Torsten,

I added the ciphers you suggested to the setup list in the hardcoded section. Making it configurable in the config file is an option if necessary, but this was a smaller change, and doesn't seem necessary.

Thanks for the report and excellent cipher suggestion!

Best regards, Wouter