From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: Re: OpenSSL-1.1.1a - No TLSv1.3 with unbound Date: Thu, 14 Feb 2019 11:31:03 +0000 Message-ID: <99E760C0-99FD-4AC4-8584-6C4CAF37A906@ipfire.org> In-Reply-To: <6ea468fb09729b2d51ffc9cb01b101163b7d062a.camel@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============7111944099149455146==" List-Id: --===============7111944099149455146== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit Hey, I am getting this when I am connecting: New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384 Server public key is 384 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-ECDSA-AES256-GCM-SHA384 I did not configure anything else than the defaults. -Michael > On 14 Feb 2019, at 11:28, ummeegge wrote: > > Hi Michael, > > On Do, 2019-02-14 at 11:08 +0000, Michael Tremer wrote: >> Hi, >> >> Just for the protocol. The Lightning Wire Labs resolver currently >> only supports TLS 1.2. > yes i know but the strange thing is --> > >> >> Just in case you were expecting TLS 1.3 from it. > No not TLS 1.3 but 'ECDHE-X25519' . Strangely on the origin/next > machine where no TLSv1.3 is used it offers also only 'ECDHE-ECDSA- > SECP256R1' have wrote you that already in the 'Kicking of DoT' topic. > It seems somehow related to another. The other machine (old patch <-- > not sure if it has something to do with this) have no problems with > TLSv1.3 but uses also TLSv1.2 with 'ECDHE-X25519' for > Lightningwirelabs. > > Smells a little fishy and am not sure if it is a fate of an individual. > > Best, > > Erik > >> >> Best, >> -Michael >> >>> On 14 Feb 2019, at 06:57, ummeegge wrote: >>> >>> Hi Michael, >>> >>> On Mi, 2019-02-13 at 18:05 +0000, Michael Tremer wrote: >>>> Hi, >>>> >>>> This is a bit weird. >>> >>> Indeed. >>> >>>> >>>> Does the version of unbound support TLS 1.3? We had to update >>>> Apache >>>> to support TLS 1.3 and we had to just rebuild haproxy to support >>>> it, >>>> too. Since you are running a build of unbound that was built >>>> against >>>> OpenSSL 1.1.1 I would say the latter isn’t likely. >>> >>> Yes unbound is linked agains OpenSSL-1.1.1a >>> >>> Version 1.8.3 >>> linked libs: libevent 2.1.8-stable (it uses epoll), OpenSSL >>> 1.1.1a 20 Nov 2018 >>> linked modules: dns64 respip validator iterator >>> >>> Have two machines here running which already includes the new >>> OpenSSL. >>> One machine uses the OpenSSL-1.1.1a from the first testing days >>> with >>> the old OpenSSL cipher patch and the other machine is on current >>> origin/next state with the OpenSSL patch from Peter. >>> >>> Have tried it today again and the old testing environment (old >>> patch) >>> seems to work now with TLSv1.3 even the last days it does not... >>> >>> Output from (let´s call it) the old machine (with the old OpenSSL >>> patch) with testing results from Quad9 Cloudflare and >>> Lightningwirelabs: >>> >>> ;; DEBUG: Querying for owner(google.com.), class(1), type(1), >>> server(1.1.1.1), port(853), protocol(TCP) >>> ;; DEBUG: TLS, imported 128 certificates from '/etc/ssl/certs/ca- >>> bundle.crt' >>> ;; DEBUG: TLS, received certificate hierarchy: >>> ;; DEBUG: #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, >>> Inc.,CN=cloudflare-dns.com >>> ;; DEBUG: SHA-256 PIN: >>> V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU= >>> ;; DEBUG: #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA >>> ;; DEBUG: SHA-256 PIN: >>> PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw= >>> ;; DEBUG: TLS, skipping certificate PIN check >>> ;; DEBUG: TLS, The certificate is trusted. >>> ;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)- >>> (AES-256-GCM) >>> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 53912 >>> ;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: >>> 1 >>> >>> >>> >>> ;; DEBUG: Querying for owner(google.com.), class(1), type(1), >>> server(9.9.9.9), port(853), protocol(TCP) >>> ;; DEBUG: TLS, imported 128 certificates from '/etc/ssl/certs/ca- >>> bundle.crt' >>> ;; DEBUG: TLS, received certificate hierarchy: >>> ;; DEBUG: #1, C=US,ST=California,L=Berkeley,O=Quad9,CN=*.quad9.net >>> ;; DEBUG: SHA-256 PIN: >>> /SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg= >>> ;; DEBUG: #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA >>> ;; DEBUG: SHA-256 PIN: >>> PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw= >>> ;; DEBUG: TLS, skipping certificate PIN check >>> ;; DEBUG: TLS, The certificate is trusted. >>> ;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)- >>> (AES-256-GCM) >>> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 7085 >>> ;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: >>> >>> >>> >>> ;; DEBUG: Querying for owner(google.com.), class(1), type(1), >>> server(81.3.27.54), port(853), protocol(TCP) >>> ;; DEBUG: TLS, imported 128 certificates from '/etc/ssl/certs/ca- >>> bundle.crt' >>> ;; DEBUG: TLS, received certificate hierarchy: >>> ;; DEBUG: #1, CN=rec1.dns.lightningwirelabs.com >>> ;; DEBUG: SHA-256 PIN: >>> V3z1Ap2nDKAr7Htam2jLeVejkva3BA+vFJBEJpEemrc= >>> ;; DEBUG: #2, C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3 >>> ;; DEBUG: SHA-256 PIN: >>> YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg= >>> ;; DEBUG: TLS, skipping certificate PIN check >>> ;; DEBUG: TLS, The certificate is trusted. >>> ;; TLS session (TLS1.2)-(ECDHE-X25519)-(ECDSA-SHA512)-(CHACHA20- >>> POLY1305) >>> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 33376 >>> ;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: >>> 1 >>> >>> >>> >>> =================================================================== >>> === >>> >>> Tests with the new machine (new OpenSSL patch): >>> >>> ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1), >>> server(1.1.1.1), port(853), protocol(TCP) >>> ;; DEBUG: TLS, imported 135 certificates from '/etc/ssl/certs/ca- >>> bundle.crt' >>> ;; DEBUG: TLS, received certificate hierarchy: >>> ;; DEBUG: #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, >>> Inc.,CN=cloudflare-dns.com >>> ;; DEBUG: SHA-256 PIN: >>> V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU= >>> ;; DEBUG: #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA >>> ;; DEBUG: SHA-256 PIN: >>> PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw= >>> ;; DEBUG: TLS, skipping certificate PIN check >>> ;; DEBUG: TLS, The certificate is trusted. >>> ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM) >>> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 11817 >>> ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; >>> ADDITIONAL: 1 >>> >>> >>> ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1), >>> server(9.9.9.9), port(853), protocol(TCP) >>> ;; DEBUG: TLS, imported 135 certificates from '/etc/ssl/certs/ca- >>> bundle.crt' >>> ;; DEBUG: TLS, received certificate hierarchy: >>> ;; DEBUG: #1, C=US,ST=California,L=Berkeley,O=Quad9,CN=*.quad9.net >>> ;; DEBUG: SHA-256 PIN: >>> /SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg= >>> ;; DEBUG: #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA >>> ;; DEBUG: SHA-256 PIN: >>> PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw= >>> ;; DEBUG: TLS, skipping certificate PIN check >>> ;; DEBUG: TLS, The certificate is trusted. >>> ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(CHACHA20-POLY1305) >>> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 4679 >>> ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; >>> ADDITIONAL: 1 >>> >>> >>> ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1), >>> server(81.3.27.54), port(853), protocol(TCP) >>> ;; DEBUG: TLS, imported 135 certificates from '/etc/ssl/certs/ca- >>> bundle.crt' >>> ;; DEBUG: TLS, received certificate hierarchy: >>> ;; DEBUG: #1, CN=rec1.dns.lightningwirelabs.com >>> ;; DEBUG: SHA-256 PIN: >>> V3z1Ap2nDKAr7Htam2jLeVejkva3BA+vFJBEJpEemrc= >>> ;; DEBUG: #2, C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3 >>> ;; DEBUG: SHA-256 PIN: >>> YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg= >>> ;; DEBUG: TLS, skipping certificate PIN check >>> ;; DEBUG: TLS, The certificate is trusted. >>> ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(CHACHA20-POLY1305) >>> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 5685 >>> ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; >>> ADDITIONAL: 1 >>> >>> >>> >>> Lightningwirelabs uses on the old machine also ECDHE-X25519 , the >>> new >>> one only ECDHE-ECDSA-SECP256R1 . >>> >>> >>> What it makes even more worse is that i´d compiled origin/next a >>> couple >>> of days ago with the old OpenSSL patch to see if the problem comes >>> from >>> there but with the same results (no TLSv1.3). >>> >>> May the providers did disabled TLSv1.3 for a couple of days since >>> at >>> that time my old machine have had the same TLSv1.2 results ??? >>> >>> Am currently not sure what happens here. >>> >>> >>> Best, >>> >>> Erik >>> >>> >>> >>>> >>>> -Michael >>>> >>>>> On 10 Feb 2019, at 14:15, ummeegge wrote: >>>>> >>>>> Hi all, >>>>> did an fresh install from origin/next of Core 128 with the new >>>>> OpenSSL- >>>>> 1.1.1a . Have checked also DNS-over-TLS which works well but >>>>> kdig >>>>> points out that the TLS sessions operates only with TLSv1.2 >>>>> instaed >>>>> of >>>>> the new delivered TLSv1.3 . >>>>> >>>>> A test with Cloudflair (which uses TLSv1.3) looks like this --> >>>>> >>>>> kdig Test: >>>>> >>>>> >>>>> ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1), >>>>> server(1.1.1.1), port(853), protocol(TCP) >>>>> ;; DEBUG: TLS, imported 135 certificates from >>>>> '/etc/ssl/certs/ca- >>>>> bundle.crt' >>>>> ;; DEBUG: TLS, received certificate hierarchy: >>>>> ;; DEBUG: #1, C=US,ST=California,L=San >>>>> Francisco,O=Cloudflare\, >>>>> Inc.,CN=cloudflare-dns.com >>>>> ;; DEBUG: SHA-256 PIN: >>>>> V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU= >>>>> ;; DEBUG: #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure >>>>> Server CA >>>>> ;; DEBUG: SHA-256 PIN: >>>>> PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw= >>>>> ;; DEBUG: TLS, skipping certificate PIN check >>>>> ;; DEBUG: TLS, The certificate is trusted. >>>>> ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM) >>>>> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 51175 >>>>> ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; >>>>> ADDITIONAL: 1 >>>>> >>>>> ;; EDNS PSEUDOSECTION: >>>>> ;; Version: 0; flags: do; UDP size: 1452 B; ext-rcode: NOERROR >>>>> ;; PADDING: 239 B >>>>> >>>>> ;; QUESTION SECTION: >>>>> ;; www.isoc.org. IN A >>>>> >>>>> ;; ANSWER SECTION: >>>>> www.isoc.org. 300 IN A 46.43.36.222 >>>>> www.isoc.org. 300 IN RRSIG A 7 3 300 >>>>> 20190224085001 20190210085001 45830 isoc.org. >>>>> g64C7zJUL1zqUBbcZVDcEKO05EHz19ZHwxr4i8kTieW8XgX63lLZwhJTL1UK0Nx >>>>> OGCP >>>>> OZSVthWBp9HF9WnFjPsxsfkrxkOoz/Hcl1ZuTpWUTBLfBKqnpPJm2NJ2yoR7hPe >>>>> rUvt >>>>> l0sHJnIOczrHnAlCwZBo8OOw9tlW0va+706ZQ= >>>>> >>>>> ;; Received 468 B >>>>> ;; Time 2019-02-10 12:40:19 CET >>>>> ;; From 1.1.1.1(a)853(TCP) in 18.0 ms >>>>> >>>>> >>>>> >>>>> And a test with s_client: >>>>> >>>>> [root(a)ipfire tmp]# openssl s_client -connect 1.1.1.1:853 >>>>> CONNECTED(00000003) >>>>> depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = >>>>> DigiCert Global Root CA >>>>> verify return:1 >>>>> depth=1 C = US, O = DigiCert Inc, CN = DigiCert ECC Secure >>>>> Server >>>>> CA >>>>> verify return:1 >>>>> depth=0 C = US, ST = California, L = San Francisco, O = >>>>> "Cloudflare, Inc.", CN = cloudflare-dns.com >>>>> verify return:1 >>>>> --- >>>>> Certificate chain >>>>> 0 s:C = US, ST = California, L = San Francisco, O = >>>>> "Cloudflare, >>>>> Inc.", CN = cloudflare-dns.com >>>>> i:C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA >>>>> 1 s:C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server >>>>> CA >>>>> i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = >>>>> DigiCert >>>>> Global Root CA >>>>> --- >>>>> Server certificate >>>>> -----BEGIN CERTIFICATE----- >>>>> MIIFxjCCBUygAwIBAgIQAczjGN6fVn+rKySQH62nHTAKBggqhkjOPQQDAjBMMQs >>>>> w >>>>> CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSYwJAYDVQQDEx1EaWd >>>>> p >>>>> Q2VydCBFQ0MgU2VjdXJlIFNlcnZlciBDQTAeFw0xOTAxMjgwMDAwMDBaFw0yMTA >>>>> y >>>>> MDExMjAwMDBaMHIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRY >>>>> w >>>>> FAYDVQQHEw1TYW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZGZsYXJlLCBJbmM >>>>> u >>>>> MRswGQYDVQQDExJjbG91ZGZsYXJlLWRucy5jb20wWTATBgcqhkjOPQIBBggqhkj >>>>> O >>>>> PQMBBwNCAATFIHCMIEJQKB59REF8MHkpHGNeHUSbxfdxOive0qKksWw9ash3uMu >>>>> P >>>>> LlBT/fQYJn9hN+3/wr7pC125fuHfHOJ0o4ID6DCCA+QwHwYDVR0jBBgwFoAUo53 >>>>> m >>>>> H/naOU/AbuiRy5Wl2jHiCp8wHQYDVR0OBBYEFHCV3FyjjmYH28uBEMar58OoRX+ >>>>> g >>>>> MIGsBgNVHREEgaQwgaGCEmNsb3VkZmxhcmUtZG5zLmNvbYIUKi5jbG91ZGZsYXJ >>>>> l >>>>> LWRucy5jb22CD29uZS5vbmUub25lLm9uZYcEAQEBAYcEAQAAAYcEop+ENYcQJgZ >>>>> H >>>>> AEcAAAAAAAAAAAAREYcQJgZHAEcAAAAAAAAAAAAQAYcQJgZHAEcAAAAAAAAAAAA >>>>> A >>>>> ZIcQJgZHAEcAAAAAAAAAAABkAIcEop8kAYcEop8uATAOBgNVHQ8BAf8EBAMCB4A >>>>> w >>>>> HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGkGA1UdHwRiMGAwLqAsoCq >>>>> G >>>>> KGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9zc2NhLWVjYy1nMS5jcmwwLqAsoCq >>>>> G >>>>> KGh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zc2NhLWVjYy1nMS5jcmwwTAYDVR0 >>>>> g >>>>> BEUwQzA3BglghkgBhv1sAQEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGl >>>>> n >>>>> aWNlcnQuY29tL0NQUzAIBgZngQwBAgIwewYIKwYBBQUHAQEEbzBtMCQGCCsGAQU >>>>> F >>>>> BzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRQYIKwYBBQUHMAKGOWh0dHA >>>>> 6 >>>>> Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEVDQ1NlY3VyZVNlcnZlckN >>>>> B >>>>> LmNydDAMBgNVHRMBAf8EAjAAMIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWgAdgC >>>>> k >>>>> uQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3cEAAAAWiVHhSLAAAEAwBHMEU >>>>> C >>>>> IQDlnoPeMXtFkRsy3Vs0eovk3ILKt01x6bgUdMlmQTFIvAIgcAn0lFSjiGzHm2e >>>>> O >>>>> jDZJzMiP5Uaj0Jwub9GO8RkxkkoAdQCHdb/nWXz4jEOZX73zbv9WjUdWNv9KtWD >>>>> B >>>>> tOr/XqCDDwAAAWiVHhVsAAAEAwBGMEQCIFC0n0JModeol8b/Qicxd5Blf/o7xOs >>>>> / >>>>> Bk0j9hdc5N7jAiAQocYnHL9iMqTtFkh0vmSsII5NbiakM/2yDEXnwkPRvAB3ALv >>>>> Z >>>>> 37wfinG1k5Qjl6qSe0c4V5UKq1LoGpCWZDaOHtGFAAABaJUeFJEAAAQDAEgwRgI >>>>> h >>>>> AL3OPTBzOZpS5rS/uLzqMOiACCFQyY+mTJ+L0I9TcB3RAiEA4+SiPz0/5kFxvrk >>>>> 7 >>>>> AKYKdvelgV1hiiPbM2YHY+/0BIkwCgYIKoZIzj0EAwIDaAAwZQIwez76hX2HTMu >>>>> r >>>>> /I3XRuwfdmVoa8J6ZVEVq+AZsE7DyQh7AV4WNLU+092BrPbnyVUFAjEAzUf5jdz >>>>> 1 >>>>> pyc74lgOunC7LBE6cPtWbzfGpJiYyT/T+c5eIAwRYziKT0DKbaql7tiZ >>>>> -----END CERTIFICATE----- >>>>> subject=C = US, ST = California, L = San Francisco, O = >>>>> "Cloudflare, Inc.", CN = cloudflare-dns.com >>>>> >>>>> issuer=C = US, O = DigiCert Inc, CN = DigiCert ECC Secure >>>>> Server CA >>>>> >>>>> --- >>>>> No client certificate CA names sent >>>>> Peer signing digest: SHA256 >>>>> Peer signature type: ECDSA >>>>> Server Temp Key: X25519, 253 bits >>>>> --- >>>>> SSL handshake has read 2787 bytes and written 421 bytes >>>>> Verification: OK >>>>> --- >>>>> New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256 >>>>> Server public key is 256 bit >>>>> Secure Renegotiation IS NOT supported >>>>> Compression: NONE >>>>> Expansion: NONE >>>>> No ALPN negotiated >>>>> Early data was not sent >>>>> Verify return code: 0 (ok) >>>>> --- >>>>> --- >>>>> Post-Handshake New Session Ticket arrived: >>>>> SSL-Session: >>>>> Protocol : TLSv1.3 >>>>> Cipher : TLS_CHACHA20_POLY1305_SHA256 >>>>> Session-ID: >>>>> FAA394DF4959235034E350399A968F5C945D413F68CC5D29191B209900735C0 >>>>> 1 >>>>> Session-ID-ctx: >>>>> Resumption PSK: >>>>> 414F9C16B3D4845BC0592B35CC2D28DBD9B807BCBCB95125870379E1AAA480C >>>>> 7 >>>>> PSK identity: None >>>>> PSK identity hint: None >>>>> TLS session ticket lifetime hint: 21600 (seconds) >>>>> TLS session ticket: >>>>> 0000 - 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 >>>>> 00 ................ >>>>> 0010 - 8f 9b bb d1 0a 9e a6 0d-df d3 9d 7d 8f c1 f1 >>>>> 6b ...........}...k >>>>> 0020 - 00 80 31 55 77 a3 b3 5c-fe 90 11 fb 8c ef b1 >>>>> 23 ..1Uw..\.......# >>>>> 0030 - 9c 88 83 b0 33 5d 84 d6-1a 75 db 68 67 fb 57 >>>>> 3d ....3]...u.hg.W= >>>>> 0040 - ef 71 6b 7f 22 ae fa bf-d7 0d 12 37 62 69 01 >>>>> ff .qk."......7bi.. >>>>> 0050 - 5a 78 29 97 8e ab a4 8e-e0 83 ab 0f 63 fa b4 >>>>> d9 Zx).........c... >>>>> 0060 - 3b 08 70 38 56 db 6a 43-8c d3 e4 de 5d 1e 7e >>>>> cb ;.p8V.jC....].~. >>>>> 0070 - 82 63 08 cd 31 71 61 17-44 a1 98 87 8a a5 43 >>>>> 06 .c..1qa.D.....C. >>>>> 0080 - d1 f8 aa a7 ba 3e 99 32-a9 f8 a6 14 46 bd a2 >>>>> 0e .....>.2....F... >>>>> 0090 - 74 79 fa 24 c5 5c a2 12-81 cb 2c 85 4b 91 c1 >>>>> 1b ty.$.\....,.K... >>>>> 00a0 - 7d c3 3d c9 6a 58 12 4e-41 b7 eb 29 9e b6 90 >>>>> 07 }.=.jX.NA..).... >>>>> 00b0 - e1 92 dd 8d 44 >>>>> 69 ....Di >>>>> >>>>> Start Time: 1549799117 >>>>> Timeout : 7200 (sec) >>>>> Verify return code: 0 (ok) >>>>> Extended master secret: no >>>>> Max Early Data: 0 >>>>> --- >>>>> read R BLOCK >>>>> closed >>>>> >>>>> >>>>> Which seems strange to me since Cloudflair offers TLSv1.3 but >>>>> unbound initializes only TLSv1.2 . >>>>> >>>>> Have check all working DoT servers from here --> >>>>> https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers >>>>> too, >>>>> but no TLSv1.3 at all... >>>>> >>>>> >>>>> Did someone have similar behaviors ? >>>>> >>>>> Best, >>>>> >>>>> Erik >>>>> >>>>> >>>>> >>>>> >>>> >>>> >> >> > --===============7111944099149455146==--