From: "Peter Müller" <peter.mueller@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: OpenSSL-1.1.1a - No TLSv1.3 with unbound
Date: Wed, 13 Feb 2019 19:40:00 +0000 [thread overview]
Message-ID: <b01e137d-d2f9-d2ba-ffaf-aaaf670e1548@ipfire.org> (raw)
In-Reply-To: <B47111D3-D028-4BA9-8EDB-0239E36B8396@ipfire.org>
[-- Attachment #1: Type: text/plain, Size: 8478 bytes --]
Hello Michael, hello Erik,
sorry for the long delay here. :-\
I noticed the AESCCM issue with Unbound, and will have a look
at it (never observed these ciphers in the wild - i.e. web and mail
traffic - but that does not mean anything here).
At the moment, I do not have an idea what is going wrong
here (currently using 127-stable).
P.S.: It's CloudFlare, not Cloudflair. :-)
P.P.S.: Thank you for the DoT server list. I will update the Wiki page.
Thanks, and best regards,
Peter Müller
> Hi,
>
> This is a bit weird.
>
> Does the version of unbound support TLS 1.3? We had to update Apache to support TLS 1.3 and we had to just rebuild haproxy to support it, too. Since you are running a build of unbound that was built against OpenSSL 1.1.1 I would say the latter isn’t likely.
>
> -Michael
>
>> On 10 Feb 2019, at 14:15, ummeegge <ummeegge(a)ipfire.org> wrote:
>>
>> Hi all,
>> did an fresh install from origin/next of Core 128 with the new OpenSSL-
>> 1.1.1a . Have checked also DNS-over-TLS which works well but kdig
>> points out that the TLS sessions operates only with TLSv1.2 instaed of
>> the new delivered TLSv1.3 .
>>
>> A test with Cloudflair (which uses TLSv1.3) looks like this -->
>>
>> kdig Test:
>>
>>
>> ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
>> ;; DEBUG: TLS, imported 135 certificates from '/etc/ssl/certs/ca-bundle.crt'
>> ;; DEBUG: TLS, received certificate hierarchy:
>> ;; DEBUG: #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
>> ;; DEBUG: SHA-256 PIN: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
>> ;; DEBUG: #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
>> ;; DEBUG: SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
>> ;; DEBUG: TLS, skipping certificate PIN check
>> ;; DEBUG: TLS, The certificate is trusted.
>> ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
>> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 51175
>> ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1
>>
>> ;; EDNS PSEUDOSECTION:
>> ;; Version: 0; flags: do; UDP size: 1452 B; ext-rcode: NOERROR
>> ;; PADDING: 239 B
>>
>> ;; QUESTION SECTION:
>> ;; www.isoc.org. IN A
>>
>> ;; ANSWER SECTION:
>> www.isoc.org. 300 IN A 46.43.36.222
>> www.isoc.org. 300 IN RRSIG A 7 3 300 20190224085001 20190210085001 45830 isoc.org. g64C7zJUL1zqUBbcZVDcEKO05EHz19ZHwxr4i8kTieW8XgX63lLZwhJTL1UK0NxOGCPOZSVthWBp9HF9WnFjPsxsfkrxkOoz/Hcl1ZuTpWUTBLfBKqnpPJm2NJ2yoR7hPerUvtl0sHJnIOczrHnAlCwZBo8OOw9tlW0va+706ZQ=
>>
>> ;; Received 468 B
>> ;; Time 2019-02-10 12:40:19 CET
>> ;; From 1.1.1.1(a)853(TCP) in 18.0 ms
>>
>>
>>
>> And a test with s_client:
>>
>> [root(a)ipfire tmp]# openssl s_client -connect 1.1.1.1:853
>> CONNECTED(00000003)
>> depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
>> verify return:1
>> depth=1 C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
>> verify return:1
>> depth=0 C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = cloudflare-dns.com
>> verify return:1
>> ---
>> Certificate chain
>> 0 s:C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = cloudflare-dns.com
>> i:C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
>> 1 s:C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
>> i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
>> ---
>> Server certificate
>> -----BEGIN CERTIFICATE-----
>> MIIFxjCCBUygAwIBAgIQAczjGN6fVn+rKySQH62nHTAKBggqhkjOPQQDAjBMMQsw
>> CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSYwJAYDVQQDEx1EaWdp
>> Q2VydCBFQ0MgU2VjdXJlIFNlcnZlciBDQTAeFw0xOTAxMjgwMDAwMDBaFw0yMTAy
>> MDExMjAwMDBaMHIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYw
>> FAYDVQQHEw1TYW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZGZsYXJlLCBJbmMu
>> MRswGQYDVQQDExJjbG91ZGZsYXJlLWRucy5jb20wWTATBgcqhkjOPQIBBggqhkjO
>> PQMBBwNCAATFIHCMIEJQKB59REF8MHkpHGNeHUSbxfdxOive0qKksWw9ash3uMuP
>> LlBT/fQYJn9hN+3/wr7pC125fuHfHOJ0o4ID6DCCA+QwHwYDVR0jBBgwFoAUo53m
>> H/naOU/AbuiRy5Wl2jHiCp8wHQYDVR0OBBYEFHCV3FyjjmYH28uBEMar58OoRX+g
>> MIGsBgNVHREEgaQwgaGCEmNsb3VkZmxhcmUtZG5zLmNvbYIUKi5jbG91ZGZsYXJl
>> LWRucy5jb22CD29uZS5vbmUub25lLm9uZYcEAQEBAYcEAQAAAYcEop+ENYcQJgZH
>> AEcAAAAAAAAAAAAREYcQJgZHAEcAAAAAAAAAAAAQAYcQJgZHAEcAAAAAAAAAAAAA
>> ZIcQJgZHAEcAAAAAAAAAAABkAIcEop8kAYcEop8uATAOBgNVHQ8BAf8EBAMCB4Aw
>> HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGkGA1UdHwRiMGAwLqAsoCqG
>> KGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9zc2NhLWVjYy1nMS5jcmwwLqAsoCqG
>> KGh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zc2NhLWVjYy1nMS5jcmwwTAYDVR0g
>> BEUwQzA3BglghkgBhv1sAQEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGln
>> aWNlcnQuY29tL0NQUzAIBgZngQwBAgIwewYIKwYBBQUHAQEEbzBtMCQGCCsGAQUF
>> BzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRQYIKwYBBQUHMAKGOWh0dHA6
>> Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEVDQ1NlY3VyZVNlcnZlckNB
>> LmNydDAMBgNVHRMBAf8EAjAAMIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWgAdgCk
>> uQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3cEAAAAWiVHhSLAAAEAwBHMEUC
>> IQDlnoPeMXtFkRsy3Vs0eovk3ILKt01x6bgUdMlmQTFIvAIgcAn0lFSjiGzHm2eO
>> jDZJzMiP5Uaj0Jwub9GO8RkxkkoAdQCHdb/nWXz4jEOZX73zbv9WjUdWNv9KtWDB
>> tOr/XqCDDwAAAWiVHhVsAAAEAwBGMEQCIFC0n0JModeol8b/Qicxd5Blf/o7xOs/
>> Bk0j9hdc5N7jAiAQocYnHL9iMqTtFkh0vmSsII5NbiakM/2yDEXnwkPRvAB3ALvZ
>> 37wfinG1k5Qjl6qSe0c4V5UKq1LoGpCWZDaOHtGFAAABaJUeFJEAAAQDAEgwRgIh
>> AL3OPTBzOZpS5rS/uLzqMOiACCFQyY+mTJ+L0I9TcB3RAiEA4+SiPz0/5kFxvrk7
>> AKYKdvelgV1hiiPbM2YHY+/0BIkwCgYIKoZIzj0EAwIDaAAwZQIwez76hX2HTMur
>> /I3XRuwfdmVoa8J6ZVEVq+AZsE7DyQh7AV4WNLU+092BrPbnyVUFAjEAzUf5jdz1
>> pyc74lgOunC7LBE6cPtWbzfGpJiYyT/T+c5eIAwRYziKT0DKbaql7tiZ
>> -----END CERTIFICATE-----
>> subject=C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = cloudflare-dns.com
>>
>> issuer=C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
>>
>> ---
>> No client certificate CA names sent
>> Peer signing digest: SHA256
>> Peer signature type: ECDSA
>> Server Temp Key: X25519, 253 bits
>> ---
>> SSL handshake has read 2787 bytes and written 421 bytes
>> Verification: OK
>> ---
>> New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256
>> Server public key is 256 bit
>> Secure Renegotiation IS NOT supported
>> Compression: NONE
>> Expansion: NONE
>> No ALPN negotiated
>> Early data was not sent
>> Verify return code: 0 (ok)
>> ---
>> ---
>> Post-Handshake New Session Ticket arrived:
>> SSL-Session:
>> Protocol : TLSv1.3
>> Cipher : TLS_CHACHA20_POLY1305_SHA256
>> Session-ID: FAA394DF4959235034E350399A968F5C945D413F68CC5D29191B209900735C01
>> Session-ID-ctx:
>> Resumption PSK: 414F9C16B3D4845BC0592B35CC2D28DBD9B807BCBCB95125870379E1AAA480C7
>> PSK identity: None
>> PSK identity hint: None
>> TLS session ticket lifetime hint: 21600 (seconds)
>> TLS session ticket:
>> 0000 - 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
>> 0010 - 8f 9b bb d1 0a 9e a6 0d-df d3 9d 7d 8f c1 f1 6b ...........}...k
>> 0020 - 00 80 31 55 77 a3 b3 5c-fe 90 11 fb 8c ef b1 23 ..1Uw..\.......#
>> 0030 - 9c 88 83 b0 33 5d 84 d6-1a 75 db 68 67 fb 57 3d ....3]...u.hg.W=
>> 0040 - ef 71 6b 7f 22 ae fa bf-d7 0d 12 37 62 69 01 ff .qk."......7bi..
>> 0050 - 5a 78 29 97 8e ab a4 8e-e0 83 ab 0f 63 fa b4 d9 Zx).........c...
>> 0060 - 3b 08 70 38 56 db 6a 43-8c d3 e4 de 5d 1e 7e cb ;.p8V.jC....].~.
>> 0070 - 82 63 08 cd 31 71 61 17-44 a1 98 87 8a a5 43 06 .c..1qa.D.....C.
>> 0080 - d1 f8 aa a7 ba 3e 99 32-a9 f8 a6 14 46 bd a2 0e .....>.2....F...
>> 0090 - 74 79 fa 24 c5 5c a2 12-81 cb 2c 85 4b 91 c1 1b ty.$.\....,.K...
>> 00a0 - 7d c3 3d c9 6a 58 12 4e-41 b7 eb 29 9e b6 90 07 }.=.jX.NA..)....
>> 00b0 - e1 92 dd 8d 44 69 ....Di
>>
>> Start Time: 1549799117
>> Timeout : 7200 (sec)
>> Verify return code: 0 (ok)
>> Extended master secret: no
>> Max Early Data: 0
>> ---
>> read R BLOCK
>> closed
>>
>>
>> Which seems strange to me since Cloudflair offers TLSv1.3 but unbound initializes only TLSv1.2 .
>>
>> Have check all working DoT servers from here --> https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers too,
>> but no TLSv1.3 at all...
>>
>>
>> Did someone have similar behaviors ?
>>
>> Best,
>>
>> Erik
next prev parent reply other threads:[~2019-02-13 19:40 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-10 14:15 ummeegge
2019-02-13 18:05 ` Michael Tremer
2019-02-13 19:40 ` Peter Müller [this message]
2019-02-14 7:24 ` ummeegge
2019-02-14 11:11 ` Michael Tremer
2019-02-14 11:31 ` ummeegge
2019-03-07 4:16 ` ummeegge
2019-03-07 8:54 ` Michael Tremer
2019-03-07 9:05 ` ummeegge
2019-05-24 5:50 ` ummeegge
2019-02-14 6:57 ` ummeegge
2019-02-14 11:08 ` Michael Tremer
2019-02-14 11:28 ` ummeegge
2019-02-14 11:31 ` Michael Tremer
2019-02-14 14:18 ` ummeegge
2019-02-14 15:01 ` Michael Tremer
2019-02-14 15:18 ` ummeegge
2019-02-15 14:17 ` ummeegge
2019-03-05 17:17 ` ummeegge
2019-03-05 17:23 ` Michael Tremer
[not found] <5DEFDAC6-908C-43EB-BC66-A7BD5835626A@ipfire.org>
2019-03-05 17:56 ` ummeegge
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b01e137d-d2f9-d2ba-ffaf-aaaf670e1548@ipfire.org \
--to=peter.mueller@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox