From: ummeegge
To: development@lists.ipfire.org
Subject: Re: OpenSSL-1.1.1a - No TLSv1.3 with unbound
Date: Thu, 07 Mar 2019 10:05:50 +0100
Message-ID: <527b00804a34cc97d4e3dc6dceb3a1d93e66b206.camel@ipfire.org>
In-Reply-To: <0161201C-AAF8-49B7-9764-F531DE3C17C0@ipfire.org>

Hi Michael,

On Thu, 2019-03-07 at 08:54 +0000, Michael Tremer wrote:
> Hi,
>
> Wait, so does that mean that unbound works with TLS 1.3 but kdig
> doesn’t?

Yes, strangely it looks like it. What makes it even more strange is that
on the other machine TLSv1.3 is also detected by kdig. But as you may
remember, some curves on the same servers were displayed differently on
both machines. tshark shows the same for Cloudflare, and other servers
that are not TLSv1.3-ready are also shown correctly with TLSv1.2.

But which one can be trusted now? Possibly tshark is a little more
trustworthy, IMHO.

I am currently building the new knot-2.8.0 version to check whether
things change there.

Best,

Erik

>
> -Michael
>
> > On 7 Mar 2019, at 04:16, ummeegge wrote:
> >
> > Hi,
> > I have now captured the traffic with tshark and it seems that unbound
> > does use TLSv1.3, but kdig seems to be the problem, which did not
> > reflect this. Shortened output:
> >
> > 5 0.017092078 192.168.25.13 → 9.9.9.9 TLSv1 405 Client Hello
> > 9 0.030988995 9.9.9.9 → 192.168.25.13 TLSv1.3 1506 Server Hello, Change Cipher Spec, Application Data
> > 10 0.031152498 9.9.9.9 → 192.168.25.13 TLSv1.3 1506 Application Data [TCP segment of a reassembled PDU]
> > 11 0.031305390 9.9.9.9 → 192.168.25.13 TLSv1.3 195 Application Data, Application Data
> > 12 0.032631746 192.168.25.13 → 9.9.9.9 TCP 66 49708 → 853 [ACK] Seq=340 Ack=1441 Win=32256 Len=0 TSval=1081350533 TSecr=3653489529
> > 13 0.032703370 192.168.25.13 → 9.9.9.9 TCP 66 49708 → 853 [ACK] Seq=340 Ack=2881 Win=35328 Len=0 TSval=1081350533 TSecr=3653489529
> > 14 0.032834733 192.168.25.13 → 9.9.9.9 TCP 66 49708 → 853 [ACK] Seq=340 Ack=3010 Win=37888 Len=0 TSval=1081350534 TSecr=3653489529
> > 16 0.048498506 192.168.25.13 → 9.9.9.9 TLSv1.3 146 Change Cipher Spec, Application Data
> > 26 0.061705575 9.9.9.9 → 192.168.25.13 TLSv1.3 145 Application Data
> > 27 0.061814933 9.9.9.9 → 192.168.25.13 TLSv1.3 145 Application Data
> > 28 0.062346891 192.168.25.13 → 9.9.9.9 TLSv1.3 135 Application Data
> > 31 0.093868737 9.9.9.9 → 192.168.25.13 TLSv1.3 1374 Application Data
> > 32 0.094863556 192.168.25.13 → 9.9.9.9 TCP 66 49708 → 853 [ACK] Seq=489 Ack=4476 Win=40960 Len=0 TSval=1081350596 TSecr=3653489561
> > 34 0.095815051 192.168.25.13 → 9.9.9.9 TLSv1.3 90 Application Data
> > 35 0.095889061 192.168.25.13 → 9.9.9.9 TCP 66 49708 → 853 [FIN, ACK] Seq=513 Ack=4476 Win=40960 Len=0 TSval=1081350597 TSecr=3653489561
> > 39 0.106144908 192.168.25.13 → 9.9.9.9 TCP 74 49712 → 853 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1081350607 TSecr=0 WS=512
> > 42 0.108875164 9.9.9.9 → 192.168.25.13 TLSv1.3 90 Application Data
> > 43 0.109334250 9.9.9.9 → 192.168.25.13 TCP 66 853 → 49708 [FIN, ACK] Seq=4500 Ack=514 Win=30208 Len=0 TSval=3653489608 TSecr=1081350596
> > 44 0.109656164 192.168.25.13 → 9.9.9.9 TCP 54 49708 → 853 [RST] Seq=514 Win=0 Len=0
> > 45 0.109961291 192.168.25.13 → 9.9.9.9 TCP 54 49708 → 853 [RST] Seq=514 Win=0 Len=0
> > 49 0.118048710 9.9.9.9 → 192.168.25.13 TCP 74 853 → 49712 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1452 SACK_PERM=1 TSval=3653489618 TSecr=1081350607 WS=256
> > 50 0.119914237 192.168.25.13 → 9.9.9.9 TCP 66 49712 → 853 [ACK] Seq=1 Ack=1 Win=29696 Len=0 TSval=1081350620 TSecr=3653489618
> > 51 0.120180988 192.168.25.13 → 9.9.9.9 TLSv1 405 Client Hello
> >
> > So forget about this subject, but thanks for sharing your opinions.
> >
> > I will check whether I can find something in the knot section...
> >
> >
> > Best,
> >
> > Erik
> >
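
The capture quoted in this message labels the Server Hello as TLSv1.3, so as an added example (not part of the original thread) here is a Python check that reads the negotiated version from a ServerHello record: a TLS 1.3 ServerHello keeps 0x0303 in its record and legacy_version fields and carries the selected version in the supported_versions extension. The function names and the sample records are assumptions of this example; the records are constructed, not taken from the capture.

```python
import struct

VERSIONS = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
EXT_SUPPORTED_VERSIONS = 0x002B  # carries selected_version in a TLS 1.3 ServerHello


def negotiated_version(record: bytes) -> str:
    """Return the version selected by one complete ServerHello record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _legacy_record_version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 0x16 or len(body) != rec_len or len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a complete ServerHello record")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("ServerHello spans several records")
    try:
        version = struct.unpack_from("!H", hello, 0)[0]   # legacy_version
        pos = 2 + 32                                      # skip version + random
        pos += 1 + hello[pos]                             # skip session id echo
        pos += 2 + 1                                      # skip suite + compression
        if pos < len(hello):                              # extensions present
            ext_end = pos + 2 + struct.unpack_from("!H", hello, pos)[0]
            pos += 2
            while pos + 4 <= min(ext_end, len(hello)):
                etype, elen = struct.unpack_from("!HH", hello, pos)
                if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
                    version = struct.unpack_from("!H", hello, pos + 4)[0]
                pos += 4 + elen
    except (struct.error, IndexError):
        raise ValueError("malformed ServerHello") from None
    return VERSIONS.get(version, hex(version))


def build_server_hello(suite: bytes, extensions: bytes) -> bytes:
    """Build a constructed sample record (not captured traffic)."""
    hello = b"\x03\x03" + bytes(32) + b"\x00" + suite + b"\x00"
    if extensions:
        hello += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake


# Constructed samples: both carry 0x0303 in the record and legacy_version fields.
TLS13_HELLO = build_server_hello(
    b"\x13\x01", struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, 0x0304))
TLS12_HELLO = build_server_hello(b"\xc0\x2f", b"")
```

A tool that reports only the record or legacy_version field would show both sample records as TLSv1.2, which is why the extension has to be inspected before concluding which version was negotiated.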