From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: OpenSSL-1.1.1a - No TLSv1.3 with unbound
Date: Tue, 05 Mar 2019 17:23:51 +0000
Message-ID: <6FB7E1F2-19F2-4BBC-8509-FA9FBA5A2C44@ipfire.org>

Hey,

Do you have any additional settings apart from the IPFire default unbound configuration?

-Michael

> On 5 Mar 2019, at 17:17, ummeegge wrote:
>
> Hi all,
> really was hoping that things are changing with the testings of Core
> 128 and was then happy to see that OpenSSL-1.1.1b addresses a potential
> problem/solution -->
> https://www.openssl.org/news/changelog.html#x1
> but it doesn't...
> Have currently Core 129 with unbound -1.9.0 and OpenSSL-1.1.1b
> installed -->
>
> Version 1.9.0
> linked libs: libevent 2.1.8-stable (it uses epoll), OpenSSL 1.1.1b 26 Feb 2019
> linked modules: dns64 respip validator iterator
> BSD licensed, see LICENSE in source package for details.
> Report bugs to unbound-bugs(a)nlnetlabs.nl
>
> but (only?) unbound uses no TLSv1.3 (curl and Apache do), tested with Quad9 and Cloudflare -->
>
>
> ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1), server(9.9.9.9), port(853), protocol(TCP)
> ;; DEBUG: TLS, imported 135 certificates from '/etc/ssl/certs/ca-bundle.crt'
> ;; DEBUG: TLS, received certificate hierarchy:
> ;; DEBUG: #1, C=US,ST=California,L=Berkeley,O=Quad9,CN=*.quad9.net
> ;; DEBUG: SHA-256 PIN: /SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg=
> ;; DEBUG: #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
> ;; DEBUG: SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
> ;; DEBUG: TLS, skipping certificate PIN check
> ;; DEBUG: TLS, The certificate is trusted.
> ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(CHACHA20-POLY1305)
> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 10011
> ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1
>
> ;; EDNS PSEUDOSECTION:
> ;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: NOERROR
>
> ;; QUESTION SECTION:
> ;; www.isoc.org. IN A
>
> ;; ANSWER SECTION:
> www.isoc.org. 300 IN A 46.43.36.222
> www.isoc.org. 300 IN RRSIG A 7 3 300 20190319085001 20190305085001 54512 isoc.org. Mapbxw7G2F4QRTgrFg9P2uA2GYz2YnJIQu58t9MRdQJi4MU2EJeWqCRdUpy0kCHVCxDcDln9u+hnlF271IjZG/fTPGhw0A4bgCtHXXqAr/89b83maNRuYw/DVO4JI20z4+7TYY18yQinutvZUvzobmUebXVPWhNsRPLHbb4tOeI=
>
> ;; Received 225 B
> ;; Time 2019-03-05 18:09:18 CET
> ;; From 9.9.9.9(a)853(TCP) in 142.4 ms
>
> Exit status: 0
>
> ========================================================================================================================
>
> ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
> ;; DEBUG: TLS, imported 135 certificates from '/etc/ssl/certs/ca-bundle.crt'
> ;; DEBUG: TLS, received certificate hierarchy:
> ;; DEBUG: #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
> ;; DEBUG: SHA-256 PIN: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
> ;; DEBUG: #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
> ;; DEBUG: SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
> ;; DEBUG: TLS, skipping certificate PIN check
> ;; DEBUG: TLS, The certificate is trusted.
> ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 24241
> ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1
>
> ;; EDNS PSEUDOSECTION:
> ;; Version: 0; flags: do; UDP size: 1452 B; ext-rcode: NOERROR
> ;; PADDING: 239 B
>
> ;; QUESTION SECTION:
> ;; www.isoc.org. IN A
>
> ;; ANSWER SECTION:
> www.isoc.org. 300 IN A 46.43.36.222
> www.isoc.org. 300 IN RRSIG A 7 3 300 20190319085001 20190305085001 54512 isoc.org. Mapbxw7G2F4QRTgrFg9P2uA2GYz2YnJIQu58t9MRdQJi4MU2EJeWqCRdUpy0kCHVCxDcDln9u+hnlF271IjZG/fTPGhw0A4bgCtHXXqAr/89b83maNRuYw/DVO4JI20z4+7TYY18yQinutvZUvzobmUebXVPWhNsRPLHbb4tOeI=
>
> ;; Received 468 B
> ;; Time 2019-03-05 18:09:24 CET
> ;; From 1.1.1.1(a)853(TCP) in 19.3 ms
>
> Exit status: 0
>
>
> whereby my "old" machine with unbound -->
> Version 1.8.1
> linked libs: libevent 2.1.8-stable (it uses epoll), OpenSSL 1.1.1a 20 Nov 2018
> linked modules: dns64 respip validator iterator
> BSD licensed, see LICENSE in source package for details.
> Report bugs to unbound-bugs(a)nlnetlabs.nl
>
> uses it -->
>
>
>
> ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
> ;; DEBUG: TLS, imported 128 certificates from '/etc/ssl/certs/ca-bundle.crt'
> ;; DEBUG: TLS, received certificate hierarchy:
> ;; DEBUG: #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
> ;; DEBUG: SHA-256 PIN: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
> ;; DEBUG: #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
> ;; DEBUG: SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
> ;; DEBUG: TLS, skipping certificate PIN check
> ;; DEBUG: TLS, The certificate is trusted.
> ;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 5997
> ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1
>
> ;; EDNS PSEUDOSECTION:
> ;; Version: 0; flags: do; UDP size: 1452 B; ext-rcode: NOERROR
> ;; PADDING: 239 B
>
> ;; QUESTION SECTION:
> ;; www.isoc.org. IN A
>
> ;; ANSWER SECTION:
> www.isoc.org. 158 IN A 46.43.36.222
> www.isoc.org. 158 IN RRSIG A 7 3 300 20190319085001 20190305085001 54512 isoc.org. Mapbxw7G2F4QRTgrFg9P2uA2GYz2YnJIQu58t9MRdQJi4MU2EJeWqCRdUpy0kCHVCxDcDln9u+hnlF271IjZG/fTPGhw0A4bgCtHXXqAr/89b83maNRuYw/DVO4JI20z4+7TYY18yQinutvZUvzobmUebXVPWhNsRPLHbb4tOeI=
>
> ;; Received 468 B
> ;; Time 2019-03-05 18:11:44 CET
> ;; From 1.1.1.1(a)853(TCP) in 47.5 ms
>
> Exit status: 0
>
> =======================================================================
>
>
> ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1),
> server(9.9.9.9), port(853), protocol(TCP)
> ;; DEBUG: TLS, imported 128 certificates from '/etc/ssl/certs/ca-
> bundle.crt'
> ;; DEBUG: TLS, received certificate hierarchy:
> ;; DEBUG: #1, C=US,ST=California,L=Berkeley,O=Quad9,CN=*.quad9.net
> ;; DEBUG: SHA-256 PIN:
> /SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg=
> ;; DEBUG: #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
> ;; DEBUG: SHA-256 PIN:
> PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
> ;; DEBUG: TLS, skipping certificate PIN check
> ;; DEBUG: TLS, The certificate is trusted.
> ;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-
> (AES-256-GCM)
> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 13744
> ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1
>
> ;; EDNS PSEUDOSECTION:
> ;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: NOERROR
>
> ;; QUESTION SECTION:
> ;; www.isoc.org. IN A
>
> ;; ANSWER SECTION:
> www.isoc.org. 300 IN A 46.43.36.222
> www.isoc.org. 300 IN RRSIG A 7 3 300
> 20190319085001 20190305085001 54512 isoc.org.
> Mapbxw7G2F4QRTgrFg9P2uA2GYz2YnJIQu58t9MRdQJi4MU2EJeWqCRdUpy0kCHVCxDcDln
> 9u+hnlF271IjZG/fTPGhw0A4bgCtHXXqAr/89b83maNRuYw/DVO4JI20z4+7TYY18yQinut
> vZUvzobmUebXVPWhNsRPLHbb4tOeI=
>
> ;; Received 225 B
> ;; Time 2019-03-05 18:11:44 CET
> ;; From 9.9.9.9(a)853(TCP) in 286.9 ms
>
> Exit status: 0
>
>
> Haven't found a reason for this until now! Maybe someone else did some
> tests/has an idea?
>
>
> Best,
>
> Erik
>
>
>
> On So, 2019-02-10 at 15:15 +0100, ummeegge wrote:
>> Hi all,
>> did a fresh install from origin/next of Core 128 with the new
>> OpenSSL-1.1.1a. Have checked also DNS-over-TLS which works well but kdig
>> points out that the TLS session operates only with TLSv1.2 instead of
>> the new delivered TLSv1.3.
>>
>> A test with Cloudflare (which uses TLSv1.3) looks like this -->
>>
>> kdig Test:
>>
>>
>> ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1),
>> server(1.1.1.1), port(853), protocol(TCP)
>> ;; DEBUG: TLS, imported 135 certificates from '/etc/ssl/certs/ca-
>> bundle.crt'
>> ;; DEBUG: TLS, received certificate hierarchy:
>> ;; DEBUG: #1, C=US,ST=California,L=San Francisco,O=Cloudflare\,
>> Inc.,CN=cloudflare-dns.com
>> ;; DEBUG: SHA-256 PIN:
>> V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
>> ;; DEBUG: #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
>> ;; DEBUG: SHA-256 PIN:
>> PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
>> ;; DEBUG: TLS, skipping certificate PIN check
>> ;; DEBUG: TLS, The certificate is trusted.
>> ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
>> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 51175
>> ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL:
>> 1
>>
>> ;; EDNS PSEUDOSECTION:
>> ;; Version: 0; flags: do; UDP size: 1452 B; ext-rcode: NOERROR
>> ;; PADDING: 239 B
>>
>> ;; QUESTION SECTION:
>> ;; www.isoc.org. IN A
>>
>> ;; ANSWER SECTION:
>> www.isoc.org. 300 IN A 46.43.36.222
>> www.isoc.org. 300 IN RRSIG A 7 3 300
>> 20190224085001 20190210085001 45830 isoc.org.
>> g64C7zJUL1zqUBbcZVDcEKO05EHz19ZHwxr4i8kTieW8XgX63lLZwhJTL1UK0NxOGCPOZ
>> SVthWBp9HF9WnFjPsxsfkrxkOoz/Hcl1ZuTpWUTBLfBKqnpPJm2NJ2yoR7hPerUvtl0sH
>> JnIOczrHnAlCwZBo8OOw9tlW0va+706ZQ=
>>
>> ;; Received 468 B
>> ;; Time 2019-02-10 12:40:19 CET
>> ;; From 1.1.1.1(a)853(TCP) in 18.0 ms
>>
>>
>>
>> And a test with s_client:
>>
>> [root(a)ipfire tmp]# openssl s_client -connect 1.1.1.1:853
>> CONNECTED(00000003)
>> depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN =
>> DigiCert Global Root CA
>> verify return:1
>> depth=1 C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
>> verify return:1
>> depth=0 C = US, ST = California, L = San Francisco, O = "Cloudflare,
>> Inc.", CN = cloudflare-dns.com
>> verify return:1
>> ---
>> Certificate chain
>> 0 s:C = US, ST = California, L = San Francisco, O = "Cloudflare,
>> Inc.", CN = cloudflare-dns.com
>> i:C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
>> 1 s:C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
>> i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert
>> Global Root CA
>> ---
>> Server certificate
>> subject=C = US, ST = California, L = San Francisco, O = "Cloudflare,
>> Inc.", CN = cloudflare-dns.com
>>
>> issuer=C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
>>
>> ---
>> No client certificate CA names sent
>> Peer signing digest: SHA256
>> Peer signature type: ECDSA
>> Server Temp Key: X25519, 253 bits
>> ---
>> SSL handshake has read 2787 bytes and written 421 bytes
>> Verification: OK
>> ---
>> New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256
>> Server public key is 256 bit
>> Secure Renegotiation IS NOT supported
>> Compression: NONE
>> Expansion: NONE
>> No ALPN negotiated
>> Early data was not sent
>> Verify return code: 0 (ok)
>> ---
>> ---
>> Post-Handshake New Session Ticket arrived:
>> SSL-Session:
>> Protocol : TLSv1.3
>> Cipher : TLS_CHACHA20_POLY1305_SHA256
>> Session-ID:
>> FAA394DF4959235034E350399A968F5C945D413F68CC5D29191B209900735C01
>> Session-ID-ctx:
>> Resumption PSK:
>> 414F9C16B3D4845BC0592B35CC2D28DBD9B807BCBCB95125870379E1AAA480C7
>> PSK identity: None
>> PSK identity hint: None
>> TLS session ticket lifetime hint: 21600 (seconds)
>> TLS session ticket:
>>
>> Start Time: 1549799117
>> Timeout : 7200 (sec)
>> Verify return code: 0 (ok)
>> Extended master secret: no
>> Max Early Data: 0
>> ---
>> read R BLOCK
>> closed
>>
>>
>> Which seems strange to me since Cloudflare offers TLSv1.3 but unbound
>> initializes only TLSv1.2.
>>
>> Have checked all working DoT servers from here -->
>> https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers too,
>> but no TLSv1.3 at all...
>>
>>
>> Did someone have similar behaviors?
>>
>> Best,
>>
>> Erik
>>
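
Added example, not part of the original thread: a small parser for the kdig output quoted above. It pairs each ";; TLS session (...)" line with the ";; From <server>" line that follows it and lists the servers where the connection kdig made negotiated less than TLS 1.3. The function names are hypothetical and the sample is constructed from lines in the thread.

```python
import re

# Constructed sample, trimmed from the kdig runs quoted in this thread. Quote
# markers, a mail-wrapped session line and the archive's "(a)" for "@" are kept.
SAMPLE = """\
> ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(CHACHA20-POLY1305)
> ;; From 9.9.9.9(a)853(TCP) in 142.4 ms
> ;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-
> (AES-256-GCM)
> ;; From 1.1.1.1@853(TCP) in 47.5 ms
"""

QUOTE = re.compile(r"^(?:>\s?)+")
FROM = re.compile(r"^;; From ([0-9A-Fa-f.:]+)(?:@|\(a\))(\d+)\((\w+)\)")

def parse_kdig(text):
    """One record per kdig answer: server, port, protocol, other parameters."""
    lines = [QUOTE.sub("", raw).strip() for raw in text.splitlines()]
    records, session, i = [], [], 0
    while i < len(lines):
        line = lines[i]
        if line.startswith(";; TLS session"):
            # Rejoin a session line that a mail client wrapped after a "-".
            while line.endswith("-") and i + 1 < len(lines):
                i += 1
                line += lines[i]
            session = re.findall(r"\(([^)]*)\)", line)
        match = FROM.match(line)
        if match:
            records.append({
                "server": match.group(1),
                "port": int(match.group(2)),
                # None when no TLS session line was seen for this answer.
                "protocol": session[0] if session else None,
                "params": session[1:],
            })
            session = []
        i += 1
    return records

def tls_version(protocol):
    """Map 'TLS1.3' to (1, 3); anything unparsable sorts lowest."""
    m = re.fullmatch(r"TLS(\d+)\.(\d+)", protocol or "")
    return (int(m.group(1)), int(m.group(2))) if m else (0, 0)

def below_minimum(records, minimum="TLS1.3"):
    """Servers whose negotiated protocol is older than `minimum`."""
    floor = tls_version(minimum)
    return [r["server"] for r in records if tls_version(r["protocol"]) < floor]
```

The TLS 1.2 session line carries three groups and the TLS 1.3 line four, so the parser takes the first group as the protocol and keeps the rest as an ordered list.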