From: ummeegge <ummeegge@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: OpenSSL-1.1.1a - No TLSv1.3 with unbound
Date: Tue, 05 Mar 2019 18:56:28 +0100 [thread overview]
Message-ID: <dcc8b99673d5e974a5cb7c9a24c3db7ff2afad1e.camel@ipfire.org> (raw)
In-Reply-To: <5DEFDAC6-908C-43EB-BC66-A7BD5835626A@ipfire.org>
[-- Attachment #1: Type: text/plain, Size: 19592 bytes --]
On Di, 2019-03-05 at 17:49 +0000, Michael Tremer wrote:
> > On 5 Mar 2019, at 17:33, ummeegge <ummeegge(a)ipfire.org> wrote:
> >
> > Hi Michael,
> > the current/actual development state can be found in here -->
> > https://forum.ipfire.org/viewtopic.php?f=50&t=21954#p120691
> > on both machines i have the same version running.
>
> That is a three page long thread...
:D tried to include the summary in the starting post. But OK i hear you
:-).
>
> > unbound.conf is default but have integrated '--qname-minimisation
> > strict' in forward.conf if Dot is in usage since a couple of weeks
> > now
> > for testing purposes (no bad feedback in the forum until now but
> > only
> > two testing feedbacks). Here, the same settings are on both
> > machines?!
>
> Probably best to ask the unbound devs then…
Probably yes!
Erik
>
> -Michael
>
> >
> > Best,
> >
> > Erik
> >
> > On Di, 2019-03-05 at 17:23 +0000, Michael Tremer wrote:
> > > Hey,
> > >
> > > Do you have any additional settings apart from the IPFire default
> > > unbound configuration?
> > >
> > > -Michael
> > >
> > > > On 5 Mar 2019, at 17:17, ummeegge <ummeegge(a)ipfire.org> wrote:
> > > >
> > > > Hi all,
> > > > really was hoping that things are changing with the testings of
> > > > Core
> > > > 128 and was then happy to see that OpenSSL-1.1.1b addresses a
> > > > potential
> > > > problem/solution -->
> > > > https://www.openssl.org/news/changelog.html#x1
> > > > but it doesn´t...
> > > > Have currently Core 129 with unbound -1.9.0 and OpenSSL-1.1.1b
> > > > installed -->
> > > >
> > > > Version 1.9.0
> > > > linked libs: libevent 2.1.8-stable (it uses epoll), OpenSSL
> > > > 1.1.1b 26 Feb 2019
> > > > linked modules: dns64 respip validator iterator
> > > > BSD licensed, see LICENSE in source package for details.
> > > > Report bugs to unbound-bugs(a)nlnetlabs.nl
> > > >
> > > > but (only?) unbound uses no TLSv1.3 (curl and Apache does),
> > > > tested
> > > > with Quad9 and Cloudflare -->
> > > >
> > > >
> > > > ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1),
> > > > server(9.9.9.9), port(853), protocol(TCP)
> > > > ;; DEBUG: TLS, imported 135 certificates from
> > > > '/etc/ssl/certs/ca-
> > > > bundle.crt'
> > > > ;; DEBUG: TLS, received certificate hierarchy:
> > > > ;; DEBUG: #1,
> > > > C=US,ST=California,L=Berkeley,O=Quad9,CN=*.quad9.net
> > > > ;; DEBUG: SHA-256 PIN:
> > > > /SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg=
> > > > ;; DEBUG: #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure
> > > > Server CA
> > > > ;; DEBUG: SHA-256 PIN:
> > > > PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
> > > > ;; DEBUG: TLS, skipping certificate PIN check
> > > > ;; DEBUG: TLS, The certificate is trusted.
> > > > ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(CHACHA20-
> > > > POLY1305)
> > > > ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 10011
> > > > ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0;
> > > > ADDITIONAL: 1
> > > >
> > > > ;; EDNS PSEUDOSECTION:
> > > > ;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: NOERROR
> > > >
> > > > ;; QUESTION SECTION:
> > > > ;; www.isoc.org. IN A
> > > >
> > > > ;; ANSWER SECTION:
> > > > www.isoc.org. 300 IN A 46.43.36.222
> > > > www.isoc.org. 300 IN RRSIG A 7 3 300
> > > > 20190319085001 20190305085001 54512 isoc.org.
> > > > Mapbxw7G2F4QRTgrFg9P2uA2GYz2YnJIQu58t9MRdQJi4MU2EJeWqCRdUpy0kCH
> > > > VCxD
> > > > cDln9u+hnlF271IjZG/fTPGhw0A4bgCtHXXqAr/89b83maNRuYw/DVO4JI20z4+
> > > > 7TYY
> > > > 18yQinutvZUvzobmUebXVPWhNsRPLHbb4tOeI=
> > > >
> > > > ;; Received 225 B
> > > > ;; Time 2019-03-05 18:09:18 CET
> > > > ;; From 9.9.9.9(a)853(TCP) in 142.4 ms
> > > >
> > > > Exit status: 0
> > > >
> > > > ===============================================================
> > > > ====
> > > > =====================================================
> > > >
> > > > ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1),
> > > > server(1.1.1.1), port(853), protocol(TCP)
> > > > ;; DEBUG: TLS, imported 135 certificates from
> > > > '/etc/ssl/certs/ca-
> > > > bundle.crt'
> > > > ;; DEBUG: TLS, received certificate hierarchy:
> > > > ;; DEBUG: #1, C=US,ST=California,L=San
> > > > Francisco,O=Cloudflare\,
> > > > Inc.,CN=cloudflare-dns.com
> > > > ;; DEBUG: SHA-256 PIN:
> > > > V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
> > > > ;; DEBUG: #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure
> > > > Server CA
> > > > ;; DEBUG: SHA-256 PIN:
> > > > PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
> > > > ;; DEBUG: TLS, skipping certificate PIN check
> > > > ;; DEBUG: TLS, The certificate is trusted.
> > > > ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
> > > > ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 24241
> > > > ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0;
> > > > ADDITIONAL: 1
> > > >
> > > > ;; EDNS PSEUDOSECTION:
> > > > ;; Version: 0; flags: do; UDP size: 1452 B; ext-rcode: NOERROR
> > > > ;; PADDING: 239 B
> > > >
> > > > ;; QUESTION SECTION:
> > > > ;; www.isoc.org. IN A
> > > >
> > > > ;; ANSWER SECTION:
> > > > www.isoc.org. 300 IN A 46.43.36.222
> > > > www.isoc.org. 300 IN RRSIG A 7 3 300
> > > > 20190319085001 20190305085001 54512 isoc.org.
> > > > Mapbxw7G2F4QRTgrFg9P2uA2GYz2YnJIQu58t9MRdQJi4MU2EJeWqCRdUpy0kCH
> > > > VCxD
> > > > cDln9u+hnlF271IjZG/fTPGhw0A4bgCtHXXqAr/89b83maNRuYw/DVO4JI20z4+
> > > > 7TYY
> > > > 18yQinutvZUvzobmUebXVPWhNsRPLHbb4tOeI=
> > > >
> > > > ;; Received 468 B
> > > > ;; Time 2019-03-05 18:09:24 CET
> > > > ;; From 1.1.1.1(a)853(TCP) in 19.3 ms
> > > >
> > > > Exit status: 0
> > > >
> > > >
> > > > whereby my "old" machine with unbound -->
> > > > Version 1.8.1
> > > > linked libs: libevent 2.1.8-stable (it uses epoll), OpenSSL
> > > > 1.1.1a 20 Nov 2018
> > > > linked modules: dns64 respip validator iterator
> > > > BSD licensed, see LICENSE in source package for details.
> > > > Report bugs to unbound-bugs(a)nlnetlabs.nl
> > > >
> > > > uses it -->
> > > >
> > > >
> > > >
> > > > ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1),
> > > > server(1.1.1.1), port(853), protocol(TCP)
> > > > ;; DEBUG: TLS, imported 128 certificates from
> > > > '/etc/ssl/certs/ca-
> > > > bundle.crt'
> > > > ;; DEBUG: TLS, received certificate hierarchy:
> > > > ;; DEBUG: #1, C=US,ST=California,L=San
> > > > Francisco,O=Cloudflare\,
> > > > Inc.,CN=cloudflare-dns.com
> > > > ;; DEBUG: SHA-256 PIN:
> > > > V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
> > > > ;; DEBUG: #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure
> > > > Server CA
> > > > ;; DEBUG: SHA-256 PIN:
> > > > PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
> > > > ;; DEBUG: TLS, skipping certificate PIN check
> > > > ;; DEBUG: TLS, The certificate is trusted.
> > > > ;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-
> > > > SHA256)-
> > > > (AES-256-GCM)
> > > > ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 5997
> > > > ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0;
> > > > ADDITIONAL: 1
> > > >
> > > > ;; EDNS PSEUDOSECTION:
> > > > ;; Version: 0; flags: do; UDP size: 1452 B; ext-rcode: NOERROR
> > > > ;; PADDING: 239 B
> > > >
> > > > ;; QUESTION SECTION:
> > > > ;; www.isoc.org. IN A
> > > >
> > > > ;; ANSWER SECTION:
> > > > www.isoc.org. 158 IN A 46.43.36.222
> > > > www.isoc.org. 158 IN RRSIG A 7 3 300
> > > > 20190319085001 20190305085001 54512 isoc.org.
> > > > Mapbxw7G2F4QRTgrFg9P2uA2GYz2YnJIQu58t9MRdQJi4MU2EJeWqCRdUpy0kCH
> > > > VCxD
> > > > cDln9u+hnlF271IjZG/fTPGhw0A4bgCtHXXqAr/89b83maNRuYw/DVO4JI20z4+
> > > > 7TYY
> > > > 18yQinutvZUvzobmUebXVPWhNsRPLHbb4tOeI=
> > > >
> > > > ;; Received 468 B
> > > > ;; Time 2019-03-05 18:11:44 CET
> > > > ;; From 1.1.1.1(a)853(TCP) in 47.5 ms
> > > >
> > > > Exit status: 0
> > > >
> > > > ===============================================================
> > > > ====
> > > > ====
> > > >
> > > >
> > > > ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1),
> > > > server(9.9.9.9), port(853), protocol(TCP)
> > > > ;; DEBUG: TLS, imported 128 certificates from
> > > > '/etc/ssl/certs/ca-
> > > > bundle.crt'
> > > > ;; DEBUG: TLS, received certificate hierarchy:
> > > > ;; DEBUG: #1,
> > > > C=US,ST=California,L=Berkeley,O=Quad9,CN=*.quad9.net
> > > > ;; DEBUG: SHA-256 PIN:
> > > > /SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg=
> > > > ;; DEBUG: #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure
> > > > Server CA
> > > > ;; DEBUG: SHA-256 PIN:
> > > > PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
> > > > ;; DEBUG: TLS, skipping certificate PIN check
> > > > ;; DEBUG: TLS, The certificate is trusted.
> > > > ;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-
> > > > SHA256)-
> > > > (AES-256-GCM)
> > > > ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 13744
> > > > ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0;
> > > > ADDITIONAL: 1
> > > >
> > > > ;; EDNS PSEUDOSECTION:
> > > > ;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: NOERROR
> > > >
> > > > ;; QUESTION SECTION:
> > > > ;; www.isoc.org. IN A
> > > >
> > > > ;; ANSWER SECTION:
> > > > www.isoc.org. 300 IN A 46.43.36.222
> > > > www.isoc.org. 300 IN RRSIG A 7 3 300
> > > > 20190319085001 20190305085001 54512 isoc.org.
> > > > Mapbxw7G2F4QRTgrFg9P2uA2GYz2YnJIQu58t9MRdQJi4MU2EJeWqCRdUpy0kCH
> > > > VCxD
> > > > cDln
> > > > 9u+hnlF271IjZG/fTPGhw0A4bgCtHXXqAr/89b83maNRuYw/DVO4JI20z4+7TYY
> > > > 18yQ
> > > > inut
> > > > vZUvzobmUebXVPWhNsRPLHbb4tOeI=
> > > >
> > > > ;; Received 225 B
> > > > ;; Time 2019-03-05 18:11:44 CET
> > > > ;; From 9.9.9.9(a)853(TCP) in 286.9 ms
> > > >
> > > > Exit status: 0
> > > >
> > > >
> > > > Haven´t found until now a reason for this ! May someone else
> > > > did
> > > > some
> > > > tests/have_an_idea ?
> > > >
> > > >
> > > > Best,
> > > >
> > > > Erik
> > > >
> > > >
> > > >
> > > > On So, 2019-02-10 at 15:15 +0100, ummeegge wrote:
> > > > > Hi all,
> > > > > did an fresh install from origin/next of Core 128 with the
> > > > > new
> > > > > OpenSSL-
> > > > > 1.1.1a . Have checked also DNS-over-TLS which works well but
> > > > > kdig
> > > > > points out that the TLS sessions operates only with TLSv1.2
> > > > > instaed
> > > > > of
> > > > > the new delivered TLSv1.3 .
> > > > >
> > > > > A test with Cloudflair (which uses TLSv1.3) looks like this
> > > > > -->
> > > > >
> > > > > kdig Test:
> > > > >
> > > > >
> > > > > ;; DEBUG: Querying for owner(www.isoc.org.), class(1),
> > > > > type(1),
> > > > > server(1.1.1.1), port(853), protocol(TCP)
> > > > > ;; DEBUG: TLS, imported 135 certificates from
> > > > > '/etc/ssl/certs/ca-
> > > > > bundle.crt'
> > > > > ;; DEBUG: TLS, received certificate hierarchy:
> > > > > ;; DEBUG: #1, C=US,ST=California,L=San
> > > > > Francisco,O=Cloudflare\,
> > > > > Inc.,CN=cloudflare-dns.com
> > > > > ;; DEBUG: SHA-256 PIN:
> > > > > V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
> > > > > ;; DEBUG: #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure
> > > > > Server
> > > > > CA
> > > > > ;; DEBUG: SHA-256 PIN:
> > > > > PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
> > > > > ;; DEBUG: TLS, skipping certificate PIN check
> > > > > ;; DEBUG: TLS, The certificate is trusted.
> > > > > ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
> > > > > ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 51175
> > > > > ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0;
> > > > > ADDITIONAL:
> > > > > 1
> > > > >
> > > > > ;; EDNS PSEUDOSECTION:
> > > > > ;; Version: 0; flags: do; UDP size: 1452 B; ext-rcode:
> > > > > NOERROR
> > > > > ;; PADDING: 239 B
> > > > >
> > > > > ;; QUESTION SECTION:
> > > > > ;; www.isoc.org. IN A
> > > > >
> > > > > ;; ANSWER SECTION:
> > > > > www.isoc.org. 300 IN A 46.43.36.222
> > > > > www.isoc.org. 300 IN RRSIG A 7 3 300
> > > > > 20190224085001 20190210085001 45830 isoc.org.
> > > > > g64C7zJUL1zqUBbcZVDcEKO05EHz19ZHwxr4i8kTieW8XgX63lLZwhJTL1UK0
> > > > > NxOG
> > > > > CPOZ
> > > > > SVthWBp9HF9WnFjPsxsfkrxkOoz/Hcl1ZuTpWUTBLfBKqnpPJm2NJ2yoR7hPe
> > > > > rUvt
> > > > > l0sH
> > > > > JnIOczrHnAlCwZBo8OOw9tlW0va+706ZQ=
> > > > >
> > > > > ;; Received 468 B
> > > > > ;; Time 2019-02-10 12:40:19 CET
> > > > > ;; From 1.1.1.1(a)853(TCP) in 18.0 ms
> > > > >
> > > > >
> > > > >
> > > > > And a test with s_client:
> > > > >
> > > > > [root(a)ipfire tmp]# openssl s_client -connect 1.1.1.1:853
> > > > > CONNECTED(00000003)
> > > > > depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN =
> > > > > DigiCert Global Root CA
> > > > > verify return:1
> > > > > depth=1 C = US, O = DigiCert Inc, CN = DigiCert ECC Secure
> > > > > Server
> > > > > CA
> > > > > verify return:1
> > > > > depth=0 C = US, ST = California, L = San Francisco, O =
> > > > > "Cloudflare,
> > > > > Inc.", CN = cloudflare-dns.com
> > > > > verify return:1
> > > > > ---
> > > > > Certificate chain
> > > > > 0 s:C = US, ST = California, L = San Francisco, O =
> > > > > "Cloudflare,
> > > > > Inc.", CN = cloudflare-dns.com
> > > > > i:C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server
> > > > > CA
> > > > > 1 s:C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server
> > > > > CA
> > > > > i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN =
> > > > > DigiCert
> > > > > Global Root CA
> > > > > ---
> > > > > Server certificate
> > > > > -----BEGIN CERTIFICATE-----
> > > > > MIIFxjCCBUygAwIBAgIQAczjGN6fVn+rKySQH62nHTAKBggqhkjOPQQDAjBMM
> > > > > Qsw
> > > > > CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSYwJAYDVQQDEx1Ea
> > > > > Wdp
> > > > > Q2VydCBFQ0MgU2VjdXJlIFNlcnZlciBDQTAeFw0xOTAxMjgwMDAwMDBaFw0yM
> > > > > TAy
> > > > > MDExMjAwMDBaMHIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhM
> > > > > RYw
> > > > > FAYDVQQHEw1TYW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZGZsYXJlLCBJb
> > > > > mMu
> > > > > MRswGQYDVQQDExJjbG91ZGZsYXJlLWRucy5jb20wWTATBgcqhkjOPQIBBggqh
> > > > > kjO
> > > > > PQMBBwNCAATFIHCMIEJQKB59REF8MHkpHGNeHUSbxfdxOive0qKksWw9ash3u
> > > > > MuP
> > > > > LlBT/fQYJn9hN+3/wr7pC125fuHfHOJ0o4ID6DCCA+QwHwYDVR0jBBgwFoAUo
> > > > > 53m
> > > > > H/naOU/AbuiRy5Wl2jHiCp8wHQYDVR0OBBYEFHCV3FyjjmYH28uBEMar58OoR
> > > > > X+g
> > > > > MIGsBgNVHREEgaQwgaGCEmNsb3VkZmxhcmUtZG5zLmNvbYIUKi5jbG91ZGZsY
> > > > > XJl
> > > > > LWRucy5jb22CD29uZS5vbmUub25lLm9uZYcEAQEBAYcEAQAAAYcEop+ENYcQJ
> > > > > gZH
> > > > > AEcAAAAAAAAAAAAREYcQJgZHAEcAAAAAAAAAAAAQAYcQJgZHAEcAAAAAAAAAA
> > > > > AAA
> > > > > ZIcQJgZHAEcAAAAAAAAAAABkAIcEop8kAYcEop8uATAOBgNVHQ8BAf8EBAMCB
> > > > > 4Aw
> > > > > HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGkGA1UdHwRiMGAwLqAso
> > > > > CqG
> > > > > KGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9zc2NhLWVjYy1nMS5jcmwwLqAso
> > > > > CqG
> > > > > KGh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zc2NhLWVjYy1nMS5jcmwwTAYDV
> > > > > R0g
> > > > > BEUwQzA3BglghkgBhv1sAQEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZ
> > > > > Gln
> > > > > aWNlcnQuY29tL0NQUzAIBgZngQwBAgIwewYIKwYBBQUHAQEEbzBtMCQGCCsGA
> > > > > QUF
> > > > > BzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRQYIKwYBBQUHMAKGOWh0d
> > > > > HA6
> > > > > Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEVDQ1NlY3VyZVNlcnZlc
> > > > > kNB
> > > > > LmNydDAMBgNVHRMBAf8EAjAAMIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWgAd
> > > > > gCk
> > > > > uQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3cEAAAAWiVHhSLAAAEAwBHM
> > > > > EUC
> > > > > IQDlnoPeMXtFkRsy3Vs0eovk3ILKt01x6bgUdMlmQTFIvAIgcAn0lFSjiGzHm
> > > > > 2eO
> > > > > jDZJzMiP5Uaj0Jwub9GO8RkxkkoAdQCHdb/nWXz4jEOZX73zbv9WjUdWNv9Kt
> > > > > WDB
> > > > > tOr/XqCDDwAAAWiVHhVsAAAEAwBGMEQCIFC0n0JModeol8b/Qicxd5Blf/o7x
> > > > > Os/
> > > > > Bk0j9hdc5N7jAiAQocYnHL9iMqTtFkh0vmSsII5NbiakM/2yDEXnwkPRvAB3A
> > > > > LvZ
> > > > > 37wfinG1k5Qjl6qSe0c4V5UKq1LoGpCWZDaOHtGFAAABaJUeFJEAAAQDAEgwR
> > > > > gIh
> > > > > AL3OPTBzOZpS5rS/uLzqMOiACCFQyY+mTJ+L0I9TcB3RAiEA4+SiPz0/5kFxv
> > > > > rk7
> > > > > AKYKdvelgV1hiiPbM2YHY+/0BIkwCgYIKoZIzj0EAwIDaAAwZQIwez76hX2HT
> > > > > Mur
> > > > > /I3XRuwfdmVoa8J6ZVEVq+AZsE7DyQh7AV4WNLU+092BrPbnyVUFAjEAzUf5j
> > > > > dz1
> > > > > pyc74lgOunC7LBE6cPtWbzfGpJiYyT/T+c5eIAwRYziKT0DKbaql7tiZ
> > > > > -----END CERTIFICATE-----
> > > > > subject=C = US, ST = California, L = San Francisco, O =
> > > > > "Cloudflare,
> > > > > Inc.", CN = cloudflare-dns.com
> > > > >
> > > > > issuer=C = US, O = DigiCert Inc, CN = DigiCert ECC Secure
> > > > > Server
> > > > > CA
> > > > >
> > > > > ---
> > > > > No client certificate CA names sent
> > > > > Peer signing digest: SHA256
> > > > > Peer signature type: ECDSA
> > > > > Server Temp Key: X25519, 253 bits
> > > > > ---
> > > > > SSL handshake has read 2787 bytes and written 421 bytes
> > > > > Verification: OK
> > > > > ---
> > > > > New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256
> > > > > Server public key is 256 bit
> > > > > Secure Renegotiation IS NOT supported
> > > > > Compression: NONE
> > > > > Expansion: NONE
> > > > > No ALPN negotiated
> > > > > Early data was not sent
> > > > > Verify return code: 0 (ok)
> > > > > ---
> > > > > ---
> > > > > Post-Handshake New Session Ticket arrived:
> > > > > SSL-Session:
> > > > > Protocol : TLSv1.3
> > > > > Cipher : TLS_CHACHA20_POLY1305_SHA256
> > > > > Session-ID:
> > > > > FAA394DF4959235034E350399A968F5C945D413F68CC5D29191B209900735
> > > > > C01
> > > > > Session-ID-ctx:
> > > > > Resumption PSK:
> > > > > 414F9C16B3D4845BC0592B35CC2D28DBD9B807BCBCB95125870379E1AAA48
> > > > > 0C7
> > > > > PSK identity: None
> > > > > PSK identity hint: None
> > > > > TLS session ticket lifetime hint: 21600 (seconds)
> > > > > TLS session ticket:
> > > > > 0000 - 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00
> > > > > 00 ................
> > > > > 0010 - 8f 9b bb d1 0a 9e a6 0d-df d3 9d 7d 8f c1 f1
> > > > > 6b ...........}...k
> > > > > 0020 - 00 80 31 55 77 a3 b3 5c-fe 90 11 fb 8c ef b1
> > > > > 23 ..1Uw..\.......#
> > > > > 0030 - 9c 88 83 b0 33 5d 84 d6-1a 75 db 68 67 fb 57
> > > > > 3d ....3]...u.hg.W=
> > > > > 0040 - ef 71 6b 7f 22 ae fa bf-d7 0d 12 37 62 69 01
> > > > > ff .qk."......7bi..
> > > > > 0050 - 5a 78 29 97 8e ab a4 8e-e0 83 ab 0f 63 fa b4
> > > > > d9 Zx).........c...
> > > > > 0060 - 3b 08 70 38 56 db 6a 43-8c d3 e4 de 5d 1e 7e
> > > > > cb ;.p8V.jC....].~.
> > > > > 0070 - 82 63 08 cd 31 71 61 17-44 a1 98 87 8a a5 43
> > > > > 06 .c..1qa.D.....C.
> > > > > 0080 - d1 f8 aa a7 ba 3e 99 32-a9 f8 a6 14 46 bd a2
> > > > > 0e .....>.2....F...
> > > > > 0090 - 74 79 fa 24 c5 5c a2 12-81 cb 2c 85 4b 91 c1
> > > > > 1b ty.$.\....,.K...
> > > > > 00a0 - 7d c3 3d c9 6a 58 12 4e-41 b7 eb 29 9e b6 90
> > > > > 07 }.=.jX.NA..)....
> > > > > 00b0 - e1 92 dd 8d 44
> > > > > 69 ....Di
> > > > >
> > > > > Start Time: 1549799117
> > > > > Timeout : 7200 (sec)
> > > > > Verify return code: 0 (ok)
> > > > > Extended master secret: no
> > > > > Max Early Data: 0
> > > > > ---
> > > > > read R BLOCK
> > > > > closed
> > > > >
> > > > >
> > > > > Which seems strange to me since Cloudflair offers TLSv1.3 but
> > > > > unbound
> > > > > initializes only TLSv1.2 .
> > > > >
> > > > > Have check all working DoT servers from here -->
> > > > >
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers
> > > > > too,
> > > > > but no TLSv1.3 at all...
> > > > >
> > > > >
> > > > > Did someone have similar behaviors ?
> > > > >
> > > > > Best,
> > > > >
> > > > > Erik
> > > > >
> > > > >
> > > > >
> > > > >
> > >
> > >
>
>
next parent reply other threads:[~2019-03-05 17:56 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <5DEFDAC6-908C-43EB-BC66-A7BD5835626A@ipfire.org>
2019-03-05 17:56 ` ummeegge [this message]
2019-02-10 14:15 ummeegge
2019-02-13 18:05 ` Michael Tremer
2019-02-13 19:40 ` Peter Müller
2019-02-14 7:24 ` ummeegge
2019-02-14 11:11 ` Michael Tremer
2019-02-14 11:31 ` ummeegge
2019-03-07 4:16 ` ummeegge
2019-03-07 8:54 ` Michael Tremer
2019-03-07 9:05 ` ummeegge
2019-05-24 5:50 ` ummeegge
2019-02-14 6:57 ` ummeegge
2019-02-14 11:08 ` Michael Tremer
2019-02-14 11:28 ` ummeegge
2019-02-14 11:31 ` Michael Tremer
2019-02-14 14:18 ` ummeegge
2019-02-14 15:01 ` Michael Tremer
2019-02-14 15:18 ` ummeegge
2019-02-15 14:17 ` ummeegge
2019-03-05 17:17 ` ummeegge
2019-03-05 17:23 ` Michael Tremer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=dcc8b99673d5e974a5cb7c9a24c3db7ff2afad1e.camel@ipfire.org \
--to=ummeegge@ipfire.org \
--cc=development@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox