From: ummeegge
To: development@lists.ipfire.org
Subject: Re: OpenSSL-1.1.1a - No TLSv1.3 with unbound
Date: Tue, 05 Mar 2019 18:56:28 +0100
In-Reply-To: <5DEFDAC6-908C-43EB-BC66-A7BD5835626A@ipfire.org>

On Di, 2019-03-05 at 17:49 +0000, Michael Tremer wrote:
> > On 5 Mar 2019, at 17:33, ummeegge wrote:
> > 
> > Hi Michael,
> > the current/actual development state can be found in here -->
> > https://forum.ipfire.org/viewtopic.php?f=50&t=21954#p120691
> > on both machines I have the same version running.
> 
> That is a three page long thread... :D

Tried to include the summary in the starting post. But OK, I hear you :-).

> > unbound.conf is default but have integrated '--qname-minimisation
> > strict' in forward.conf if DoT is in usage since a couple of weeks
> > now for testing purposes (no bad feedback in the forum until now but
> > only two testing feedbacks). Here, the same settings are on both
> > machines?!
> 
> Probably best to ask the unbound devs then…

Probably yes!

Erik

> 
> -Michael
> 
> > 
> > Best,
> > 
> > Erik
> > 
> > On Di, 2019-03-05 at 17:23 +0000, Michael Tremer wrote:
> > > Hey,
> > > 
> > > Do you have any additional settings apart from the IPFire default
> > > unbound configuration?
> > > 
> > > -Michael
> > > 
> > > > On 5 Mar 2019, at 17:17, ummeegge wrote:
> > > > 
> > > > Hi all,
> > > > really was hoping that things are changing with the testings of
> > > > Core 128 and was then happy to see that OpenSSL-1.1.1b addresses a
> > > > potential problem/solution -->
> > > > https://www.openssl.org/news/changelog.html#x1
> > > > but it doesn't...
> > > > Have currently Core 129 with unbound -1.9.0 and OpenSSL-1.1.1b
> > > > installed -->
> > > > 
> > > > Version 1.9.0
> > > > linked libs: libevent 2.1.8-stable (it uses epoll), OpenSSL
> > > > 1.1.1b 26 Feb 2019
> > > > linked modules: dns64 respip validator iterator
> > > > BSD licensed, see LICENSE in source package for details.
> > > > Report bugs to unbound-bugs(a)nlnetlabs.nl
> > > > 
> > > > but (only?) unbound uses no TLSv1.3 (curl and Apache does),
> > > > tested with Quad9 and Cloudflare -->
> > > > 
> > > > 
> > > > ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1),
> > > > server(9.9.9.9), port(853), protocol(TCP)
> > > > ;; DEBUG: TLS, imported 135 certificates from
> > > > '/etc/ssl/certs/ca-bundle.crt'
> > > > ;; DEBUG: TLS, received certificate hierarchy:
> > > > ;; DEBUG: #1, C=US,ST=California,L=Berkeley,O=Quad9,CN=*.quad9.net
> > > > ;; DEBUG: SHA-256 PIN: /SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg=
> > > > ;; DEBUG: #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
> > > > ;; DEBUG: SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
> > > > ;; DEBUG: TLS, skipping certificate PIN check
> > > > ;; DEBUG: TLS, The certificate is trusted.
> > > > ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(CHACHA20-POLY1305)
> > > > ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 10011
> > > > ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1
> > > > 
> > > > ;; EDNS PSEUDOSECTION:
> > > > ;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: NOERROR
> > > > 
> > > > ;; QUESTION SECTION:
> > > > ;; www.isoc.org.  IN  A
> > > > 
> > > > ;; ANSWER SECTION:
> > > > www.isoc.org.  300  IN  A  46.43.36.222
> > > > www.isoc.org.  300  IN  RRSIG  A 7 3 300 20190319085001 20190305085001 54512 isoc.org.
> > > > Mapbxw7G2F4QRTgrFg9P2uA2GYz2YnJIQu58t9MRdQJi4MU2EJeWqCRdUpy0kCH
> > > > VCxD
> > > > cDln9u+hnlF271IjZG/fTPGhw0A4bgCtHXXqAr/89b83maNRuYw/DVO4JI20z4+
> > > > 7TYY
> > > > 18yQinutvZUvzobmUebXVPWhNsRPLHbb4tOeI=
> > > > 
> > > > ;; Received 225 B
> > > > ;; Time 2019-03-05 18:09:18 CET
> > > > ;; From 9.9.9.9(a)853(TCP) in 142.4 ms
> > > > 
> > > > Exit status: 0
> > > > 
> > > > ====================================================================
> > > > 
> > > > ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1),
> > > > server(1.1.1.1), port(853), protocol(TCP)
> > > > ;; DEBUG: TLS, imported 135 certificates from
> > > > '/etc/ssl/certs/ca-bundle.crt'
> > > > ;; DEBUG: TLS, received certificate hierarchy:
> > > > ;; DEBUG: #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
> > > > ;; DEBUG: SHA-256 PIN: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
> > > > ;; DEBUG: #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
> > > > ;; DEBUG: SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
> > > > ;; DEBUG: TLS, skipping certificate PIN check
> > > > ;; DEBUG: TLS, The certificate is trusted.
> > > > ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
> > > > ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 24241
> > > > ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1
> > > > 
> > > > ;; EDNS PSEUDOSECTION:
> > > > ;; Version: 0; flags: do; UDP size: 1452 B; ext-rcode: NOERROR
> > > > ;; PADDING: 239 B
> > > > 
> > > > ;; QUESTION SECTION:
> > > > ;; www.isoc.org.  IN  A
> > > > 
> > > > ;; ANSWER SECTION:
> > > > www.isoc.org.  300  IN  A  46.43.36.222
> > > > www.isoc.org.  300  IN  RRSIG  A 7 3 300 20190319085001 20190305085001 54512 isoc.org.
> > > > Mapbxw7G2F4QRTgrFg9P2uA2GYz2YnJIQu58t9MRdQJi4MU2EJeWqCRdUpy0kCH
> > > > VCxD
> > > > cDln9u+hnlF271IjZG/fTPGhw0A4bgCtHXXqAr/89b83maNRuYw/DVO4JI20z4+
> > > > 7TYY
> > > > 18yQinutvZUvzobmUebXVPWhNsRPLHbb4tOeI=
> > > > 
> > > > ;; Received 468 B
> > > > ;; Time 2019-03-05 18:09:24 CET
> > > > ;; From 1.1.1.1(a)853(TCP) in 19.3 ms
> > > > 
> > > > Exit status: 0
> > > > 
> > > > 
> > > > whereby my "old" machine with unbound -->
> > > > Version 1.8.1
> > > > linked libs: libevent 2.1.8-stable (it uses epoll), OpenSSL
> > > > 1.1.1a 20 Nov 2018
> > > > linked modules: dns64 respip validator iterator
> > > > BSD licensed, see LICENSE in source package for details.
> > > > Report bugs to unbound-bugs(a)nlnetlabs.nl
> > > > 
> > > > uses it -->
> > > > 
> > > > 
> > > > ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1),
> > > > server(1.1.1.1), port(853), protocol(TCP)
> > > > ;; DEBUG: TLS, imported 128 certificates from
> > > > '/etc/ssl/certs/ca-bundle.crt'
> > > > ;; DEBUG: TLS, received certificate hierarchy:
> > > > ;; DEBUG: #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
> > > > ;; DEBUG: SHA-256 PIN: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
> > > > ;; DEBUG: #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
> > > > ;; DEBUG: SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
> > > > ;; DEBUG: TLS, skipping certificate PIN check
> > > > ;; DEBUG: TLS, The certificate is trusted.
> > > > ;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
> > > > ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 5997
> > > > ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1
> > > > 
> > > > ;; EDNS PSEUDOSECTION:
> > > > ;; Version: 0; flags: do; UDP size: 1452 B; ext-rcode: NOERROR
> > > > ;; PADDING: 239 B
> > > > 
> > > > ;; QUESTION SECTION:
> > > > ;; www.isoc.org.  IN  A
> > > > 
> > > > ;; ANSWER SECTION:
> > > > www.isoc.org.  158  IN  A  46.43.36.222
> > > > www.isoc.org.  158  IN  RRSIG  A 7 3 300 20190319085001 20190305085001 54512 isoc.org.
> > > > Mapbxw7G2F4QRTgrFg9P2uA2GYz2YnJIQu58t9MRdQJi4MU2EJeWqCRdUpy0kCH
> > > > VCxD
> > > > cDln9u+hnlF271IjZG/fTPGhw0A4bgCtHXXqAr/89b83maNRuYw/DVO4JI20z4+
> > > > 7TYY
> > > > 18yQinutvZUvzobmUebXVPWhNsRPLHbb4tOeI=
> > > > 
> > > > ;; Received 468 B
> > > > ;; Time 2019-03-05 18:11:44 CET
> > > > ;; From 1.1.1.1(a)853(TCP) in 47.5 ms
> > > > 
> > > > Exit status: 0
> > > > 
> > > > ====================================================================
> > > > 
> > > > 
> > > > ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1),
> > > > server(9.9.9.9), port(853), protocol(TCP)
> > > > ;; DEBUG: TLS, imported 128 certificates from
> > > > '/etc/ssl/certs/ca-bundle.crt'
> > > > ;; DEBUG: TLS, received certificate hierarchy:
> > > > ;; DEBUG: #1, C=US,ST=California,L=Berkeley,O=Quad9,CN=*.quad9.net
> > > > ;; DEBUG: SHA-256 PIN: /SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg=
> > > > ;; DEBUG: #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
> > > > ;; DEBUG: SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
> > > > ;; DEBUG: TLS, skipping certificate PIN check
> > > > ;; DEBUG: TLS, The certificate is trusted.
> > > > ;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
> > > > ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 13744
> > > > ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1
> > > > 
> > > > ;; EDNS PSEUDOSECTION:
> > > > ;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: NOERROR
> > > > 
> > > > ;; QUESTION SECTION:
> > > > ;; www.isoc.org.  IN  A
> > > > 
> > > > ;; ANSWER SECTION:
> > > > www.isoc.org.  300  IN  A  46.43.36.222
> > > > www.isoc.org.  300  IN  RRSIG  A 7 3 300 20190319085001 20190305085001 54512 isoc.org.
> > > > Mapbxw7G2F4QRTgrFg9P2uA2GYz2YnJIQu58t9MRdQJi4MU2EJeWqCRdUpy0kCH
> > > > VCxD
> > > > cDln
> > > > 9u+hnlF271IjZG/fTPGhw0A4bgCtHXXqAr/89b83maNRuYw/DVO4JI20z4+7TYY
> > > > 18yQ
> > > > inut
> > > > vZUvzobmUebXVPWhNsRPLHbb4tOeI=
> > > > 
> > > > ;; Received 225 B
> > > > ;; Time 2019-03-05 18:11:44 CET
> > > > ;; From 9.9.9.9(a)853(TCP) in 286.9 ms
> > > > 
> > > > Exit status: 0
> > > > 
> > > > 
> > > > Haven't found until now a reason for this! Maybe someone else did
> > > > some tests / has an idea?
> > > > 
> > > > 
> > > > Best,
> > > > 
> > > > Erik
> > > > 
> > > > 
> > > > 
> > > > On So, 2019-02-10 at 15:15 +0100, ummeegge wrote:
> > > > > Hi all,
> > > > > did a fresh install from origin/next of Core 128 with the new
> > > > > OpenSSL-1.1.1a . Have checked also DNS-over-TLS which works well
> > > > > but kdig points out that the TLS session operates only with
> > > > > TLSv1.2 instead of the new delivered TLSv1.3 .
> > > > > 
> > > > > A test with Cloudflare (which uses TLSv1.3) looks like this -->
> > > > > 
> > > > > kdig Test:
> > > > > 
> > > > > 
> > > > > ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1),
> > > > > server(1.1.1.1), port(853), protocol(TCP)
> > > > > ;; DEBUG: TLS, imported 135 certificates from
> > > > > '/etc/ssl/certs/ca-bundle.crt'
> > > > > ;; DEBUG: TLS, received certificate hierarchy:
> > > > > ;; DEBUG: #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
> > > > > ;; DEBUG: SHA-256 PIN: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
> > > > > ;; DEBUG: #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
> > > > > ;; DEBUG: SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
> > > > > ;; DEBUG: TLS, skipping certificate PIN check
> > > > > ;; DEBUG: TLS, The certificate is trusted.
> > > > > ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
> > > > > ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 51175
> > > > > ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1
> > > > > 
> > > > > ;; EDNS PSEUDOSECTION:
> > > > > ;; Version: 0; flags: do; UDP size: 1452 B; ext-rcode: NOERROR
> > > > > ;; PADDING: 239 B
> > > > > 
> > > > > ;; QUESTION SECTION:
> > > > > ;; www.isoc.org.  IN  A
> > > > > 
> > > > > ;; ANSWER SECTION:
> > > > > www.isoc.org.  300  IN  A  46.43.36.222
> > > > > www.isoc.org.  300  IN  RRSIG  A 7 3 300 20190224085001 20190210085001 45830 isoc.org.
> > > > > g64C7zJUL1zqUBbcZVDcEKO05EHz19ZHwxr4i8kTieW8XgX63lLZwhJTL1UK0
> > > > > NxOG
> > > > > CPOZ
> > > > > SVthWBp9HF9WnFjPsxsfkrxkOoz/Hcl1ZuTpWUTBLfBKqnpPJm2NJ2yoR7hPe
> > > > > rUvt
> > > > > l0sH
> > > > > JnIOczrHnAlCwZBo8OOw9tlW0va+706ZQ=
> > > > > 
> > > > > ;; Received 468 B
> > > > > ;; Time 2019-02-10 12:40:19 CET
> > > > > ;; From 1.1.1.1(a)853(TCP) in 18.0 ms
> > > > > 
> > > > > 
> > > > > 
> > > > > And a test with s_client:
> > > > > 
> > > > > [root(a)ipfire tmp]# openssl s_client -connect 1.1.1.1:853
> > > > > CONNECTED(00000003)
> > > > > depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
> > > > > verify return:1
> > > > > depth=1 C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
> > > > > verify return:1
> > > > > depth=0 C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = cloudflare-dns.com
> > > > > verify return:1
> > > > > ---
> > > > > Certificate chain
> > > > >  0 s:C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = cloudflare-dns.com
> > > > >    i:C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
> > > > >  1 s:C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
> > > > >    i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
> > > > > ---
> > > > > Server certificate
> > > > > -----BEGIN CERTIFICATE-----
> > > > > MIIFxjCCBUygAwIBAgIQAczjGN6fVn+rKySQH62nHTAKBggqhkjOPQQDAjBMM
> > > > > Qsw
> > > > > CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSYwJAYDVQQDEx1Ea
> > > > > Wdp
> > > > > Q2VydCBFQ0MgU2VjdXJlIFNlcnZlciBDQTAeFw0xOTAxMjgwMDAwMDBaFw0yM
> > > > > TAy
> > > > > MDExMjAwMDBaMHIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhM
> > > > > RYw
> > > > > FAYDVQQHEw1TYW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZGZsYXJlLCBJb
> > > > > mMu
> > > > > MRswGQYDVQQDExJjbG91ZGZsYXJlLWRucy5jb20wWTATBgcqhkjOPQIBBggqh
> > > > > kjO
> > > > > PQMBBwNCAATFIHCMIEJQKB59REF8MHkpHGNeHUSbxfdxOive0qKksWw9ash3u
> > > > > MuP
> > > > > LlBT/fQYJn9hN+3/wr7pC125fuHfHOJ0o4ID6DCCA+QwHwYDVR0jBBgwFoAUo
> > > > > 53m
> > > > > H/naOU/AbuiRy5Wl2jHiCp8wHQYDVR0OBBYEFHCV3FyjjmYH28uBEMar58OoR
> > > > > X+g
> > > > > MIGsBgNVHREEgaQwgaGCEmNsb3VkZmxhcmUtZG5zLmNvbYIUKi5jbG91ZGZsY
> > > > > XJl
> > > > > LWRucy5jb22CD29uZS5vbmUub25lLm9uZYcEAQEBAYcEAQAAAYcEop+ENYcQJ
> > > > > gZH
> > > > > AEcAAAAAAAAAAAAREYcQJgZHAEcAAAAAAAAAAAAQAYcQJgZHAEcAAAAAAAAAA
> > > > > AAA
> > > > > ZIcQJgZHAEcAAAAAAAAAAABkAIcEop8kAYcEop8uATAOBgNVHQ8BAf8EBAMCB
> > > > > 4Aw
> > > > > HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGkGA1UdHwRiMGAwLqAso
> > > > > CqG
> > > > > KGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9zc2NhLWVjYy1nMS5jcmwwLqAso
> > > > > CqG
> > > > > KGh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zc2NhLWVjYy1nMS5jcmwwTAYDV
> > > > > R0g
> > > > > BEUwQzA3BglghkgBhv1sAQEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZ
> > > > > Gln
> > > > > aWNlcnQuY29tL0NQUzAIBgZngQwBAgIwewYIKwYBBQUHAQEEbzBtMCQGCCsGA
> > > > > QUF
> > > > > BzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRQYIKwYBBQUHMAKGOWh0d
> > > > > HA6
> > > > > Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEVDQ1NlY3VyZVNlcnZlc
> > > > > kNB
> > > > > LmNydDAMBgNVHRMBAf8EAjAAMIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWgAd
> > > > > gCk
> > > > > uQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3cEAAAAWiVHhSLAAAEAwBHM
> > > > > EUC
> > > > > IQDlnoPeMXtFkRsy3Vs0eovk3ILKt01x6bgUdMlmQTFIvAIgcAn0lFSjiGzHm
> > > > > 2eO
> > > > > jDZJzMiP5Uaj0Jwub9GO8RkxkkoAdQCHdb/nWXz4jEOZX73zbv9WjUdWNv9Kt
> > > > > WDB
> > > > > tOr/XqCDDwAAAWiVHhVsAAAEAwBGMEQCIFC0n0JModeol8b/Qicxd5Blf/o7x
> > > > > Os/
> > > > > Bk0j9hdc5N7jAiAQocYnHL9iMqTtFkh0vmSsII5NbiakM/2yDEXnwkPRvAB3A
> > > > > LvZ
> > > > > 37wfinG1k5Qjl6qSe0c4V5UKq1LoGpCWZDaOHtGFAAABaJUeFJEAAAQDAEgwR
> > > > > gIh
> > > > > AL3OPTBzOZpS5rS/uLzqMOiACCFQyY+mTJ+L0I9TcB3RAiEA4+SiPz0/5kFxv
> > > > > rk7
> > > > > AKYKdvelgV1hiiPbM2YHY+/0BIkwCgYIKoZIzj0EAwIDaAAwZQIwez76hX2HT
> > > > > Mur
> > > > > /I3XRuwfdmVoa8J6ZVEVq+AZsE7DyQh7AV4WNLU+092BrPbnyVUFAjEAzUf5j
> > > > > dz1
> > > > > pyc74lgOunC7LBE6cPtWbzfGpJiYyT/T+c5eIAwRYziKT0DKbaql7tiZ
> > > > > -----END CERTIFICATE-----
> > > > > subject=C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = cloudflare-dns.com
> > > > > 
> > > > > issuer=C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
> > > > > 
> > > > > ---
> > > > > No client certificate CA names sent
> > > > > Peer signing digest: SHA256
> > > > > Peer signature type: ECDSA
> > > > > Server Temp Key: X25519, 253 bits
> > > > > ---
> > > > > SSL handshake has read 2787 bytes and written 421 bytes
> > > > > Verification: OK
> > > > > ---
> > > > > New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256
> > > > > Server public key is 256 bit
> > > > > Secure Renegotiation IS NOT supported
> > > > > Compression: NONE
> > > > > Expansion: NONE
> > > > > No ALPN negotiated
> > > > > Early data was not sent
> > > > > Verify return code: 0 (ok)
> > > > > ---
> > > > > ---
> > > > > Post-Handshake New Session Ticket arrived:
> > > > > SSL-Session:
> > > > >     Protocol  : TLSv1.3
> > > > >     Cipher    : TLS_CHACHA20_POLY1305_SHA256
> > > > >     Session-ID: FAA394DF4959235034E350399A968F5C945D413F68CC5D29191B209900735C01
> > > > >     Session-ID-ctx:
> > > > >     Resumption PSK: 414F9C16B3D4845BC0592B35CC2D28DBD9B807BCBCB95125870379E1AAA480C7
> > > > >     PSK identity: None
> > > > >     PSK identity hint: None
> > > > >     TLS session ticket lifetime hint: 21600 (seconds)
> > > > >     TLS session ticket:
> > > > >     0000 - 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
> > > > >     0010 - 8f 9b bb d1 0a 9e a6 0d-df d3 9d 7d 8f c1 f1 6b   ...........}...k
> > > > >     0020 - 00 80 31 55 77 a3 b3 5c-fe 90 11 fb 8c ef b1 23   ..1Uw..\.......#
> > > > >     0030 - 9c 88 83 b0 33 5d 84 d6-1a 75 db 68 67 fb 57 3d   ....3]...u.hg.W=
> > > > >     0040 - ef 71 6b 7f 22 ae fa bf-d7 0d 12 37 62 69 01 ff   .qk."......7bi..
> > > > >     0050 - 5a 78 29 97 8e ab a4 8e-e0 83 ab 0f 63 fa b4 d9   Zx).........c...
> > > > >     0060 - 3b 08 70 38 56 db 6a 43-8c d3 e4 de 5d 1e 7e cb   ;.p8V.jC....].~.
> > > > >     0070 - 82 63 08 cd 31 71 61 17-44 a1 98 87 8a a5 43 06   .c..1qa.D.....C.
> > > > >     0080 - d1 f8 aa a7 ba 3e 99 32-a9 f8 a6 14 46 bd a2 0e   .....>.2....F...
> > > > >     0090 - 74 79 fa 24 c5 5c a2 12-81 cb 2c 85 4b 91 c1 1b   ty.$.\....,.K...
> > > > >     00a0 - 7d c3 3d c9 6a 58 12 4e-41 b7 eb 29 9e b6 90 07   }.=.jX.NA..)....
> > > > >     00b0 - e1 92 dd 8d 44 69                                 ....Di
> > > > > 
> > > > >     Start Time: 1549799117
> > > > >     Timeout   : 7200 (sec)
> > > > >     Verify return code: 0 (ok)
> > > > >     Extended master secret: no
> > > > >     Max Early Data: 0
> > > > > ---
> > > > > read R BLOCK
> > > > > closed
> > > > > 
> > > > > 
> > > > > Which seems strange to me since Cloudflare offers TLSv1.3 but
> > > > > unbound initializes only TLSv1.2 .
> > > > > 
> > > > > Have checked all working DoT servers from here -->
> > > > > https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers
> > > > > too, but no TLSv1.3 at all...
> > > > > 
> > > > > 
> > > > > Did someone have similar behaviours?
> > > > > 
> > > > > Best,
> > > > > 
> > > > > Erik
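The thread compares the ";; TLS session (...)" line of several kdig runs by eye to see which resolver negotiated TLS 1.2 and which TLS 1.3. The script below is an added example, not code from this thread, from IPFire, unbound or Knot; it parses that kdig debug output (the line shapes quoted above: the ";; DEBUG: Querying for ... server(...), port(...)" line, the "The certificate is trusted." line, the ";; TLS session (TLSx.y)-..." line and the ";; From ... in N ms" line) into one record per connection and flags every session that did not complete, was not reported trusted, or landed below a required TLS version. The input is a constructed excerpt of three of the runs shown above, with the list archive's "(a)" written back as "@"; the regexes are assumptions drawn from those quoted lines, not from kdig's documentation.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the query, trust, session and timing lines of three
# kdig runs quoted in the thread (Quad9 and Cloudflare from the Core 129 box,
# then Cloudflare from the Core 128 box). The archive's "(a)" is "@" again.
SAMPLE_KDIG = """\
;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1), server(9.9.9.9), port(853), protocol(TCP)
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(CHACHA20-POLY1305)
;; From 9.9.9.9@853(TCP) in 142.4 ms
;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
;; From 1.1.1.1@853(TCP) in 19.3 ms
;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; From 1.1.1.1@853(TCP) in 47.5 ms
"""

# Line shapes as they appear in the quoted kdig output (assumed, not taken
# from kdig's documentation).
QUERY_RE = re.compile(r"^;; DEBUG: Querying for .*server\(([^)]+)\), port\((\d+)\)")
TRUSTED_RE = re.compile(r"^;; DEBUG: TLS, The certificate is trusted\.$")
SESSION_RE = re.compile(r"^;; TLS session \((TLS\d+\.\d+)\)-(.*)$")
ELAPSED_RE = re.compile(r"^;; From \S+ in ([0-9.]+) ms$")


@dataclass
class DotSession:
    server: str
    port: int
    version: Optional[str] = None   # e.g. "TLS1.3"; None if no session line seen
    suite: Optional[str] = None     # the "(kx)-(auth)-(cipher)" tail as printed
    cert_trusted: bool = False
    elapsed_ms: Optional[float] = None


def parse_kdig(text: str) -> List[DotSession]:
    """Split kdig debug output into one record per query/connection."""
    sessions: List[DotSession] = []
    cur: Optional[DotSession] = None
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            # A new "Querying for" line starts a new connection record.
            cur = DotSession(server=m.group(1), port=int(m.group(2)))
            sessions.append(cur)
            continue
        if cur is None:
            continue  # lines before the first query are not ours
        if TRUSTED_RE.match(line):
            cur.cert_trusted = True
            continue
        m = SESSION_RE.match(line)
        if m:
            cur.version, cur.suite = m.group(1), m.group(2)
            continue
        m = ELAPSED_RE.match(line)
        if m:
            cur.elapsed_ms = float(m.group(1))
    return sessions


def version_tuple(version: str) -> Tuple[int, int]:
    """'TLS1.2' -> (1, 2), so protocol versions compare numerically."""
    major, minor = version[len("TLS"):].split(".")
    return int(major), int(minor)


def check_sessions(sessions: List[DotSession], minimum: str = "TLS1.3") -> List[str]:
    """One finding per session that misses the policy.

    Three distinct failure modes are reported separately, because they have
    different causes: no session line at all (handshake never completed),
    a chain kdig did not report as trusted, and a handshake that completed
    but at a protocol version older than `minimum`.
    """
    findings: List[str] = []
    floor = version_tuple(minimum)
    for s in sessions:
        where = f"{s.server}:{s.port}"
        if s.version is None:
            findings.append(f"{where}: no TLS session line (handshake did not complete?)")
            continue
        if not s.cert_trusted:
            findings.append(f"{where}: certificate not reported as trusted")
        if version_tuple(s.version) < floor:
            findings.append(f"{where}: negotiated {s.version} (< {minimum}) with {s.suite}")
    return findings


if __name__ == "__main__":
    parsed = parse_kdig(SAMPLE_KDIG)
    for s in parsed:
        print(f"{s.server}:{s.port}  {s.version}  {s.suite}  trusted={s.cert_trusted}  {s.elapsed_ms} ms")
    for finding in check_sessions(parsed):
        print("FINDING:", finding)
```

Feed it the debug output of a kdig run made with debugging and TLS enabled (kdig's `-d` and `+tls` options) from each box and the findings list shows directly which upstream fell back to TLS 1.2 and with which suite; running the same capture with `minimum="TLS1.2"` gives an empty list, which separates "below policy" from "broken". Because the parser keys on the "Querying for ... server(...)" line, a file that concatenates several runs (as the posts above do) yields one record per run.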