From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: Re: OpenSSL-1.1.1a - No TLSv1.3 with unbound Date: Thu, 14 Feb 2019 15:01:17 +0000 Message-ID: <1974ECAF-EC8A-4DA3-AF95-A05FB81CBE7D@ipfire.org> In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============2961522554069089862==" List-Id: --===============2961522554069089862== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hi, Actually I tried this from an IPFire 3 system which has a quite old version o= f OpenSSL. So maybe Ed25519 could not have been used because the client doesn=E2=80=99t = support it. -Michael > On 14 Feb 2019, at 14:18, ummeegge wrote: >=20 > Hi Michael, >=20 >=20 > On Do, 2019-02-14 at 11:31 +0000, Michael Tremer wrote: >> Hey, >>=20 >> I am getting this when I am connecting: >>=20 >> New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384 >> Server public key is 384 bit >> Secure Renegotiation IS supported >> Compression: NONE >> Expansion: NONE >> No ALPN negotiated >> SSL-Session: >> Protocol : TLSv1.2 >> Cipher : ECDHE-ECDSA-AES256-GCM-SHA384 >>=20 >> I did not configure anything else than the defaults. > OK, this is a little strange too since one machine uses the 25519 curve > :-) . > Also i have had this conversation -->=20 > https://lists.ipfire.org/pipermail/development/2018-December/005059.html > in mind so i was searching for this. >=20 > But this is also a beneath one, the TLSv1.3 is in my main focus, will > need a little until the build is finished. It might neverthless help > very much if someone else can also went in some testings ! >=20 > Best, >=20 > Erik >=20 >=20 >>=20 >> -Michael >>=20 >>> On 14 Feb 2019, at 11:28, ummeegge wrote: >>>=20 >>> Hi Michael, >>>=20 >>> On Do, 2019-02-14 at 11:08 +0000, Michael Tremer wrote: >>>> Hi, >>>>=20 >>>> Just for the protocol. The Lightning Wire Labs resolver currently >>>> only supports TLS 1.2. >>>=20 >>> yes i know but the strange thing is --> >>>=20 >>>>=20 >>>> Just in case you were expecting TLS 1.3 from it. >>>=20 >>> No not TLS 1.3 but 'ECDHE-X25519' . Strangely on the origin/next >>> machine where no TLSv1.3 is used it offers also only 'ECDHE-ECDSA- >>> SECP256R1' have wrote you that already in the 'Kicking of DoT' >>> topic. >>> It seems somehow related to another. The other machine (old patch >>> <-- >>> not sure if it has something to do with this) have no problems with >>> TLSv1.3 but uses also TLSv1.2 with 'ECDHE-X25519' for >>> Lightningwirelabs. >>>=20 >>> Smells a little fishy and am not sure if it is a fate of an >>> individual. >>>=20 >>> Best, >>>=20 >>> Erik >>>=20 >>>>=20 >>>> Best, >>>> -Michael >>>>=20 >>>>> On 14 Feb 2019, at 06:57, ummeegge wrote: >>>>>=20 >>>>> Hi Michael, >>>>>=20 >>>>> On Mi, 2019-02-13 at 18:05 +0000, Michael Tremer wrote: >>>>>> Hi, >>>>>>=20 >>>>>> This is a bit weird. >>>>>=20 >>>>> Indeed. >>>>>=20 >>>>>>=20 >>>>>> Does the version of unbound support TLS 1.3? We had to update >>>>>> Apache >>>>>> to support TLS 1.3 and we had to just rebuild haproxy to >>>>>> support >>>>>> it, >>>>>> too. Since you are running a build of unbound that was built >>>>>> against >>>>>> OpenSSL 1.1.1 I would say the latter isn=E2=80=99t likely. >>>>>=20 >>>>> Yes unbound is linked agains OpenSSL-1.1.1a >>>>>=20 >>>>> Version 1.8.3 >>>>> linked libs: libevent 2.1.8-stable (it uses epoll), OpenSSL >>>>> 1.1.1a 20 Nov 2018 >>>>> linked modules: dns64 respip validator iterator >>>>>=20 >>>>> Have two machines here running which already includes the new >>>>> OpenSSL. >>>>> One machine uses the OpenSSL-1.1.1a from the first testing days >>>>> with >>>>> the old OpenSSL cipher patch and the other machine is on >>>>> current >>>>> origin/next state with the OpenSSL patch from Peter. >>>>>=20 >>>>> Have tried it today again and the old testing environment (old >>>>> patch) >>>>> seems to work now with TLSv1.3 even the last days it does >>>>> not... >>>>>=20 >>>>> Output from (let=C2=B4s call it) the old machine (with the old >>>>> OpenSSL >>>>> patch) with testing results from Quad9 Cloudflare and >>>>> Lightningwirelabs: >>>>>=20 >>>>> ;; DEBUG: Querying for owner(google.com.), class(1), type(1), >>>>> server(1.1.1.1), port(853), protocol(TCP) >>>>> ;; DEBUG: TLS, imported 128 certificates from >>>>> '/etc/ssl/certs/ca- >>>>> bundle.crt' >>>>> ;; DEBUG: TLS, received certificate hierarchy: >>>>> ;; DEBUG: #1, C=3DUS,ST=3DCalifornia,L=3DSan >>>>> Francisco,O=3DCloudflare\, >>>>> Inc.,CN=3Dcloudflare-dns.com >>>>> ;; DEBUG: SHA-256 PIN: >>>>> V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=3D >>>>> ;; DEBUG: #2, C=3DUS,O=3DDigiCert Inc,CN=3DDigiCert ECC Secure >>>>> Server CA >>>>> ;; DEBUG: SHA-256 PIN: >>>>> PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=3D >>>>> ;; DEBUG: TLS, skipping certificate PIN check >>>>> ;; DEBUG: TLS, The certificate is trusted.=20 >>>>> ;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1- >>>>> SHA256)- >>>>> (AES-256-GCM) >>>>> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 53912 >>>>> ;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; >>>>> ADDITIONAL: >>>>> 1 >>>>>=20 >>>>>=20 >>>>>=20 >>>>> ;; DEBUG: Querying for owner(google.com.), class(1), type(1), >>>>> server(9.9.9.9), port(853), protocol(TCP) >>>>> ;; DEBUG: TLS, imported 128 certificates from >>>>> '/etc/ssl/certs/ca- >>>>> bundle.crt' >>>>> ;; DEBUG: TLS, received certificate hierarchy: >>>>> ;; DEBUG: #1, >>>>> C=3DUS,ST=3DCalifornia,L=3DBerkeley,O=3DQuad9,CN=3D*.quad9.net >>>>> ;; DEBUG: SHA-256 PIN: >>>>> /SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg=3D >>>>> ;; DEBUG: #2, C=3DUS,O=3DDigiCert Inc,CN=3DDigiCert ECC Secure >>>>> Server CA >>>>> ;; DEBUG: SHA-256 PIN: >>>>> PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=3D >>>>> ;; DEBUG: TLS, skipping certificate PIN check >>>>> ;; DEBUG: TLS, The certificate is trusted.=20 >>>>> ;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1- >>>>> SHA256)- >>>>> (AES-256-GCM) >>>>> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 7085 >>>>> ;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; >>>>> ADDITIONAL:=20 >>>>>=20 >>>>>=20 >>>>>=20 >>>>> ;; DEBUG: Querying for owner(google.com.), class(1), type(1), >>>>> server(81.3.27.54), port(853), protocol(TCP) >>>>> ;; DEBUG: TLS, imported 128 certificates from >>>>> '/etc/ssl/certs/ca- >>>>> bundle.crt' >>>>> ;; DEBUG: TLS, received certificate hierarchy: >>>>> ;; DEBUG: #1, CN=3Drec1.dns.lightningwirelabs.com >>>>> ;; DEBUG: SHA-256 PIN: >>>>> V3z1Ap2nDKAr7Htam2jLeVejkva3BA+vFJBEJpEemrc=3D >>>>> ;; DEBUG: #2, C=3DUS,O=3DLet's Encrypt,CN=3DLet's Encrypt Authority >>>>> X3 >>>>> ;; DEBUG: SHA-256 PIN: >>>>> YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=3D >>>>> ;; DEBUG: TLS, skipping certificate PIN check >>>>> ;; DEBUG: TLS, The certificate is trusted.=20 >>>>> ;; TLS session (TLS1.2)-(ECDHE-X25519)-(ECDSA-SHA512)- >>>>> (CHACHA20- >>>>> POLY1305) >>>>> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 33376 >>>>> ;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; >>>>> ADDITIONAL: >>>>> 1 >>>>>=20 >>>>>=20 >>>>>=20 >>>>> =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D >>>>> =3D=3D=3D=3D >>>>> =3D=3D=3D >>>>>=20 >>>>> Tests with the new machine (new OpenSSL patch): >>>>>=20 >>>>> ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1), >>>>> server(1.1.1.1), port(853), protocol(TCP) >>>>> ;; DEBUG: TLS, imported 135 certificates from >>>>> '/etc/ssl/certs/ca- >>>>> bundle.crt' >>>>> ;; DEBUG: TLS, received certificate hierarchy: >>>>> ;; DEBUG: #1, C=3DUS,ST=3DCalifornia,L=3DSan >>>>> Francisco,O=3DCloudflare\, >>>>> Inc.,CN=3Dcloudflare-dns.com >>>>> ;; DEBUG: SHA-256 PIN: >>>>> V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=3D >>>>> ;; DEBUG: #2, C=3DUS,O=3DDigiCert Inc,CN=3DDigiCert ECC Secure >>>>> Server CA >>>>> ;; DEBUG: SHA-256 PIN: >>>>> PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=3D >>>>> ;; DEBUG: TLS, skipping certificate PIN check >>>>> ;; DEBUG: TLS, The certificate is trusted.=20 >>>>> ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM) >>>>> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 11817 >>>>> ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; >>>>> ADDITIONAL: 1 >>>>>=20 >>>>>=20 >>>>> ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1), >>>>> server(9.9.9.9), port(853), protocol(TCP) >>>>> ;; DEBUG: TLS, imported 135 certificates from >>>>> '/etc/ssl/certs/ca- >>>>> bundle.crt' >>>>> ;; DEBUG: TLS, received certificate hierarchy: >>>>> ;; DEBUG: #1, >>>>> C=3DUS,ST=3DCalifornia,L=3DBerkeley,O=3DQuad9,CN=3D*.quad9.net >>>>> ;; DEBUG: SHA-256 PIN: >>>>> /SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg=3D >>>>> ;; DEBUG: #2, C=3DUS,O=3DDigiCert Inc,CN=3DDigiCert ECC Secure >>>>> Server CA >>>>> ;; DEBUG: SHA-256 PIN: >>>>> PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=3D >>>>> ;; DEBUG: TLS, skipping certificate PIN check >>>>> ;; DEBUG: TLS, The certificate is trusted.=20 >>>>> ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(CHACHA20- >>>>> POLY1305) >>>>> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 4679 >>>>> ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; >>>>> ADDITIONAL: 1 >>>>>=20 >>>>>=20 >>>>> ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1), >>>>> server(81.3.27.54), port(853), protocol(TCP) >>>>> ;; DEBUG: TLS, imported 135 certificates from >>>>> '/etc/ssl/certs/ca- >>>>> bundle.crt' >>>>> ;; DEBUG: TLS, received certificate hierarchy: >>>>> ;; DEBUG: #1, CN=3Drec1.dns.lightningwirelabs.com >>>>> ;; DEBUG: SHA-256 PIN: >>>>> V3z1Ap2nDKAr7Htam2jLeVejkva3BA+vFJBEJpEemrc=3D >>>>> ;; DEBUG: #2, C=3DUS,O=3DLet's Encrypt,CN=3DLet's Encrypt Authority >>>>> X3 >>>>> ;; DEBUG: SHA-256 PIN: >>>>> YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=3D >>>>> ;; DEBUG: TLS, skipping certificate PIN check >>>>> ;; DEBUG: TLS, The certificate is trusted.=20 >>>>> ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(CHACHA20- >>>>> POLY1305) >>>>> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 5685 >>>>> ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; >>>>> ADDITIONAL: 1 >>>>>=20 >>>>>=20 >>>>>=20 >>>>> Lightningwirelabs uses on the old machine also ECDHE-X25519 , >>>>> the >>>>> new >>>>> one only ECDHE-ECDSA-SECP256R1 . >>>>>=20 >>>>>=20 >>>>> What it makes even more worse is that i=C2=B4d compiled origin/next >>>>> a >>>>> couple >>>>> of days ago with the old OpenSSL patch to see if the problem >>>>> comes >>>>> from >>>>> there but with the same results (no TLSv1.3). >>>>>=20 >>>>> May the providers did disabled TLSv1.3 for a couple of days >>>>> since >>>>> at >>>>> that time my old machine have had the same TLSv1.2 results ??? >>>>>=20 >>>>> Am currently not sure what happens here. >>>>>=20 >>>>>=20 >>>>> Best, >>>>>=20 >>>>> Erik >>>>>=20 >>>>>=20 >>>>>=20 >>>>>>=20 >>>>>> -Michael >>>>>>=20 >>>>>>> On 10 Feb 2019, at 14:15, ummeegge >>>>>>> wrote: >>>>>>>=20 >>>>>>> Hi all, >>>>>>> did an fresh install from origin/next of Core 128 with the >>>>>>> new >>>>>>> OpenSSL- >>>>>>> 1.1.1a . Have checked also DNS-over-TLS which works well >>>>>>> but >>>>>>> kdig >>>>>>> points out that the TLS sessions operates only with TLSv1.2 >>>>>>> instaed >>>>>>> of >>>>>>> the new delivered TLSv1.3 . >>>>>>>=20 >>>>>>> A test with Cloudflair (which uses TLSv1.3) looks like this >>>>>>> --> >>>>>>>=20 >>>>>>> kdig Test: >>>>>>>=20 >>>>>>>=20 >>>>>>> ;; DEBUG: Querying for owner(www.isoc.org.), class(1), >>>>>>> type(1), >>>>>>> server(1.1.1.1), port(853), protocol(TCP) >>>>>>> ;; DEBUG: TLS, imported 135 certificates from >>>>>>> '/etc/ssl/certs/ca- >>>>>>> bundle.crt' >>>>>>> ;; DEBUG: TLS, received certificate hierarchy: >>>>>>> ;; DEBUG: #1, C=3DUS,ST=3DCalifornia,L=3DSan >>>>>>> Francisco,O=3DCloudflare\, >>>>>>> Inc.,CN=3Dcloudflare-dns.com >>>>>>> ;; DEBUG: SHA-256 PIN: >>>>>>> V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=3D >>>>>>> ;; DEBUG: #2, C=3DUS,O=3DDigiCert Inc,CN=3DDigiCert ECC Secure >>>>>>> Server CA >>>>>>> ;; DEBUG: SHA-256 PIN: >>>>>>> PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=3D >>>>>>> ;; DEBUG: TLS, skipping certificate PIN check >>>>>>> ;; DEBUG: TLS, The certificate is trusted.=20 >>>>>>> ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256- >>>>>>> GCM) >>>>>>> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 51175 >>>>>>> ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; >>>>>>> ADDITIONAL: 1 >>>>>>>=20 >>>>>>> ;; EDNS PSEUDOSECTION: >>>>>>> ;; Version: 0; flags: do; UDP size: 1452 B; ext-rcode: >>>>>>> NOERROR >>>>>>> ;; PADDING: 239 B >>>>>>>=20 >>>>>>> ;; QUESTION SECTION: >>>>>>> ;; www.isoc.org. IN A >>>>>>>=20 >>>>>>> ;; ANSWER SECTION: >>>>>>> www.isoc.org. 300 IN A 46.43.36.22 >>>>>>> 2 >>>>>>> www.isoc.org. 300 IN RRSIG A 7 3 300 >>>>>>> 20190224085001 20190210085001 45830 isoc.org. >>>>>>> g64C7zJUL1zqUBbcZVDcEKO05EHz19ZHwxr4i8kTieW8XgX63lLZwhJTL1U >>>>>>> K0Nx >>>>>>> OGCP >>>>>>> OZSVthWBp9HF9WnFjPsxsfkrxkOoz/Hcl1ZuTpWUTBLfBKqnpPJm2NJ2yoR >>>>>>> 7hPe >>>>>>> rUvt >>>>>>> l0sHJnIOczrHnAlCwZBo8OOw9tlW0va+706ZQ=3D >>>>>>>=20 >>>>>>> ;; Received 468 B >>>>>>> ;; Time 2019-02-10 12:40:19 CET >>>>>>> ;; From 1.1.1.1(a)853(TCP) in 18.0 ms >>>>>>>=20 >>>>>>>=20 >>>>>>>=20 >>>>>>> And a test with s_client: >>>>>>>=20 >>>>>>> [root(a)ipfire tmp]# openssl s_client -connect 1.1.1.1:853 >>>>>>> CONNECTED(00000003) >>>>>>> depth=3D2 C =3D US, O =3D DigiCert Inc, OU =3D www.digicert.com, CN >>>>>>> =3D >>>>>>> DigiCert Global Root CA >>>>>>> verify return:1 >>>>>>> depth=3D1 C =3D US, O =3D DigiCert Inc, CN =3D DigiCert ECC Secure >>>>>>> Server >>>>>>> CA >>>>>>> verify return:1 >>>>>>> depth=3D0 C =3D US, ST =3D California, L =3D San Francisco, O =3D >>>>>>> "Cloudflare, Inc.", CN =3D cloudflare-dns.com >>>>>>> verify return:1 >>>>>>> --- >>>>>>> Certificate chain >>>>>>> 0 s:C =3D US, ST =3D California, L =3D San Francisco, O =3D >>>>>>> "Cloudflare, >>>>>>> Inc.", CN =3D cloudflare-dns.com >>>>>>> i:C =3D US, O =3D DigiCert Inc, CN =3D DigiCert ECC Secure Server >>>>>>> CA >>>>>>> 1 s:C =3D US, O =3D DigiCert Inc, CN =3D DigiCert ECC Secure >>>>>>> Server >>>>>>> CA >>>>>>> i:C =3D US, O =3D DigiCert Inc, OU =3D www.digicert.com, CN =3D >>>>>>> DigiCert >>>>>>> Global Root CA >>>>>>> --- >>>>>>> Server certificate >>>>>>> -----BEGIN CERTIFICATE----- >>>>>>> MIIFxjCCBUygAwIBAgIQAczjGN6fVn+rKySQH62nHTAKBggqhkjOPQQDAjB >>>>>>> MMQs >>>>>>> w >>>>>>> CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSYwJAYDVQQDEx1 >>>>>>> EaWd >>>>>>> p >>>>>>> Q2VydCBFQ0MgU2VjdXJlIFNlcnZlciBDQTAeFw0xOTAxMjgwMDAwMDBaFw0 >>>>>>> yMTA >>>>>>> y >>>>>>> MDExMjAwMDBaMHIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybml >>>>>>> hMRY >>>>>>> w >>>>>>> FAYDVQQHEw1TYW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZGZsYXJlLCB >>>>>>> JbmM >>>>>>> u >>>>>>> MRswGQYDVQQDExJjbG91ZGZsYXJlLWRucy5jb20wWTATBgcqhkjOPQIBBgg >>>>>>> qhkj >>>>>>> O >>>>>>> PQMBBwNCAATFIHCMIEJQKB59REF8MHkpHGNeHUSbxfdxOive0qKksWw9ash >>>>>>> 3uMu >>>>>>> P >>>>>>> LlBT/fQYJn9hN+3/wr7pC125fuHfHOJ0o4ID6DCCA+QwHwYDVR0jBBgwFoA >>>>>>> Uo53 >>>>>>> m >>>>>>> H/naOU/AbuiRy5Wl2jHiCp8wHQYDVR0OBBYEFHCV3FyjjmYH28uBEMar58O >>>>>>> oRX+ >>>>>>> g >>>>>>> MIGsBgNVHREEgaQwgaGCEmNsb3VkZmxhcmUtZG5zLmNvbYIUKi5jbG91ZGZ >>>>>>> sYXJ >>>>>>> l >>>>>>> LWRucy5jb22CD29uZS5vbmUub25lLm9uZYcEAQEBAYcEAQAAAYcEop+ENYc >>>>>>> QJgZ >>>>>>> H >>>>>>> AEcAAAAAAAAAAAAREYcQJgZHAEcAAAAAAAAAAAAQAYcQJgZHAEcAAAAAAAA >>>>>>> AAAA >>>>>>> A >>>>>>> ZIcQJgZHAEcAAAAAAAAAAABkAIcEop8kAYcEop8uATAOBgNVHQ8BAf8EBAM >>>>>>> CB4A >>>>>>> w >>>>>>> HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGkGA1UdHwRiMGAwLqA >>>>>>> soCq >>>>>>> G >>>>>>> KGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9zc2NhLWVjYy1nMS5jcmwwLqA >>>>>>> soCq >>>>>>> G >>>>>>> KGh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zc2NhLWVjYy1nMS5jcmwwTAY >>>>>>> DVR0 >>>>>>> g >>>>>>> BEUwQzA3BglghkgBhv1sAQEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3c >>>>>>> uZGl >>>>>>> n >>>>>>> aWNlcnQuY29tL0NQUzAIBgZngQwBAgIwewYIKwYBBQUHAQEEbzBtMCQGCCs >>>>>>> GAQU >>>>>>> F >>>>>>> BzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRQYIKwYBBQUHMAKGOWh >>>>>>> 0dHA >>>>>>> 6 >>>>>>> Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEVDQ1NlY3VyZVNlcnZ >>>>>>> lckN >>>>>>> B >>>>>>> LmNydDAMBgNVHRMBAf8EAjAAMIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWg >>>>>>> AdgC >>>>>>> k >>>>>>> uQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3cEAAAAWiVHhSLAAAEAwB >>>>>>> HMEU >>>>>>> C >>>>>>> IQDlnoPeMXtFkRsy3Vs0eovk3ILKt01x6bgUdMlmQTFIvAIgcAn0lFSjiGz >>>>>>> Hm2e >>>>>>> O >>>>>>> jDZJzMiP5Uaj0Jwub9GO8RkxkkoAdQCHdb/nWXz4jEOZX73zbv9WjUdWNv9 >>>>>>> KtWD >>>>>>> B >>>>>>> tOr/XqCDDwAAAWiVHhVsAAAEAwBGMEQCIFC0n0JModeol8b/Qicxd5Blf/o >>>>>>> 7xOs >>>>>>> / >>>>>>> Bk0j9hdc5N7jAiAQocYnHL9iMqTtFkh0vmSsII5NbiakM/2yDEXnwkPRvAB >>>>>>> 3ALv >>>>>>> Z >>>>>>> 37wfinG1k5Qjl6qSe0c4V5UKq1LoGpCWZDaOHtGFAAABaJUeFJEAAAQDAEg >>>>>>> wRgI >>>>>>> h >>>>>>> AL3OPTBzOZpS5rS/uLzqMOiACCFQyY+mTJ+L0I9TcB3RAiEA4+SiPz0/5kF >>>>>>> xvrk >>>>>>> 7 >>>>>>> AKYKdvelgV1hiiPbM2YHY+/0BIkwCgYIKoZIzj0EAwIDaAAwZQIwez76hX2 >>>>>>> HTMu >>>>>>> r >>>>>>> /I3XRuwfdmVoa8J6ZVEVq+AZsE7DyQh7AV4WNLU+092BrPbnyVUFAjEAzUf >>>>>>> 5jdz >>>>>>> 1 >>>>>>> pyc74lgOunC7LBE6cPtWbzfGpJiYyT/T+c5eIAwRYziKT0DKbaql7tiZ >>>>>>> -----END CERTIFICATE----- >>>>>>> subject=3DC =3D US, ST =3D California, L =3D San Francisco, O =3D >>>>>>> "Cloudflare, Inc.", CN =3D cloudflare-dns.com >>>>>>>=20 >>>>>>> issuer=3DC =3D US, O =3D DigiCert Inc, CN =3D DigiCert ECC Secure >>>>>>> Server CA >>>>>>>=20 >>>>>>> --- >>>>>>> No client certificate CA names sent >>>>>>> Peer signing digest: SHA256 >>>>>>> Peer signature type: ECDSA >>>>>>> Server Temp Key: X25519, 253 bits >>>>>>> --- >>>>>>> SSL handshake has read 2787 bytes and written 421 bytes >>>>>>> Verification: OK >>>>>>> --- >>>>>>> New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256 >>>>>>> Server public key is 256 bit >>>>>>> Secure Renegotiation IS NOT supported >>>>>>> Compression: NONE >>>>>>> Expansion: NONE >>>>>>> No ALPN negotiated >>>>>>> Early data was not sent >>>>>>> Verify return code: 0 (ok) >>>>>>> --- >>>>>>> --- >>>>>>> Post-Handshake New Session Ticket arrived: >>>>>>> SSL-Session: >>>>>>> Protocol : TLSv1.3 >>>>>>> Cipher : TLS_CHACHA20_POLY1305_SHA256 >>>>>>> Session-ID: >>>>>>> FAA394DF4959235034E350399A968F5C945D413F68CC5D29191B2099007 >>>>>>> 35C0 >>>>>>> 1 >>>>>>> Session-ID-ctx:=20 >>>>>>> Resumption PSK: >>>>>>> 414F9C16B3D4845BC0592B35CC2D28DBD9B807BCBCB95125870379E1AAA >>>>>>> 480C >>>>>>> 7 >>>>>>> PSK identity: None >>>>>>> PSK identity hint: None >>>>>>> TLS session ticket lifetime hint: 21600 (seconds) >>>>>>> TLS session ticket: >>>>>>> 0000 - 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 >>>>>>> 00 ................ >>>>>>> 0010 - 8f 9b bb d1 0a 9e a6 0d-df d3 9d 7d 8f c1 f1 >>>>>>> 6b ...........}...k >>>>>>> 0020 - 00 80 31 55 77 a3 b3 5c-fe 90 11 fb 8c ef b1 >>>>>>> 23 ..1Uw..\.......# >>>>>>> 0030 - 9c 88 83 b0 33 5d 84 d6-1a 75 db 68 67 fb 57 >>>>>>> 3d ....3]...u.hg.W=3D >>>>>>> 0040 - ef 71 6b 7f 22 ae fa bf-d7 0d 12 37 62 69 01 >>>>>>> ff .qk."......7bi.. >>>>>>> 0050 - 5a 78 29 97 8e ab a4 8e-e0 83 ab 0f 63 fa b4 >>>>>>> d9 Zx).........c... >>>>>>> 0060 - 3b 08 70 38 56 db 6a 43-8c d3 e4 de 5d 1e 7e >>>>>>> cb ;.p8V.jC....].~. >>>>>>> 0070 - 82 63 08 cd 31 71 61 17-44 a1 98 87 8a a5 43 >>>>>>> 06 .c..1qa.D.....C. >>>>>>> 0080 - d1 f8 aa a7 ba 3e 99 32-a9 f8 a6 14 46 bd a2 >>>>>>> 0e .....>.2....F... >>>>>>> 0090 - 74 79 fa 24 c5 5c a2 12-81 cb 2c 85 4b 91 c1 >>>>>>> 1b ty.$.\....,.K... >>>>>>> 00a0 - 7d c3 3d c9 6a 58 12 4e-41 b7 eb 29 9e b6 90 >>>>>>> 07 }.=3D.jX.NA..).... >>>>>>> 00b0 - e1 92 dd 8d 44 >>>>>>> 69 ....Di >>>>>>>=20 >>>>>>> Start Time: 1549799117 >>>>>>> Timeout : 7200 (sec) >>>>>>> Verify return code: 0 (ok) >>>>>>> Extended master secret: no >>>>>>> Max Early Data: 0 >>>>>>> --- >>>>>>> read R BLOCK >>>>>>> closed >>>>>>>=20 >>>>>>>=20 >>>>>>> Which seems strange to me since Cloudflair offers TLSv1.3 >>>>>>> but >>>>>>> unbound initializes only TLSv1.2 . >>>>>>>=20 >>>>>>> Have check all working DoT servers from here -->=20 >>>>>>>=20 > https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers >>>>>>> too, >>>>>>> but no TLSv1.3 at all... >>>>>>>=20 >>>>>>>=20 >>>>>>> Did someone have similar behaviors ? >>>>>>>=20 >>>>>>> Best, >>>>>>>=20 >>>>>>> Erik >>>>>>>=20 >>>>>>>=20 >>>>>>>=20 >>>>>>>=20 >>>>>>=20 >>>>>>=20 >>>>=20 >>>>=20 >>=20 >>=20 >=20 --===============2961522554069089862==--