Bug 2362 - TLS1.3/openssl-1.1.1 not working
Status: RESOLVED FIXED
Product: unbound
Classification: Unclassified
Component: server
Version: 1.6.7
Hardware: x86_64 Linux
Importance: P5 enhancement
Assigned To: unbound team
Depends on:
Blocks:
Reported: 2017-11-03 08:03 CET by tributh
Modified: 2017-11-03 08:42 CET (History)

Description tributh 2017-11-03 08:03:08 CET
I am using a Debian buster system.
unbound-1.6.7 with OpenSSL-1.1 is working fine
while running with "DNS over TLS".

When I try to use the actual master version of OpenSSL,
which already has support for TLS1.3,
"DNS over TLS" stops working.

There is no way to add extra ciphers in the config, because that part is hardcoded. To make TLS work again I had to add at least one TLS13 cipher, which is only possible in the source.

I wish that the next version of unbound will support some of these ciphers, to also support TLS13 in the near future.

Like these ones:
"TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:TLS13-AES-128-GCM-SHA256"


Regards Torsten
Comment 1 Wouter Wijngaards 2017-11-03 08:42:24 CET
Hi Torsten,

I added the ciphers you suggested to the setup list in the hardcoded section.  Making it configurable in the config file is an option if necessary, but this was a smaller change, and doesn't seem necessary.

Thanks for the report and excellent cipher suggestion!

Best regards, Wouter
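The report above turns on one detail: a hardcoded cipher list that contains only pre-1.3 suites leaves nothing for a TLS 1.3 peer to negotiate, so "DNS over TLS" fails until at least one TLS 1.3 suite is present. The following is an added example, not code from unbound or from either poster, that checks a colon-separated OpenSSL-style cipher string for exactly that condition and probes the locally linked OpenSSL through Python's `ssl` module. It assumes two naming conventions: the `TLS13-` prefix used by the pre-release OpenSSL master the reporter built against (the names in the report), and the `TLS_` prefix (for example `TLS_AES_256_GCM_SHA384`) that the released OpenSSL 1.1.1 uses; all function names are this example's own.

```python
import ssl

# Name prefixes that identify TLS 1.3 ciphersuites in OpenSSL:
#   "TLS13-" : pre-release OpenSSL master naming, as quoted in the report
#   "TLS_"   : final OpenSSL 1.1.1 naming (e.g. TLS_AES_256_GCM_SHA384)
# Pre-1.3 OpenSSL cipher names (ECDHE-..., DHE-..., AES...) use neither.
TLS13_PREFIXES = ("TLS13-", "TLS_")


def parse_cipher_string(cipher_string):
    """Split an OpenSSL colon-separated cipher list into individual names."""
    return [name for name in cipher_string.split(":") if name]


def is_tls13_suite(name):
    """True if the cipher name denotes a TLS 1.3 ciphersuite."""
    return name.startswith(TLS13_PREFIXES)


def split_by_version(cipher_string):
    """Return (tls13_suites, legacy_ciphers) from a cipher string."""
    names = parse_cipher_string(cipher_string)
    tls13 = [n for n in names if is_tls13_suite(n)]
    legacy = [n for n in names if not is_tls13_suite(n)]
    return tls13, legacy


def tls13_capable(cipher_string):
    """True if the list offers at least one suite a TLS 1.3 peer can use.

    A list of only pre-1.3 ciphers is the failure mode in the bug report:
    TLS 1.3 clients find no common suite and the handshake fails.
    """
    tls13, _ = split_by_version(cipher_string)
    return bool(tls13)


def local_openssl_tls13_suites():
    """Probe the OpenSSL linked into this interpreter for TLS 1.3 suites.

    Returns an empty list on an OpenSSL without TLS 1.3 support.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.3"]


def legacy_list_accepted(cipher_string):
    """True if OpenSSL accepts the string as a pre-1.3 cipher list.

    set_ciphers() only configures TLS 1.2 and below; a string made solely
    of TLS 1.3 names leaves no selectable cipher and is rejected.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return False
    return True


if __name__ == "__main__":
    # Constructed inputs: the reporter's suggested TLS 1.3 suites and a
    # typical pre-1.3 list.
    reported = ("TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384:"
                "TLS13-AES-128-GCM-SHA256")
    legacy_only = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"
    print("reported list TLS 1.3 capable:", tls13_capable(reported))
    print("legacy-only list TLS 1.3 capable:", tls13_capable(legacy_only))
    print("local OpenSSL TLS 1.3 suites:", local_openssl_tls13_suites())
    print("combined list accepted by set_ciphers:",
          legacy_list_accepted(legacy_only + ":" + reported))
```

The pure functions work on any cipher string; the two `ssl`-backed probes report what the running interpreter's OpenSSL actually supports, which is the quickest way to confirm whether a build is affected before touching source.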