Re: OpenSSL-1.1.1a - No TLSv1.3 with unbound

Re: OpenSSL-1.1.1a - No TLSv1.3 with unbound

[ummeegge]

[-- Attachment #1: Type: text/plain, Size: 19592 bytes --]

On Di, 2019-03-05 at 17:49 +0000, Michael Tremer wrote:
> > On 5 Mar 2019, at 17:33, ummeegge <ummeegge(a)ipfire.org> wrote:
> > 
> > Hi Michael,
> > the current/actual development state can be found in here -->
> > https://forum.ipfire.org/viewtopic.php?f=50&t=21954#p120691
> > on both machines i have the same version running.
> 
> That is a three page long thread...
:D tried to include the summary in the starting post. But OK i hear you
:-).


> 
> > unbound.conf is default but have integrated '--qname-minimisation
> > strict' in forward.conf if Dot is in usage since a couple of weeks
> > now
> > for testing purposes (no bad feedback in the forum until now but
> > only
> > two testing feedbacks). Here, the same settings are on both
> > machines?!
> 
> Probably best to ask the unbound devs then…
Probably yes!

Erik

> 
> -Michael
> 
> > 
> > Best,
> > 
> > Erik
> > 
> > On Di, 2019-03-05 at 17:23 +0000, Michael Tremer wrote:
> > > Hey,
> > > 
> > > Do you have any additional settings apart from the IPFire default
> > > unbound configuration?
> > > 
> > > -Michael
> > > 
> > > > On 5 Mar 2019, at 17:17, ummeegge <ummeegge(a)ipfire.org> wrote:
> > > > 
> > > > Hi all,
> > > > really was hoping that things are changing with the testings of
> > > > Core
> > > > 128 and was then happy to see that OpenSSL-1.1.1b addresses a
> > > > potential
> > > > problem/solution  --> 
> > > > https://www.openssl.org/news/changelog.html#x1
> > > > but it doesn´t...
> > > > Have currently Core 129 with unbound -1.9.0 and OpenSSL-1.1.1b
> > > > installed -->
> > > > 
> > > > Version 1.9.0
> > > > linked libs: libevent 2.1.8-stable (it uses epoll), OpenSSL
> > > > 1.1.1b  26 Feb 2019
> > > > linked modules: dns64 respip validator iterator
> > > > BSD licensed, see LICENSE in source package for details.
> > > > Report bugs to unbound-bugs(a)nlnetlabs.nl
> > > > 
> > > > but (only?) unbound uses no TLSv1.3 (curl and Apache does),
> > > > tested
> > > > with Quad9 and Cloudflare -->
> > > > 
> > > > 
> > > > ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1),
> > > > server(9.9.9.9), port(853), protocol(TCP)
> > > > ;; DEBUG: TLS, imported 135 certificates from
> > > > '/etc/ssl/certs/ca-
> > > > bundle.crt'
> > > > ;; DEBUG: TLS, received certificate hierarchy:
> > > > ;; DEBUG:  #1,
> > > > C=US,ST=California,L=Berkeley,O=Quad9,CN=*.quad9.net
> > > > ;; DEBUG:      SHA-256 PIN:
> > > > /SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg=
> > > > ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure
> > > > Server CA
> > > > ;; DEBUG:      SHA-256 PIN:
> > > > PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
> > > > ;; DEBUG: TLS, skipping certificate PIN check
> > > > ;; DEBUG: TLS, The certificate is trusted. 
> > > > ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(CHACHA20-
> > > > POLY1305)
> > > > ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 10011
> > > > ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0;
> > > > ADDITIONAL: 1
> > > > 
> > > > ;; EDNS PSEUDOSECTION:
> > > > ;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: NOERROR
> > > > 
> > > > ;; QUESTION SECTION:
> > > > ;; www.isoc.org.       		IN	A
> > > > 
> > > > ;; ANSWER SECTION:
> > > > www.isoc.org.       	300	IN	A	46.43.36.222
> > > > www.isoc.org.       	300	IN	RRSIG	A 7 3 300
> > > > 20190319085001 20190305085001 54512 isoc.org.
> > > > Mapbxw7G2F4QRTgrFg9P2uA2GYz2YnJIQu58t9MRdQJi4MU2EJeWqCRdUpy0kCH
> > > > VCxD
> > > > cDln9u+hnlF271IjZG/fTPGhw0A4bgCtHXXqAr/89b83maNRuYw/DVO4JI20z4+
> > > > 7TYY
> > > > 18yQinutvZUvzobmUebXVPWhNsRPLHbb4tOeI=
> > > > 
> > > > ;; Received 225 B
> > > > ;; Time 2019-03-05 18:09:18 CET
> > > > ;; From 9.9.9.9(a)853(TCP) in 142.4 ms
> > > > 
> > > > Exit status: 0
> > > > 
> > > > ===============================================================
> > > > ====
> > > > =====================================================
> > > > 
> > > > ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1),
> > > > server(1.1.1.1), port(853), protocol(TCP)
> > > > ;; DEBUG: TLS, imported 135 certificates from
> > > > '/etc/ssl/certs/ca-
> > > > bundle.crt'
> > > > ;; DEBUG: TLS, received certificate hierarchy:
> > > > ;; DEBUG:  #1, C=US,ST=California,L=San
> > > > Francisco,O=Cloudflare\,
> > > > Inc.,CN=cloudflare-dns.com
> > > > ;; DEBUG:      SHA-256 PIN:
> > > > V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
> > > > ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure
> > > > Server CA
> > > > ;; DEBUG:      SHA-256 PIN:
> > > > PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
> > > > ;; DEBUG: TLS, skipping certificate PIN check
> > > > ;; DEBUG: TLS, The certificate is trusted. 
> > > > ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
> > > > ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 24241
> > > > ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0;
> > > > ADDITIONAL: 1
> > > > 
> > > > ;; EDNS PSEUDOSECTION:
> > > > ;; Version: 0; flags: do; UDP size: 1452 B; ext-rcode: NOERROR
> > > > ;; PADDING: 239 B
> > > > 
> > > > ;; QUESTION SECTION:
> > > > ;; www.isoc.org.       		IN	A
> > > > 
> > > > ;; ANSWER SECTION:
> > > > www.isoc.org.       	300	IN	A	46.43.36.222
> > > > www.isoc.org.       	300	IN	RRSIG	A 7 3 300
> > > > 20190319085001 20190305085001 54512 isoc.org.
> > > > Mapbxw7G2F4QRTgrFg9P2uA2GYz2YnJIQu58t9MRdQJi4MU2EJeWqCRdUpy0kCH
> > > > VCxD
> > > > cDln9u+hnlF271IjZG/fTPGhw0A4bgCtHXXqAr/89b83maNRuYw/DVO4JI20z4+
> > > > 7TYY
> > > > 18yQinutvZUvzobmUebXVPWhNsRPLHbb4tOeI=
> > > > 
> > > > ;; Received 468 B
> > > > ;; Time 2019-03-05 18:09:24 CET
> > > > ;; From 1.1.1.1(a)853(TCP) in 19.3 ms
> > > > 
> > > > Exit status: 0
> > > > 
> > > > 
> > > > whereby my "old" machine with unbound -->
> > > > Version 1.8.1
> > > > linked libs: libevent 2.1.8-stable (it uses epoll), OpenSSL
> > > > 1.1.1a  20 Nov 2018
> > > > linked modules: dns64 respip validator iterator
> > > > BSD licensed, see LICENSE in source package for details.
> > > > Report bugs to unbound-bugs(a)nlnetlabs.nl
> > > > 
> > > > uses it -->
> > > > 
> > > > 
> > > > 
> > > > ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1),
> > > > server(1.1.1.1), port(853), protocol(TCP)
> > > > ;; DEBUG: TLS, imported 128 certificates from
> > > > '/etc/ssl/certs/ca-
> > > > bundle.crt'
> > > > ;; DEBUG: TLS, received certificate hierarchy:
> > > > ;; DEBUG:  #1, C=US,ST=California,L=San
> > > > Francisco,O=Cloudflare\,
> > > > Inc.,CN=cloudflare-dns.com
> > > > ;; DEBUG:      SHA-256 PIN:
> > > > V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
> > > > ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure
> > > > Server CA
> > > > ;; DEBUG:      SHA-256 PIN:
> > > > PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
> > > > ;; DEBUG: TLS, skipping certificate PIN check
> > > > ;; DEBUG: TLS, The certificate is trusted. 
> > > > ;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-
> > > > SHA256)-
> > > > (AES-256-GCM)
> > > > ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 5997
> > > > ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0;
> > > > ADDITIONAL: 1
> > > > 
> > > > ;; EDNS PSEUDOSECTION:
> > > > ;; Version: 0; flags: do; UDP size: 1452 B; ext-rcode: NOERROR
> > > > ;; PADDING: 239 B
> > > > 
> > > > ;; QUESTION SECTION:
> > > > ;; www.isoc.org.       		IN	A
> > > > 
> > > > ;; ANSWER SECTION:
> > > > www.isoc.org.       	158	IN	A	46.43.36.222
> > > > www.isoc.org.       	158	IN	RRSIG	A 7 3 300
> > > > 20190319085001 20190305085001 54512 isoc.org.
> > > > Mapbxw7G2F4QRTgrFg9P2uA2GYz2YnJIQu58t9MRdQJi4MU2EJeWqCRdUpy0kCH
> > > > VCxD
> > > > cDln9u+hnlF271IjZG/fTPGhw0A4bgCtHXXqAr/89b83maNRuYw/DVO4JI20z4+
> > > > 7TYY
> > > > 18yQinutvZUvzobmUebXVPWhNsRPLHbb4tOeI=
> > > > 
> > > > ;; Received 468 B
> > > > ;; Time 2019-03-05 18:11:44 CET
> > > > ;; From 1.1.1.1(a)853(TCP) in 47.5 ms
> > > > 
> > > > Exit status: 0
> > > > 
> > > > ===============================================================
> > > > ====
> > > > ====
> > > > 
> > > > 
> > > > ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1),
> > > > server(9.9.9.9), port(853), protocol(TCP)
> > > > ;; DEBUG: TLS, imported 128 certificates from
> > > > '/etc/ssl/certs/ca-
> > > > bundle.crt'
> > > > ;; DEBUG: TLS, received certificate hierarchy:
> > > > ;; DEBUG:  #1,
> > > > C=US,ST=California,L=Berkeley,O=Quad9,CN=*.quad9.net
> > > > ;; DEBUG:      SHA-256 PIN:
> > > > /SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg=
> > > > ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure
> > > > Server CA
> > > > ;; DEBUG:      SHA-256 PIN:
> > > > PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
> > > > ;; DEBUG: TLS, skipping certificate PIN check
> > > > ;; DEBUG: TLS, The certificate is trusted. 
> > > > ;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-
> > > > SHA256)-
> > > > (AES-256-GCM)
> > > > ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 13744
> > > > ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0;
> > > > ADDITIONAL: 1
> > > > 
> > > > ;; EDNS PSEUDOSECTION:
> > > > ;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: NOERROR
> > > > 
> > > > ;; QUESTION SECTION:
> > > > ;; www.isoc.org.       		IN	A
> > > > 
> > > > ;; ANSWER SECTION:
> > > > www.isoc.org.       	300	IN	A	46.43.36.222
> > > > www.isoc.org.       	300	IN	RRSIG	A 7 3 300
> > > > 20190319085001 20190305085001 54512 isoc.org.
> > > > Mapbxw7G2F4QRTgrFg9P2uA2GYz2YnJIQu58t9MRdQJi4MU2EJeWqCRdUpy0kCH
> > > > VCxD
> > > > cDln
> > > > 9u+hnlF271IjZG/fTPGhw0A4bgCtHXXqAr/89b83maNRuYw/DVO4JI20z4+7TYY
> > > > 18yQ
> > > > inut
> > > > vZUvzobmUebXVPWhNsRPLHbb4tOeI=
> > > > 
> > > > ;; Received 225 B
> > > > ;; Time 2019-03-05 18:11:44 CET
> > > > ;; From 9.9.9.9(a)853(TCP) in 286.9 ms
> > > > 
> > > > Exit status: 0
> > > > 
> > > > 
> > > > Haven´t found until now a reason for this ! May someone else
> > > > did
> > > > some
> > > > tests/have_an_idea ?
> > > > 
> > > > 
> > > > Best,
> > > > 
> > > > Erik
> > > > 
> > > > 
> > > > 
> > > > On So, 2019-02-10 at 15:15 +0100, ummeegge wrote:
> > > > > Hi all,
> > > > > did an fresh install from origin/next of Core 128 with the
> > > > > new
> > > > > OpenSSL-
> > > > > 1.1.1a . Have checked also DNS-over-TLS which works well but
> > > > > kdig
> > > > > points out that the TLS sessions operates only with TLSv1.2
> > > > > instaed
> > > > > of
> > > > > the new delivered TLSv1.3 .
> > > > > 
> > > > > A test with Cloudflair (which uses TLSv1.3) looks like this
> > > > > -->
> > > > > 
> > > > > kdig Test:
> > > > > 
> > > > > 
> > > > > ;; DEBUG: Querying for owner(www.isoc.org.), class(1),
> > > > > type(1),
> > > > > server(1.1.1.1), port(853), protocol(TCP)
> > > > > ;; DEBUG: TLS, imported 135 certificates from
> > > > > '/etc/ssl/certs/ca-
> > > > > bundle.crt'
> > > > > ;; DEBUG: TLS, received certificate hierarchy:
> > > > > ;; DEBUG:  #1, C=US,ST=California,L=San
> > > > > Francisco,O=Cloudflare\,
> > > > > Inc.,CN=cloudflare-dns.com
> > > > > ;; DEBUG:      SHA-256 PIN:
> > > > > V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
> > > > > ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure
> > > > > Server
> > > > > CA
> > > > > ;; DEBUG:      SHA-256 PIN:
> > > > > PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
> > > > > ;; DEBUG: TLS, skipping certificate PIN check
> > > > > ;; DEBUG: TLS, The certificate is trusted. 
> > > > > ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
> > > > > ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 51175
> > > > > ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0;
> > > > > ADDITIONAL:
> > > > > 1
> > > > > 
> > > > > ;; EDNS PSEUDOSECTION:
> > > > > ;; Version: 0; flags: do; UDP size: 1452 B; ext-rcode:
> > > > > NOERROR
> > > > > ;; PADDING: 239 B
> > > > > 
> > > > > ;; QUESTION SECTION:
> > > > > ;; www.isoc.org.       		IN	A
> > > > > 
> > > > > ;; ANSWER SECTION:
> > > > > www.isoc.org.       	300	IN	A	46.43.36.222
> > > > > www.isoc.org.       	300	IN	RRSIG	A 7 3 300
> > > > > 20190224085001 20190210085001 45830 isoc.org.
> > > > > g64C7zJUL1zqUBbcZVDcEKO05EHz19ZHwxr4i8kTieW8XgX63lLZwhJTL1UK0
> > > > > NxOG
> > > > > CPOZ
> > > > > SVthWBp9HF9WnFjPsxsfkrxkOoz/Hcl1ZuTpWUTBLfBKqnpPJm2NJ2yoR7hPe
> > > > > rUvt
> > > > > l0sH
> > > > > JnIOczrHnAlCwZBo8OOw9tlW0va+706ZQ=
> > > > > 
> > > > > ;; Received 468 B
> > > > > ;; Time 2019-02-10 12:40:19 CET
> > > > > ;; From 1.1.1.1(a)853(TCP) in 18.0 ms
> > > > > 
> > > > > 
> > > > > 
> > > > > And a test with s_client:
> > > > > 
> > > > > [root(a)ipfire tmp]# openssl s_client -connect 1.1.1.1:853
> > > > > CONNECTED(00000003)
> > > > > depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN =
> > > > > DigiCert Global Root CA
> > > > > verify return:1
> > > > > depth=1 C = US, O = DigiCert Inc, CN = DigiCert ECC Secure
> > > > > Server
> > > > > CA
> > > > > verify return:1
> > > > > depth=0 C = US, ST = California, L = San Francisco, O =
> > > > > "Cloudflare,
> > > > > Inc.", CN = cloudflare-dns.com
> > > > > verify return:1
> > > > > ---
> > > > > Certificate chain
> > > > > 0 s:C = US, ST = California, L = San Francisco, O =
> > > > > "Cloudflare,
> > > > > Inc.", CN = cloudflare-dns.com
> > > > >  i:C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server
> > > > > CA
> > > > > 1 s:C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server
> > > > > CA
> > > > >  i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN =
> > > > > DigiCert
> > > > > Global Root CA
> > > > > ---
> > > > > Server certificate
> > > > > -----BEGIN CERTIFICATE-----
> > > > > MIIFxjCCBUygAwIBAgIQAczjGN6fVn+rKySQH62nHTAKBggqhkjOPQQDAjBMM
> > > > > Qsw
> > > > > CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSYwJAYDVQQDEx1Ea
> > > > > Wdp
> > > > > Q2VydCBFQ0MgU2VjdXJlIFNlcnZlciBDQTAeFw0xOTAxMjgwMDAwMDBaFw0yM
> > > > > TAy
> > > > > MDExMjAwMDBaMHIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhM
> > > > > RYw
> > > > > FAYDVQQHEw1TYW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZGZsYXJlLCBJb
> > > > > mMu
> > > > > MRswGQYDVQQDExJjbG91ZGZsYXJlLWRucy5jb20wWTATBgcqhkjOPQIBBggqh
> > > > > kjO
> > > > > PQMBBwNCAATFIHCMIEJQKB59REF8MHkpHGNeHUSbxfdxOive0qKksWw9ash3u
> > > > > MuP
> > > > > LlBT/fQYJn9hN+3/wr7pC125fuHfHOJ0o4ID6DCCA+QwHwYDVR0jBBgwFoAUo
> > > > > 53m
> > > > > H/naOU/AbuiRy5Wl2jHiCp8wHQYDVR0OBBYEFHCV3FyjjmYH28uBEMar58OoR
> > > > > X+g
> > > > > MIGsBgNVHREEgaQwgaGCEmNsb3VkZmxhcmUtZG5zLmNvbYIUKi5jbG91ZGZsY
> > > > > XJl
> > > > > LWRucy5jb22CD29uZS5vbmUub25lLm9uZYcEAQEBAYcEAQAAAYcEop+ENYcQJ
> > > > > gZH
> > > > > AEcAAAAAAAAAAAAREYcQJgZHAEcAAAAAAAAAAAAQAYcQJgZHAEcAAAAAAAAAA
> > > > > AAA
> > > > > ZIcQJgZHAEcAAAAAAAAAAABkAIcEop8kAYcEop8uATAOBgNVHQ8BAf8EBAMCB
> > > > > 4Aw
> > > > > HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGkGA1UdHwRiMGAwLqAso
> > > > > CqG
> > > > > KGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9zc2NhLWVjYy1nMS5jcmwwLqAso
> > > > > CqG
> > > > > KGh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zc2NhLWVjYy1nMS5jcmwwTAYDV
> > > > > R0g
> > > > > BEUwQzA3BglghkgBhv1sAQEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZ
> > > > > Gln
> > > > > aWNlcnQuY29tL0NQUzAIBgZngQwBAgIwewYIKwYBBQUHAQEEbzBtMCQGCCsGA
> > > > > QUF
> > > > > BzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRQYIKwYBBQUHMAKGOWh0d
> > > > > HA6
> > > > > Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEVDQ1NlY3VyZVNlcnZlc
> > > > > kNB
> > > > > LmNydDAMBgNVHRMBAf8EAjAAMIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWgAd
> > > > > gCk
> > > > > uQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3cEAAAAWiVHhSLAAAEAwBHM
> > > > > EUC
> > > > > IQDlnoPeMXtFkRsy3Vs0eovk3ILKt01x6bgUdMlmQTFIvAIgcAn0lFSjiGzHm
> > > > > 2eO
> > > > > jDZJzMiP5Uaj0Jwub9GO8RkxkkoAdQCHdb/nWXz4jEOZX73zbv9WjUdWNv9Kt
> > > > > WDB
> > > > > tOr/XqCDDwAAAWiVHhVsAAAEAwBGMEQCIFC0n0JModeol8b/Qicxd5Blf/o7x
> > > > > Os/
> > > > > Bk0j9hdc5N7jAiAQocYnHL9iMqTtFkh0vmSsII5NbiakM/2yDEXnwkPRvAB3A
> > > > > LvZ
> > > > > 37wfinG1k5Qjl6qSe0c4V5UKq1LoGpCWZDaOHtGFAAABaJUeFJEAAAQDAEgwR
> > > > > gIh
> > > > > AL3OPTBzOZpS5rS/uLzqMOiACCFQyY+mTJ+L0I9TcB3RAiEA4+SiPz0/5kFxv
> > > > > rk7
> > > > > AKYKdvelgV1hiiPbM2YHY+/0BIkwCgYIKoZIzj0EAwIDaAAwZQIwez76hX2HT
> > > > > Mur
> > > > > /I3XRuwfdmVoa8J6ZVEVq+AZsE7DyQh7AV4WNLU+092BrPbnyVUFAjEAzUf5j
> > > > > dz1
> > > > > pyc74lgOunC7LBE6cPtWbzfGpJiYyT/T+c5eIAwRYziKT0DKbaql7tiZ
> > > > > -----END CERTIFICATE-----
> > > > > subject=C = US, ST = California, L = San Francisco, O =
> > > > > "Cloudflare,
> > > > > Inc.", CN = cloudflare-dns.com
> > > > > 
> > > > > issuer=C = US, O = DigiCert Inc, CN = DigiCert ECC Secure
> > > > > Server
> > > > > CA
> > > > > 
> > > > > ---
> > > > > No client certificate CA names sent
> > > > > Peer signing digest: SHA256
> > > > > Peer signature type: ECDSA
> > > > > Server Temp Key: X25519, 253 bits
> > > > > ---
> > > > > SSL handshake has read 2787 bytes and written 421 bytes
> > > > > Verification: OK
> > > > > ---
> > > > > New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256
> > > > > Server public key is 256 bit
> > > > > Secure Renegotiation IS NOT supported
> > > > > Compression: NONE
> > > > > Expansion: NONE
> > > > > No ALPN negotiated
> > > > > Early data was not sent
> > > > > Verify return code: 0 (ok)
> > > > > ---
> > > > > ---
> > > > > Post-Handshake New Session Ticket arrived:
> > > > > SSL-Session:
> > > > >   Protocol  : TLSv1.3
> > > > >   Cipher    : TLS_CHACHA20_POLY1305_SHA256
> > > > >   Session-ID:
> > > > > FAA394DF4959235034E350399A968F5C945D413F68CC5D29191B209900735
> > > > > C01
> > > > >   Session-ID-ctx: 
> > > > >   Resumption PSK:
> > > > > 414F9C16B3D4845BC0592B35CC2D28DBD9B807BCBCB95125870379E1AAA48
> > > > > 0C7
> > > > >   PSK identity: None
> > > > >   PSK identity hint: None
> > > > >   TLS session ticket lifetime hint: 21600 (seconds)
> > > > >   TLS session ticket:
> > > > >   0000 - 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00
> > > > > 00   ................
> > > > >   0010 - 8f 9b bb d1 0a 9e a6 0d-df d3 9d 7d 8f c1 f1
> > > > > 6b   ...........}...k
> > > > >   0020 - 00 80 31 55 77 a3 b3 5c-fe 90 11 fb 8c ef b1
> > > > > 23   ..1Uw..\.......#
> > > > >   0030 - 9c 88 83 b0 33 5d 84 d6-1a 75 db 68 67 fb 57
> > > > > 3d   ....3]...u.hg.W=
> > > > >   0040 - ef 71 6b 7f 22 ae fa bf-d7 0d 12 37 62 69 01
> > > > > ff   .qk."......7bi..
> > > > >   0050 - 5a 78 29 97 8e ab a4 8e-e0 83 ab 0f 63 fa b4
> > > > > d9   Zx).........c...
> > > > >   0060 - 3b 08 70 38 56 db 6a 43-8c d3 e4 de 5d 1e 7e
> > > > > cb   ;.p8V.jC....].~.
> > > > >   0070 - 82 63 08 cd 31 71 61 17-44 a1 98 87 8a a5 43
> > > > > 06   .c..1qa.D.....C.
> > > > >   0080 - d1 f8 aa a7 ba 3e 99 32-a9 f8 a6 14 46 bd a2
> > > > > 0e   .....>.2....F...
> > > > >   0090 - 74 79 fa 24 c5 5c a2 12-81 cb 2c 85 4b 91 c1
> > > > > 1b   ty.$.\....,.K...
> > > > >   00a0 - 7d c3 3d c9 6a 58 12 4e-41 b7 eb 29 9e b6 90
> > > > > 07   }.=.jX.NA..)....
> > > > >   00b0 - e1 92 dd 8d 44
> > > > > 69                                 ....Di
> > > > > 
> > > > >   Start Time: 1549799117
> > > > >   Timeout   : 7200 (sec)
> > > > >   Verify return code: 0 (ok)
> > > > >   Extended master secret: no
> > > > >   Max Early Data: 0
> > > > > ---
> > > > > read R BLOCK
> > > > > closed
> > > > > 
> > > > > 
> > > > > Which seems strange to me since Cloudflair offers TLSv1.3 but
> > > > > unbound
> > > > > initializes only TLSv1.2 .
> > > > > 
> > > > > Have check all working DoT servers from here --> 
> > > > > 
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers
> > > > > too,
> > > > > but no TLSv1.3 at all...
> > > > > 
> > > > > 
> > > > > Did someone have similar behaviors ?
> > > > > 
> > > > > Best,
> > > > > 
> > > > > Erik
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > 
> > > 
> 
> 

OpenSSL-1.1.1a - No TLSv1.3 with unbound

[ummeegge]

[-- Attachment #1: Type: text/plain, Size: 7149 bytes --]

Hi all,
did an fresh install from origin/next of Core 128 with the new OpenSSL-
1.1.1a . Have checked also DNS-over-TLS which works well but kdig
points out that the TLS sessions operates only with TLSv1.2 instaed of
the new delivered TLSv1.3 .

A test with Cloudflair (which uses TLSv1.3) looks like this -->

kdig Test:


;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 135 certificates from '/etc/ssl/certs/ca-bundle.crt'
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
;; DEBUG:      SHA-256 PIN: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
;; DEBUG:      SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted. 
;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 51175
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1452 B; ext-rcode: NOERROR
;; PADDING: 239 B

;; QUESTION SECTION:
;; www.isoc.org.       		IN	A

;; ANSWER SECTION:
www.isoc.org.       	300	IN	A	46.43.36.222
www.isoc.org.       	300	IN	RRSIG	A 7 3 300 20190224085001 20190210085001 45830 isoc.org. g64C7zJUL1zqUBbcZVDcEKO05EHz19ZHwxr4i8kTieW8XgX63lLZwhJTL1UK0NxOGCPOZSVthWBp9HF9WnFjPsxsfkrxkOoz/Hcl1ZuTpWUTBLfBKqnpPJm2NJ2yoR7hPerUvtl0sHJnIOczrHnAlCwZBo8OOw9tlW0va+706ZQ=

;; Received 468 B
;; Time 2019-02-10 12:40:19 CET
;; From 1.1.1.1(a)853(TCP) in 18.0 ms



And a test with s_client:

[root(a)ipfire tmp]# openssl s_client -connect 1.1.1.1:853
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
verify return:1
depth=0 C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = cloudflare-dns.com
verify return:1
---
Certificate chain
 0 s:C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = cloudflare-dns.com
   i:C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
 1 s:C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFxjCCBUygAwIBAgIQAczjGN6fVn+rKySQH62nHTAKBggqhkjOPQQDAjBMMQsw
CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSYwJAYDVQQDEx1EaWdp
Q2VydCBFQ0MgU2VjdXJlIFNlcnZlciBDQTAeFw0xOTAxMjgwMDAwMDBaFw0yMTAy
MDExMjAwMDBaMHIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYw
FAYDVQQHEw1TYW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZGZsYXJlLCBJbmMu
MRswGQYDVQQDExJjbG91ZGZsYXJlLWRucy5jb20wWTATBgcqhkjOPQIBBggqhkjO
PQMBBwNCAATFIHCMIEJQKB59REF8MHkpHGNeHUSbxfdxOive0qKksWw9ash3uMuP
LlBT/fQYJn9hN+3/wr7pC125fuHfHOJ0o4ID6DCCA+QwHwYDVR0jBBgwFoAUo53m
H/naOU/AbuiRy5Wl2jHiCp8wHQYDVR0OBBYEFHCV3FyjjmYH28uBEMar58OoRX+g
MIGsBgNVHREEgaQwgaGCEmNsb3VkZmxhcmUtZG5zLmNvbYIUKi5jbG91ZGZsYXJl
LWRucy5jb22CD29uZS5vbmUub25lLm9uZYcEAQEBAYcEAQAAAYcEop+ENYcQJgZH
AEcAAAAAAAAAAAAREYcQJgZHAEcAAAAAAAAAAAAQAYcQJgZHAEcAAAAAAAAAAAAA
ZIcQJgZHAEcAAAAAAAAAAABkAIcEop8kAYcEop8uATAOBgNVHQ8BAf8EBAMCB4Aw
HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGkGA1UdHwRiMGAwLqAsoCqG
KGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9zc2NhLWVjYy1nMS5jcmwwLqAsoCqG
KGh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zc2NhLWVjYy1nMS5jcmwwTAYDVR0g
BEUwQzA3BglghkgBhv1sAQEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGln
aWNlcnQuY29tL0NQUzAIBgZngQwBAgIwewYIKwYBBQUHAQEEbzBtMCQGCCsGAQUF
BzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRQYIKwYBBQUHMAKGOWh0dHA6
Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEVDQ1NlY3VyZVNlcnZlckNB
LmNydDAMBgNVHRMBAf8EAjAAMIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWgAdgCk
uQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3cEAAAAWiVHhSLAAAEAwBHMEUC
IQDlnoPeMXtFkRsy3Vs0eovk3ILKt01x6bgUdMlmQTFIvAIgcAn0lFSjiGzHm2eO
jDZJzMiP5Uaj0Jwub9GO8RkxkkoAdQCHdb/nWXz4jEOZX73zbv9WjUdWNv9KtWDB
tOr/XqCDDwAAAWiVHhVsAAAEAwBGMEQCIFC0n0JModeol8b/Qicxd5Blf/o7xOs/
Bk0j9hdc5N7jAiAQocYnHL9iMqTtFkh0vmSsII5NbiakM/2yDEXnwkPRvAB3ALvZ
37wfinG1k5Qjl6qSe0c4V5UKq1LoGpCWZDaOHtGFAAABaJUeFJEAAAQDAEgwRgIh
AL3OPTBzOZpS5rS/uLzqMOiACCFQyY+mTJ+L0I9TcB3RAiEA4+SiPz0/5kFxvrk7
AKYKdvelgV1hiiPbM2YHY+/0BIkwCgYIKoZIzj0EAwIDaAAwZQIwez76hX2HTMur
/I3XRuwfdmVoa8J6ZVEVq+AZsE7DyQh7AV4WNLU+092BrPbnyVUFAjEAzUf5jdz1
pyc74lgOunC7LBE6cPtWbzfGpJiYyT/T+c5eIAwRYziKT0DKbaql7tiZ
-----END CERTIFICATE-----
subject=C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = cloudflare-dns.com

issuer=C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2787 bytes and written 421 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_CHACHA20_POLY1305_SHA256
    Session-ID: FAA394DF4959235034E350399A968F5C945D413F68CC5D29191B209900735C01
    Session-ID-ctx: 
    Resumption PSK: 414F9C16B3D4845BC0592B35CC2D28DBD9B807BCBCB95125870379E1AAA480C7
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 21600 (seconds)
    TLS session ticket:
    0000 - 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
    0010 - 8f 9b bb d1 0a 9e a6 0d-df d3 9d 7d 8f c1 f1 6b   ...........}...k
    0020 - 00 80 31 55 77 a3 b3 5c-fe 90 11 fb 8c ef b1 23   ..1Uw..\.......#
    0030 - 9c 88 83 b0 33 5d 84 d6-1a 75 db 68 67 fb 57 3d   ....3]...u.hg.W=
    0040 - ef 71 6b 7f 22 ae fa bf-d7 0d 12 37 62 69 01 ff   .qk."......7bi..
    0050 - 5a 78 29 97 8e ab a4 8e-e0 83 ab 0f 63 fa b4 d9   Zx).........c...
    0060 - 3b 08 70 38 56 db 6a 43-8c d3 e4 de 5d 1e 7e cb   ;.p8V.jC....].~.
    0070 - 82 63 08 cd 31 71 61 17-44 a1 98 87 8a a5 43 06   .c..1qa.D.....C.
    0080 - d1 f8 aa a7 ba 3e 99 32-a9 f8 a6 14 46 bd a2 0e   .....>.2....F...
    0090 - 74 79 fa 24 c5 5c a2 12-81 cb 2c 85 4b 91 c1 1b   ty.$.\....,.K...
    00a0 - 7d c3 3d c9 6a 58 12 4e-41 b7 eb 29 9e b6 90 07   }.=.jX.NA..)....
    00b0 - e1 92 dd 8d 44 69                                 ....Di

    Start Time: 1549799117
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
    Max Early Data: 0
---
read R BLOCK
closed


Which seems strange to me since Cloudflair offers TLSv1.3 but unbound initializes only TLSv1.2 .

Have check all working DoT servers from here --> https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers too,
but no TLSv1.3 at all...


Did someone have similar behaviors ?

Best,

Erik

Re: OpenSSL-1.1.1a - No TLSv1.3 with unbound

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 7828 bytes --]

Hi,

This is a bit weird.

Does the version of unbound support TLS 1.3? We had to update Apache to support TLS 1.3 and we had to just rebuild haproxy to support it, too. Since you are running a build of unbound that was built against OpenSSL 1.1.1 I would say the latter isn’t likely.

-Michael

> On 10 Feb 2019, at 14:15, ummeegge <ummeegge(a)ipfire.org> wrote:
> 
> Hi all,
> did an fresh install from origin/next of Core 128 with the new OpenSSL-
> 1.1.1a . Have checked also DNS-over-TLS which works well but kdig
> points out that the TLS sessions operates only with TLSv1.2 instaed of
> the new delivered TLSv1.3 .
> 
> A test with Cloudflair (which uses TLSv1.3) looks like this -->
> 
> kdig Test:
> 
> 
> ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
> ;; DEBUG: TLS, imported 135 certificates from '/etc/ssl/certs/ca-bundle.crt'
> ;; DEBUG: TLS, received certificate hierarchy:
> ;; DEBUG:  #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
> ;; DEBUG:      SHA-256 PIN: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
> ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
> ;; DEBUG:      SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
> ;; DEBUG: TLS, skipping certificate PIN check
> ;; DEBUG: TLS, The certificate is trusted. 
> ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 51175
> ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1
> 
> ;; EDNS PSEUDOSECTION:
> ;; Version: 0; flags: do; UDP size: 1452 B; ext-rcode: NOERROR
> ;; PADDING: 239 B
> 
> ;; QUESTION SECTION:
> ;; www.isoc.org.       		IN	A
> 
> ;; ANSWER SECTION:
> www.isoc.org.       	300	IN	A	46.43.36.222
> www.isoc.org.       	300	IN	RRSIG	A 7 3 300 20190224085001 20190210085001 45830 isoc.org. g64C7zJUL1zqUBbcZVDcEKO05EHz19ZHwxr4i8kTieW8XgX63lLZwhJTL1UK0NxOGCPOZSVthWBp9HF9WnFjPsxsfkrxkOoz/Hcl1ZuTpWUTBLfBKqnpPJm2NJ2yoR7hPerUvtl0sHJnIOczrHnAlCwZBo8OOw9tlW0va+706ZQ=
> 
> ;; Received 468 B
> ;; Time 2019-02-10 12:40:19 CET
> ;; From 1.1.1.1(a)853(TCP) in 18.0 ms
> 
> 
> 
> And a test with s_client:
> 
> [root(a)ipfire tmp]# openssl s_client -connect 1.1.1.1:853
> CONNECTED(00000003)
> depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
> verify return:1
> depth=1 C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
> verify return:1
> depth=0 C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = cloudflare-dns.com
> verify return:1
> ---
> Certificate chain
> 0 s:C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = cloudflare-dns.com
>   i:C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
> 1 s:C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
>   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIFxjCCBUygAwIBAgIQAczjGN6fVn+rKySQH62nHTAKBggqhkjOPQQDAjBMMQsw
> CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSYwJAYDVQQDEx1EaWdp
> Q2VydCBFQ0MgU2VjdXJlIFNlcnZlciBDQTAeFw0xOTAxMjgwMDAwMDBaFw0yMTAy
> MDExMjAwMDBaMHIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYw
> FAYDVQQHEw1TYW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZGZsYXJlLCBJbmMu
> MRswGQYDVQQDExJjbG91ZGZsYXJlLWRucy5jb20wWTATBgcqhkjOPQIBBggqhkjO
> PQMBBwNCAATFIHCMIEJQKB59REF8MHkpHGNeHUSbxfdxOive0qKksWw9ash3uMuP
> LlBT/fQYJn9hN+3/wr7pC125fuHfHOJ0o4ID6DCCA+QwHwYDVR0jBBgwFoAUo53m
> H/naOU/AbuiRy5Wl2jHiCp8wHQYDVR0OBBYEFHCV3FyjjmYH28uBEMar58OoRX+g
> MIGsBgNVHREEgaQwgaGCEmNsb3VkZmxhcmUtZG5zLmNvbYIUKi5jbG91ZGZsYXJl
> LWRucy5jb22CD29uZS5vbmUub25lLm9uZYcEAQEBAYcEAQAAAYcEop+ENYcQJgZH
> AEcAAAAAAAAAAAAREYcQJgZHAEcAAAAAAAAAAAAQAYcQJgZHAEcAAAAAAAAAAAAA
> ZIcQJgZHAEcAAAAAAAAAAABkAIcEop8kAYcEop8uATAOBgNVHQ8BAf8EBAMCB4Aw
> HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGkGA1UdHwRiMGAwLqAsoCqG
> KGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9zc2NhLWVjYy1nMS5jcmwwLqAsoCqG
> KGh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zc2NhLWVjYy1nMS5jcmwwTAYDVR0g
> BEUwQzA3BglghkgBhv1sAQEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGln
> aWNlcnQuY29tL0NQUzAIBgZngQwBAgIwewYIKwYBBQUHAQEEbzBtMCQGCCsGAQUF
> BzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRQYIKwYBBQUHMAKGOWh0dHA6
> Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEVDQ1NlY3VyZVNlcnZlckNB
> LmNydDAMBgNVHRMBAf8EAjAAMIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWgAdgCk
> uQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3cEAAAAWiVHhSLAAAEAwBHMEUC
> IQDlnoPeMXtFkRsy3Vs0eovk3ILKt01x6bgUdMlmQTFIvAIgcAn0lFSjiGzHm2eO
> jDZJzMiP5Uaj0Jwub9GO8RkxkkoAdQCHdb/nWXz4jEOZX73zbv9WjUdWNv9KtWDB
> tOr/XqCDDwAAAWiVHhVsAAAEAwBGMEQCIFC0n0JModeol8b/Qicxd5Blf/o7xOs/
> Bk0j9hdc5N7jAiAQocYnHL9iMqTtFkh0vmSsII5NbiakM/2yDEXnwkPRvAB3ALvZ
> 37wfinG1k5Qjl6qSe0c4V5UKq1LoGpCWZDaOHtGFAAABaJUeFJEAAAQDAEgwRgIh
> AL3OPTBzOZpS5rS/uLzqMOiACCFQyY+mTJ+L0I9TcB3RAiEA4+SiPz0/5kFxvrk7
> AKYKdvelgV1hiiPbM2YHY+/0BIkwCgYIKoZIzj0EAwIDaAAwZQIwez76hX2HTMur
> /I3XRuwfdmVoa8J6ZVEVq+AZsE7DyQh7AV4WNLU+092BrPbnyVUFAjEAzUf5jdz1
> pyc74lgOunC7LBE6cPtWbzfGpJiYyT/T+c5eIAwRYziKT0DKbaql7tiZ
> -----END CERTIFICATE-----
> subject=C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = cloudflare-dns.com
> 
> issuer=C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
> 
> ---
> No client certificate CA names sent
> Peer signing digest: SHA256
> Peer signature type: ECDSA
> Server Temp Key: X25519, 253 bits
> ---
> SSL handshake has read 2787 bytes and written 421 bytes
> Verification: OK
> ---
> New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256
> Server public key is 256 bit
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> Early data was not sent
> Verify return code: 0 (ok)
> ---
> ---
> Post-Handshake New Session Ticket arrived:
> SSL-Session:
>    Protocol  : TLSv1.3
>    Cipher    : TLS_CHACHA20_POLY1305_SHA256
>    Session-ID: FAA394DF4959235034E350399A968F5C945D413F68CC5D29191B209900735C01
>    Session-ID-ctx: 
>    Resumption PSK: 414F9C16B3D4845BC0592B35CC2D28DBD9B807BCBCB95125870379E1AAA480C7
>    PSK identity: None
>    PSK identity hint: None
>    TLS session ticket lifetime hint: 21600 (seconds)
>    TLS session ticket:
>    0000 - 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
>    0010 - 8f 9b bb d1 0a 9e a6 0d-df d3 9d 7d 8f c1 f1 6b   ...........}...k
>    0020 - 00 80 31 55 77 a3 b3 5c-fe 90 11 fb 8c ef b1 23   ..1Uw..\.......#
>    0030 - 9c 88 83 b0 33 5d 84 d6-1a 75 db 68 67 fb 57 3d   ....3]...u.hg.W=
>    0040 - ef 71 6b 7f 22 ae fa bf-d7 0d 12 37 62 69 01 ff   .qk."......7bi..
>    0050 - 5a 78 29 97 8e ab a4 8e-e0 83 ab 0f 63 fa b4 d9   Zx).........c...
>    0060 - 3b 08 70 38 56 db 6a 43-8c d3 e4 de 5d 1e 7e cb   ;.p8V.jC....].~.
>    0070 - 82 63 08 cd 31 71 61 17-44 a1 98 87 8a a5 43 06   .c..1qa.D.....C.
>    0080 - d1 f8 aa a7 ba 3e 99 32-a9 f8 a6 14 46 bd a2 0e   .....>.2....F...
>    0090 - 74 79 fa 24 c5 5c a2 12-81 cb 2c 85 4b 91 c1 1b   ty.$.\....,.K...
>    00a0 - 7d c3 3d c9 6a 58 12 4e-41 b7 eb 29 9e b6 90 07   }.=.jX.NA..)....
>    00b0 - e1 92 dd 8d 44 69                                 ....Di
> 
>    Start Time: 1549799117
>    Timeout   : 7200 (sec)
>    Verify return code: 0 (ok)
>    Extended master secret: no
>    Max Early Data: 0
> ---
> read R BLOCK
> closed
> 
> 
> Which seems strange to me since Cloudflair offers TLSv1.3 but unbound initializes only TLSv1.2 .
> 
> Have check all working DoT servers from here --> https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers too,
> but no TLSv1.3 at all...
> 
> 
> Did someone have similar behaviors ?
> 
> Best,
> 
> Erik
> 
> 
> 
> 

Re: OpenSSL-1.1.1a - No TLSv1.3 with unbound

[Peter Müller]

[-- Attachment #1: Type: text/plain, Size: 8478 bytes --]

Hello Michael, hello Erik,

sorry for the long delay here. :-\

I noticed the AESCCM issue with Unbound, and will have a look
at it (never observed these ciphers in the wild - i.e. web and mail
traffic - but that does not mean anything here).

At the moment, I do not have an idea what is going wrong
here (currently using 127-stable).

P.S.: It's CloudFlare, not Cloudflair. :-)

P.P.S.: Thank you for the DoT server list. I will update the Wiki page.

Thanks, and best regards,
Peter Müller

> Hi,
> 
> This is a bit weird.
> 
> Does the version of unbound support TLS 1.3? We had to update Apache to support TLS 1.3 and we had to just rebuild haproxy to support it, too. Since you are running a build of unbound that was built against OpenSSL 1.1.1 I would say the latter isn’t likely.
> 
> -Michael
> 
>> On 10 Feb 2019, at 14:15, ummeegge <ummeegge(a)ipfire.org> wrote:
>>
>> Hi all,
>> did an fresh install from origin/next of Core 128 with the new OpenSSL-
>> 1.1.1a . Have checked also DNS-over-TLS which works well but kdig
>> points out that the TLS sessions operates only with TLSv1.2 instaed of
>> the new delivered TLSv1.3 .
>>
>> A test with Cloudflair (which uses TLSv1.3) looks like this -->
>>
>> kdig Test:
>>
>>
>> ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
>> ;; DEBUG: TLS, imported 135 certificates from '/etc/ssl/certs/ca-bundle.crt'
>> ;; DEBUG: TLS, received certificate hierarchy:
>> ;; DEBUG:  #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
>> ;; DEBUG:      SHA-256 PIN: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
>> ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
>> ;; DEBUG:      SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
>> ;; DEBUG: TLS, skipping certificate PIN check
>> ;; DEBUG: TLS, The certificate is trusted. 
>> ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
>> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 51175
>> ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1
>>
>> ;; EDNS PSEUDOSECTION:
>> ;; Version: 0; flags: do; UDP size: 1452 B; ext-rcode: NOERROR
>> ;; PADDING: 239 B
>>
>> ;; QUESTION SECTION:
>> ;; www.isoc.org.       		IN	A
>>
>> ;; ANSWER SECTION:
>> www.isoc.org.       	300	IN	A	46.43.36.222
>> www.isoc.org.       	300	IN	RRSIG	A 7 3 300 20190224085001 20190210085001 45830 isoc.org. g64C7zJUL1zqUBbcZVDcEKO05EHz19ZHwxr4i8kTieW8XgX63lLZwhJTL1UK0NxOGCPOZSVthWBp9HF9WnFjPsxsfkrxkOoz/Hcl1ZuTpWUTBLfBKqnpPJm2NJ2yoR7hPerUvtl0sHJnIOczrHnAlCwZBo8OOw9tlW0va+706ZQ=
>>
>> ;; Received 468 B
>> ;; Time 2019-02-10 12:40:19 CET
>> ;; From 1.1.1.1(a)853(TCP) in 18.0 ms
>>
>>
>>
>> And a test with s_client:
>>
>> [root(a)ipfire tmp]# openssl s_client -connect 1.1.1.1:853
>> CONNECTED(00000003)
>> depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
>> verify return:1
>> depth=1 C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
>> verify return:1
>> depth=0 C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = cloudflare-dns.com
>> verify return:1
>> ---
>> Certificate chain
>> 0 s:C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = cloudflare-dns.com
>>   i:C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
>> 1 s:C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
>>   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
>> ---
>> Server certificate
>> -----BEGIN CERTIFICATE-----
>> MIIFxjCCBUygAwIBAgIQAczjGN6fVn+rKySQH62nHTAKBggqhkjOPQQDAjBMMQsw
>> CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSYwJAYDVQQDEx1EaWdp
>> Q2VydCBFQ0MgU2VjdXJlIFNlcnZlciBDQTAeFw0xOTAxMjgwMDAwMDBaFw0yMTAy
>> MDExMjAwMDBaMHIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYw
>> FAYDVQQHEw1TYW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZGZsYXJlLCBJbmMu
>> MRswGQYDVQQDExJjbG91ZGZsYXJlLWRucy5jb20wWTATBgcqhkjOPQIBBggqhkjO
>> PQMBBwNCAATFIHCMIEJQKB59REF8MHkpHGNeHUSbxfdxOive0qKksWw9ash3uMuP
>> LlBT/fQYJn9hN+3/wr7pC125fuHfHOJ0o4ID6DCCA+QwHwYDVR0jBBgwFoAUo53m
>> H/naOU/AbuiRy5Wl2jHiCp8wHQYDVR0OBBYEFHCV3FyjjmYH28uBEMar58OoRX+g
>> MIGsBgNVHREEgaQwgaGCEmNsb3VkZmxhcmUtZG5zLmNvbYIUKi5jbG91ZGZsYXJl
>> LWRucy5jb22CD29uZS5vbmUub25lLm9uZYcEAQEBAYcEAQAAAYcEop+ENYcQJgZH
>> AEcAAAAAAAAAAAAREYcQJgZHAEcAAAAAAAAAAAAQAYcQJgZHAEcAAAAAAAAAAAAA
>> ZIcQJgZHAEcAAAAAAAAAAABkAIcEop8kAYcEop8uATAOBgNVHQ8BAf8EBAMCB4Aw
>> HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGkGA1UdHwRiMGAwLqAsoCqG
>> KGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9zc2NhLWVjYy1nMS5jcmwwLqAsoCqG
>> KGh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zc2NhLWVjYy1nMS5jcmwwTAYDVR0g
>> BEUwQzA3BglghkgBhv1sAQEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGln
>> aWNlcnQuY29tL0NQUzAIBgZngQwBAgIwewYIKwYBBQUHAQEEbzBtMCQGCCsGAQUF
>> BzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRQYIKwYBBQUHMAKGOWh0dHA6
>> Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEVDQ1NlY3VyZVNlcnZlckNB
>> LmNydDAMBgNVHRMBAf8EAjAAMIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWgAdgCk
>> uQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3cEAAAAWiVHhSLAAAEAwBHMEUC
>> IQDlnoPeMXtFkRsy3Vs0eovk3ILKt01x6bgUdMlmQTFIvAIgcAn0lFSjiGzHm2eO
>> jDZJzMiP5Uaj0Jwub9GO8RkxkkoAdQCHdb/nWXz4jEOZX73zbv9WjUdWNv9KtWDB
>> tOr/XqCDDwAAAWiVHhVsAAAEAwBGMEQCIFC0n0JModeol8b/Qicxd5Blf/o7xOs/
>> Bk0j9hdc5N7jAiAQocYnHL9iMqTtFkh0vmSsII5NbiakM/2yDEXnwkPRvAB3ALvZ
>> 37wfinG1k5Qjl6qSe0c4V5UKq1LoGpCWZDaOHtGFAAABaJUeFJEAAAQDAEgwRgIh
>> AL3OPTBzOZpS5rS/uLzqMOiACCFQyY+mTJ+L0I9TcB3RAiEA4+SiPz0/5kFxvrk7
>> AKYKdvelgV1hiiPbM2YHY+/0BIkwCgYIKoZIzj0EAwIDaAAwZQIwez76hX2HTMur
>> /I3XRuwfdmVoa8J6ZVEVq+AZsE7DyQh7AV4WNLU+092BrPbnyVUFAjEAzUf5jdz1
>> pyc74lgOunC7LBE6cPtWbzfGpJiYyT/T+c5eIAwRYziKT0DKbaql7tiZ
>> -----END CERTIFICATE-----
>> subject=C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = cloudflare-dns.com
>>
>> issuer=C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
>>
>> ---
>> No client certificate CA names sent
>> Peer signing digest: SHA256
>> Peer signature type: ECDSA
>> Server Temp Key: X25519, 253 bits
>> ---
>> SSL handshake has read 2787 bytes and written 421 bytes
>> Verification: OK
>> ---
>> New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256
>> Server public key is 256 bit
>> Secure Renegotiation IS NOT supported
>> Compression: NONE
>> Expansion: NONE
>> No ALPN negotiated
>> Early data was not sent
>> Verify return code: 0 (ok)
>> ---
>> ---
>> Post-Handshake New Session Ticket arrived:
>> SSL-Session:
>>    Protocol  : TLSv1.3
>>    Cipher    : TLS_CHACHA20_POLY1305_SHA256
>>    Session-ID: FAA394DF4959235034E350399A968F5C945D413F68CC5D29191B209900735C01
>>    Session-ID-ctx: 
>>    Resumption PSK: 414F9C16B3D4845BC0592B35CC2D28DBD9B807BCBCB95125870379E1AAA480C7
>>    PSK identity: None
>>    PSK identity hint: None
>>    TLS session ticket lifetime hint: 21600 (seconds)
>>    TLS session ticket:
>>    0000 - 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00   ................
>>    0010 - 8f 9b bb d1 0a 9e a6 0d-df d3 9d 7d 8f c1 f1 6b   ...........}...k
>>    0020 - 00 80 31 55 77 a3 b3 5c-fe 90 11 fb 8c ef b1 23   ..1Uw..\.......#
>>    0030 - 9c 88 83 b0 33 5d 84 d6-1a 75 db 68 67 fb 57 3d   ....3]...u.hg.W=
>>    0040 - ef 71 6b 7f 22 ae fa bf-d7 0d 12 37 62 69 01 ff   .qk."......7bi..
>>    0050 - 5a 78 29 97 8e ab a4 8e-e0 83 ab 0f 63 fa b4 d9   Zx).........c...
>>    0060 - 3b 08 70 38 56 db 6a 43-8c d3 e4 de 5d 1e 7e cb   ;.p8V.jC....].~.
>>    0070 - 82 63 08 cd 31 71 61 17-44 a1 98 87 8a a5 43 06   .c..1qa.D.....C.
>>    0080 - d1 f8 aa a7 ba 3e 99 32-a9 f8 a6 14 46 bd a2 0e   .....>.2....F...
>>    0090 - 74 79 fa 24 c5 5c a2 12-81 cb 2c 85 4b 91 c1 1b   ty.$.\....,.K...
>>    00a0 - 7d c3 3d c9 6a 58 12 4e-41 b7 eb 29 9e b6 90 07   }.=.jX.NA..)....
>>    00b0 - e1 92 dd 8d 44 69                                 ....Di
>>
>>    Start Time: 1549799117
>>    Timeout   : 7200 (sec)
>>    Verify return code: 0 (ok)
>>    Extended master secret: no
>>    Max Early Data: 0
>> ---
>> read R BLOCK
>> closed
>>
>>
>> Which seems strange to me since Cloudflair offers TLSv1.3 but unbound initializes only TLSv1.2 .
>>
>> Have check all working DoT servers from here --> https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers too,
>> but no TLSv1.3 at all...
>>
>>
>> Did someone have similar behaviors ?
>>
>> Best,
>>
>> Erik

Re: OpenSSL-1.1.1a - No TLSv1.3 with unbound

[ummeegge]

[-- Attachment #1: Type: text/plain, Size: 11087 bytes --]

Hi Peter,

On Mi, 2019-02-13 at 19:40 +0000, Peter Müller wrote:
> Hello Michael, hello Erik,
> 
> sorry for the long delay here. :-\
> 
> I noticed the AESCCM issue with Unbound, and will have a look
> at it (never observed these ciphers in the wild - i.e. web and mail
> traffic - but that does not mean anything here).
I think the disabled AESCCM should not be the problem since on the
first testing days TLSv1.3 did worked without problems on my machine.
It worked at that time with the old cipher patch but also only with the
three TLSv1.3 defaults ciphers:

# TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
# TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
# TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD


so the other two CCM ciphers wasn´t enabled there.

In unbound´s example conf the tls-ciphersuites are:

# cipher setting for TLSv1.3 
# tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"

which differs very much to that one which i´d see the last time. In my
humble opinion, it looks like speed opitimization. I think this
settings are server settings.


> 
> At the moment, I do not have an idea what is going wrong
> here (currently using 127-stable).
What are you thinking about to go for some OpenSSL checks ? Not sure
when Core 128 will be released but as i remember it should come not
that long after Core 127 ???

Since this is a bigger update it might be great if more people comes
around to test the new OpenSSL lib...

> 
> P.S.: It's CloudFlare, not Cloudflair. :-)
Thanks for finding the bug :D .

> 
> P.P.S.: Thank you for the DoT server list. I will update the Wiki
> page.
Your welcome but keep in mind that a lot of this servers listed in
there are testing ones (regular checks points out that there are longer
time off or do have problems with certificates).
CleanBrowsing, Adguard (not sure which lists they use to filter!) and
Google are new listed as regular public resolvers -->
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Public+Resolvers .

Best,

Erik


> 
> Thanks, and best regards,
> Peter Müller
> 
> > Hi,
> > 
> > This is a bit weird.
> > 
> > Does the version of unbound support TLS 1.3? We had to update
> > Apache to support TLS 1.3 and we had to just rebuild haproxy to
> > support it, too. Since you are running a build of unbound that was
> > built against OpenSSL 1.1.1 I would say the latter isn’t likely.
> > 
> > -Michael
> > 
> > > On 10 Feb 2019, at 14:15, ummeegge <ummeegge(a)ipfire.org> wrote:
> > > 
> > > Hi all,
> > > did an fresh install from origin/next of Core 128 with the new
> > > OpenSSL-
> > > 1.1.1a . Have checked also DNS-over-TLS which works well but kdig
> > > points out that the TLS sessions operates only with TLSv1.2
> > > instaed of
> > > the new delivered TLSv1.3 .
> > > 
> > > A test with Cloudflair (which uses TLSv1.3) looks like this -->
> > > 
> > > kdig Test:
> > > 
> > > 
> > > ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1),
> > > server(1.1.1.1), port(853), protocol(TCP)
> > > ;; DEBUG: TLS, imported 135 certificates from '/etc/ssl/certs/ca-
> > > bundle.crt'
> > > ;; DEBUG: TLS, received certificate hierarchy:
> > > ;; DEBUG:  #1, C=US,ST=California,L=San Francisco,O=Cloudflare\,
> > > Inc.,CN=cloudflare-dns.com
> > > ;; DEBUG:      SHA-256 PIN:
> > > V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
> > > ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server
> > > CA
> > > ;; DEBUG:      SHA-256 PIN:
> > > PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
> > > ;; DEBUG: TLS, skipping certificate PIN check
> > > ;; DEBUG: TLS, The certificate is trusted. 
> > > ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
> > > ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 51175
> > > ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0;
> > > ADDITIONAL: 1
> > > 
> > > ;; EDNS PSEUDOSECTION:
> > > ;; Version: 0; flags: do; UDP size: 1452 B; ext-rcode: NOERROR
> > > ;; PADDING: 239 B
> > > 
> > > ;; QUESTION SECTION:
> > > ;; www.isoc.org.       		IN	A
> > > 
> > > ;; ANSWER SECTION:
> > > www.isoc.org.       	300	IN	A	46.43.36.222
> > > www.isoc.org.       	300	IN	RRSIG	A 7 3 300
> > > 20190224085001 20190210085001 45830 isoc.org.
> > > g64C7zJUL1zqUBbcZVDcEKO05EHz19ZHwxr4i8kTieW8XgX63lLZwhJTL1UK0NxOG
> > > CPOZSVthWBp9HF9WnFjPsxsfkrxkOoz/Hcl1ZuTpWUTBLfBKqnpPJm2NJ2yoR7hPe
> > > rUvtl0sHJnIOczrHnAlCwZBo8OOw9tlW0va+706ZQ=
> > > 
> > > ;; Received 468 B
> > > ;; Time 2019-02-10 12:40:19 CET
> > > ;; From 1.1.1.1(a)853(TCP) in 18.0 ms
> > > 
> > > 
> > > 
> > > And a test with s_client:
> > > 
> > > [root(a)ipfire tmp]# openssl s_client -connect 1.1.1.1:853
> > > CONNECTED(00000003)
> > > depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN =
> > > DigiCert Global Root CA
> > > verify return:1
> > > depth=1 C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server
> > > CA
> > > verify return:1
> > > depth=0 C = US, ST = California, L = San Francisco, O =
> > > "Cloudflare, Inc.", CN = cloudflare-dns.com
> > > verify return:1
> > > ---
> > > Certificate chain
> > > 0 s:C = US, ST = California, L = San Francisco, O = "Cloudflare,
> > > Inc.", CN = cloudflare-dns.com
> > >   i:C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
> > > 1 s:C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
> > >   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN =
> > > DigiCert Global Root CA
> > > ---
> > > Server certificate
> > > -----BEGIN CERTIFICATE-----
> > > MIIFxjCCBUygAwIBAgIQAczjGN6fVn+rKySQH62nHTAKBggqhkjOPQQDAjBMMQsw
> > > CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSYwJAYDVQQDEx1EaWdp
> > > Q2VydCBFQ0MgU2VjdXJlIFNlcnZlciBDQTAeFw0xOTAxMjgwMDAwMDBaFw0yMTAy
> > > MDExMjAwMDBaMHIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYw
> > > FAYDVQQHEw1TYW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZGZsYXJlLCBJbmMu
> > > MRswGQYDVQQDExJjbG91ZGZsYXJlLWRucy5jb20wWTATBgcqhkjOPQIBBggqhkjO
> > > PQMBBwNCAATFIHCMIEJQKB59REF8MHkpHGNeHUSbxfdxOive0qKksWw9ash3uMuP
> > > LlBT/fQYJn9hN+3/wr7pC125fuHfHOJ0o4ID6DCCA+QwHwYDVR0jBBgwFoAUo53m
> > > H/naOU/AbuiRy5Wl2jHiCp8wHQYDVR0OBBYEFHCV3FyjjmYH28uBEMar58OoRX+g
> > > MIGsBgNVHREEgaQwgaGCEmNsb3VkZmxhcmUtZG5zLmNvbYIUKi5jbG91ZGZsYXJl
> > > LWRucy5jb22CD29uZS5vbmUub25lLm9uZYcEAQEBAYcEAQAAAYcEop+ENYcQJgZH
> > > AEcAAAAAAAAAAAAREYcQJgZHAEcAAAAAAAAAAAAQAYcQJgZHAEcAAAAAAAAAAAAA
> > > ZIcQJgZHAEcAAAAAAAAAAABkAIcEop8kAYcEop8uATAOBgNVHQ8BAf8EBAMCB4Aw
> > > HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGkGA1UdHwRiMGAwLqAsoCqG
> > > KGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9zc2NhLWVjYy1nMS5jcmwwLqAsoCqG
> > > KGh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zc2NhLWVjYy1nMS5jcmwwTAYDVR0g
> > > BEUwQzA3BglghkgBhv1sAQEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGln
> > > aWNlcnQuY29tL0NQUzAIBgZngQwBAgIwewYIKwYBBQUHAQEEbzBtMCQGCCsGAQUF
> > > BzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRQYIKwYBBQUHMAKGOWh0dHA6
> > > Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEVDQ1NlY3VyZVNlcnZlckNB
> > > LmNydDAMBgNVHRMBAf8EAjAAMIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWgAdgCk
> > > uQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3cEAAAAWiVHhSLAAAEAwBHMEUC
> > > IQDlnoPeMXtFkRsy3Vs0eovk3ILKt01x6bgUdMlmQTFIvAIgcAn0lFSjiGzHm2eO
> > > jDZJzMiP5Uaj0Jwub9GO8RkxkkoAdQCHdb/nWXz4jEOZX73zbv9WjUdWNv9KtWDB
> > > tOr/XqCDDwAAAWiVHhVsAAAEAwBGMEQCIFC0n0JModeol8b/Qicxd5Blf/o7xOs/
> > > Bk0j9hdc5N7jAiAQocYnHL9iMqTtFkh0vmSsII5NbiakM/2yDEXnwkPRvAB3ALvZ
> > > 37wfinG1k5Qjl6qSe0c4V5UKq1LoGpCWZDaOHtGFAAABaJUeFJEAAAQDAEgwRgIh
> > > AL3OPTBzOZpS5rS/uLzqMOiACCFQyY+mTJ+L0I9TcB3RAiEA4+SiPz0/5kFxvrk7
> > > AKYKdvelgV1hiiPbM2YHY+/0BIkwCgYIKoZIzj0EAwIDaAAwZQIwez76hX2HTMur
> > > /I3XRuwfdmVoa8J6ZVEVq+AZsE7DyQh7AV4WNLU+092BrPbnyVUFAjEAzUf5jdz1
> > > pyc74lgOunC7LBE6cPtWbzfGpJiYyT/T+c5eIAwRYziKT0DKbaql7tiZ
> > > -----END CERTIFICATE-----
> > > subject=C = US, ST = California, L = San Francisco, O =
> > > "Cloudflare, Inc.", CN = cloudflare-dns.com
> > > 
> > > issuer=C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server
> > > CA
> > > 
> > > ---
> > > No client certificate CA names sent
> > > Peer signing digest: SHA256
> > > Peer signature type: ECDSA
> > > Server Temp Key: X25519, 253 bits
> > > ---
> > > SSL handshake has read 2787 bytes and written 421 bytes
> > > Verification: OK
> > > ---
> > > New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256
> > > Server public key is 256 bit
> > > Secure Renegotiation IS NOT supported
> > > Compression: NONE
> > > Expansion: NONE
> > > No ALPN negotiated
> > > Early data was not sent
> > > Verify return code: 0 (ok)
> > > ---
> > > ---
> > > Post-Handshake New Session Ticket arrived:
> > > SSL-Session:
> > >    Protocol  : TLSv1.3
> > >    Cipher    : TLS_CHACHA20_POLY1305_SHA256
> > >    Session-ID:
> > > FAA394DF4959235034E350399A968F5C945D413F68CC5D29191B209900735C01
> > >    Session-ID-ctx: 
> > >    Resumption PSK:
> > > 414F9C16B3D4845BC0592B35CC2D28DBD9B807BCBCB95125870379E1AAA480C7
> > >    PSK identity: None
> > >    PSK identity hint: None
> > >    TLS session ticket lifetime hint: 21600 (seconds)
> > >    TLS session ticket:
> > >    0000 - 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00
> > > 00   ................
> > >    0010 - 8f 9b bb d1 0a 9e a6 0d-df d3 9d 7d 8f c1 f1
> > > 6b   ...........}...k
> > >    0020 - 00 80 31 55 77 a3 b3 5c-fe 90 11 fb 8c ef b1
> > > 23   ..1Uw..\.......#
> > >    0030 - 9c 88 83 b0 33 5d 84 d6-1a 75 db 68 67 fb 57
> > > 3d   ....3]...u.hg.W=
> > >    0040 - ef 71 6b 7f 22 ae fa bf-d7 0d 12 37 62 69 01
> > > ff   .qk."......7bi..
> > >    0050 - 5a 78 29 97 8e ab a4 8e-e0 83 ab 0f 63 fa b4
> > > d9   Zx).........c...
> > >    0060 - 3b 08 70 38 56 db 6a 43-8c d3 e4 de 5d 1e 7e
> > > cb   ;.p8V.jC....].~.
> > >    0070 - 82 63 08 cd 31 71 61 17-44 a1 98 87 8a a5 43
> > > 06   .c..1qa.D.....C.
> > >    0080 - d1 f8 aa a7 ba 3e 99 32-a9 f8 a6 14 46 bd a2
> > > 0e   .....>.2....F...
> > >    0090 - 74 79 fa 24 c5 5c a2 12-81 cb 2c 85 4b 91 c1
> > > 1b   ty.$.\....,.K...
> > >    00a0 - 7d c3 3d c9 6a 58 12 4e-41 b7 eb 29 9e b6 90
> > > 07   }.=.jX.NA..)....
> > >    00b0 - e1 92 dd 8d 44
> > > 69                                 ....Di
> > > 
> > >    Start Time: 1549799117
> > >    Timeout   : 7200 (sec)
> > >    Verify return code: 0 (ok)
> > >    Extended master secret: no
> > >    Max Early Data: 0
> > > ---
> > > read R BLOCK
> > > closed
> > > 
> > > 
> > > Which seems strange to me since Cloudflair offers TLSv1.3 but
> > > unbound initializes only TLSv1.2 .
> > > 
> > > Have check all working DoT servers from here --> 
> > > https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers
> > > too,
> > > but no TLSv1.3 at all...
> > > 
> > > 
> > > Did someone have similar behaviors ?
> > > 
> > > Best,
> > > 
> > > Erik

Re: OpenSSL-1.1.1a - No TLSv1.3 with unbound

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 11410 bytes --]

Hey Erik,

Did you try Matthias’ patch for unbound 1.9.0?

> On 14 Feb 2019, at 07:24, ummeegge <ummeegge(a)ipfire.org> wrote:
> 
> Hi Peter,
> 
> On Mi, 2019-02-13 at 19:40 +0000, Peter Müller wrote:
>> Hello Michael, hello Erik,
>> 
>> sorry for the long delay here. :-\
>> 
>> I noticed the AESCCM issue with Unbound, and will have a look
>> at it (never observed these ciphers in the wild - i.e. web and mail
>> traffic - but that does not mean anything here).
> I think the disabled AESCCM should not be the problem since on the
> first testing days TLSv1.3 did worked without problems on my machine.
> It worked at that time with the old cipher patch but also only with the
> three TLSv1.3 defaults ciphers:
> 
> # TLS_AES_256_GCM_SHA384  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
> # TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
> # TLS_AES_128_GCM_SHA256  TLSv1.3 Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
> 
> 
> so the other two CCM ciphers wasn´t enabled there.
> 
> In unbound´s example conf the tls-ciphersuites are:
> 
> # cipher setting for TLSv1.3 
> # tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
> 
> which differs very much to that one which i´d see the last time. In my
> humble opinion, it looks like speed opitimization. I think this
> settings are server settings.

Yes. The client usually offers everything it supports and the server picks the best cipher according to its own list.

So that does not have anything to do with how unbound connects to an upstream server.

>> At the moment, I do not have an idea what is going wrong
>> here (currently using 127-stable).
> What are you thinking about to go for some OpenSSL checks ? Not sure
> when Core 128 will be released but as i remember it should come not
> that long after Core 127 ???

Yes, it should have been in testing by now, but Arne is away. Hence there is a little delay.

> 
> Since this is a bigger update it might be great if more people comes
> around to test the new OpenSSL lib...
> 
>> 
>> P.S.: It's CloudFlare, not Cloudflair. :-)
> Thanks for finding the bug :D .
> 
>> 
>> P.P.S.: Thank you for the DoT server list. I will update the Wiki
>> page.
> Your welcome but keep in mind that a lot of this servers listed in
> there are testing ones (regular checks points out that there are longer
> time off or do have problems with certificates).
> CleanBrowsing, Adguard (not sure which lists they use to filter!) and
> Google are new listed as regular public resolvers -->
> https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Public+Resolvers .
> 
> Best,
> 
> Erik
> 
> 
>> 
>> Thanks, and best regards,
>> Peter Müller
>> 
>>> Hi,
>>> 
>>> This is a bit weird.
>>> 
>>> Does the version of unbound support TLS 1.3? We had to update
>>> Apache to support TLS 1.3 and we had to just rebuild haproxy to
>>> support it, too. Since you are running a build of unbound that was
>>> built against OpenSSL 1.1.1 I would say the latter isn’t likely.
>>> 
>>> -Michael
>>> 
>>>> On 10 Feb 2019, at 14:15, ummeegge <ummeegge(a)ipfire.org> wrote:
>>>> 
>>>> Hi all,
>>>> did an fresh install from origin/next of Core 128 with the new
>>>> OpenSSL-
>>>> 1.1.1a . Have checked also DNS-over-TLS which works well but kdig
>>>> points out that the TLS sessions operates only with TLSv1.2
>>>> instaed of
>>>> the new delivered TLSv1.3 .
>>>> 
>>>> A test with Cloudflair (which uses TLSv1.3) looks like this -->
>>>> 
>>>> kdig Test:
>>>> 
>>>> 
>>>> ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1),
>>>> server(1.1.1.1), port(853), protocol(TCP)
>>>> ;; DEBUG: TLS, imported 135 certificates from '/etc/ssl/certs/ca-
>>>> bundle.crt'
>>>> ;; DEBUG: TLS, received certificate hierarchy:
>>>> ;; DEBUG:  #1, C=US,ST=California,L=San Francisco,O=Cloudflare\,
>>>> Inc.,CN=cloudflare-dns.com
>>>> ;; DEBUG:      SHA-256 PIN:
>>>> V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
>>>> ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server
>>>> CA
>>>> ;; DEBUG:      SHA-256 PIN:
>>>> PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
>>>> ;; DEBUG: TLS, skipping certificate PIN check
>>>> ;; DEBUG: TLS, The certificate is trusted. 
>>>> ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
>>>> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 51175
>>>> ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0;
>>>> ADDITIONAL: 1
>>>> 
>>>> ;; EDNS PSEUDOSECTION:
>>>> ;; Version: 0; flags: do; UDP size: 1452 B; ext-rcode: NOERROR
>>>> ;; PADDING: 239 B
>>>> 
>>>> ;; QUESTION SECTION:
>>>> ;; www.isoc.org.       		IN	A
>>>> 
>>>> ;; ANSWER SECTION:
>>>> www.isoc.org.       	300	IN	A	46.43.36.222
>>>> www.isoc.org.       	300	IN	RRSIG	A 7 3 300
>>>> 20190224085001 20190210085001 45830 isoc.org.
>>>> g64C7zJUL1zqUBbcZVDcEKO05EHz19ZHwxr4i8kTieW8XgX63lLZwhJTL1UK0NxOG
>>>> CPOZSVthWBp9HF9WnFjPsxsfkrxkOoz/Hcl1ZuTpWUTBLfBKqnpPJm2NJ2yoR7hPe
>>>> rUvtl0sHJnIOczrHnAlCwZBo8OOw9tlW0va+706ZQ=
>>>> 
>>>> ;; Received 468 B
>>>> ;; Time 2019-02-10 12:40:19 CET
>>>> ;; From 1.1.1.1(a)853(TCP) in 18.0 ms
>>>> 
>>>> 
>>>> 
>>>> And a test with s_client:
>>>> 
>>>> [root(a)ipfire tmp]# openssl s_client -connect 1.1.1.1:853
>>>> CONNECTED(00000003)
>>>> depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN =
>>>> DigiCert Global Root CA
>>>> verify return:1
>>>> depth=1 C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server
>>>> CA
>>>> verify return:1
>>>> depth=0 C = US, ST = California, L = San Francisco, O =
>>>> "Cloudflare, Inc.", CN = cloudflare-dns.com
>>>> verify return:1
>>>> ---
>>>> Certificate chain
>>>> 0 s:C = US, ST = California, L = San Francisco, O = "Cloudflare,
>>>> Inc.", CN = cloudflare-dns.com
>>>>  i:C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
>>>> 1 s:C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
>>>>  i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN =
>>>> DigiCert Global Root CA
>>>> ---
>>>> Server certificate
>>>> -----BEGIN CERTIFICATE-----
>>>> MIIFxjCCBUygAwIBAgIQAczjGN6fVn+rKySQH62nHTAKBggqhkjOPQQDAjBMMQsw
>>>> CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSYwJAYDVQQDEx1EaWdp
>>>> Q2VydCBFQ0MgU2VjdXJlIFNlcnZlciBDQTAeFw0xOTAxMjgwMDAwMDBaFw0yMTAy
>>>> MDExMjAwMDBaMHIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYw
>>>> FAYDVQQHEw1TYW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZGZsYXJlLCBJbmMu
>>>> MRswGQYDVQQDExJjbG91ZGZsYXJlLWRucy5jb20wWTATBgcqhkjOPQIBBggqhkjO
>>>> PQMBBwNCAATFIHCMIEJQKB59REF8MHkpHGNeHUSbxfdxOive0qKksWw9ash3uMuP
>>>> LlBT/fQYJn9hN+3/wr7pC125fuHfHOJ0o4ID6DCCA+QwHwYDVR0jBBgwFoAUo53m
>>>> H/naOU/AbuiRy5Wl2jHiCp8wHQYDVR0OBBYEFHCV3FyjjmYH28uBEMar58OoRX+g
>>>> MIGsBgNVHREEgaQwgaGCEmNsb3VkZmxhcmUtZG5zLmNvbYIUKi5jbG91ZGZsYXJl
>>>> LWRucy5jb22CD29uZS5vbmUub25lLm9uZYcEAQEBAYcEAQAAAYcEop+ENYcQJgZH
>>>> AEcAAAAAAAAAAAAREYcQJgZHAEcAAAAAAAAAAAAQAYcQJgZHAEcAAAAAAAAAAAAA
>>>> ZIcQJgZHAEcAAAAAAAAAAABkAIcEop8kAYcEop8uATAOBgNVHQ8BAf8EBAMCB4Aw
>>>> HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGkGA1UdHwRiMGAwLqAsoCqG
>>>> KGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9zc2NhLWVjYy1nMS5jcmwwLqAsoCqG
>>>> KGh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zc2NhLWVjYy1nMS5jcmwwTAYDVR0g
>>>> BEUwQzA3BglghkgBhv1sAQEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGln
>>>> aWNlcnQuY29tL0NQUzAIBgZngQwBAgIwewYIKwYBBQUHAQEEbzBtMCQGCCsGAQUF
>>>> BzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRQYIKwYBBQUHMAKGOWh0dHA6
>>>> Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEVDQ1NlY3VyZVNlcnZlckNB
>>>> LmNydDAMBgNVHRMBAf8EAjAAMIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWgAdgCk
>>>> uQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3cEAAAAWiVHhSLAAAEAwBHMEUC
>>>> IQDlnoPeMXtFkRsy3Vs0eovk3ILKt01x6bgUdMlmQTFIvAIgcAn0lFSjiGzHm2eO
>>>> jDZJzMiP5Uaj0Jwub9GO8RkxkkoAdQCHdb/nWXz4jEOZX73zbv9WjUdWNv9KtWDB
>>>> tOr/XqCDDwAAAWiVHhVsAAAEAwBGMEQCIFC0n0JModeol8b/Qicxd5Blf/o7xOs/
>>>> Bk0j9hdc5N7jAiAQocYnHL9iMqTtFkh0vmSsII5NbiakM/2yDEXnwkPRvAB3ALvZ
>>>> 37wfinG1k5Qjl6qSe0c4V5UKq1LoGpCWZDaOHtGFAAABaJUeFJEAAAQDAEgwRgIh
>>>> AL3OPTBzOZpS5rS/uLzqMOiACCFQyY+mTJ+L0I9TcB3RAiEA4+SiPz0/5kFxvrk7
>>>> AKYKdvelgV1hiiPbM2YHY+/0BIkwCgYIKoZIzj0EAwIDaAAwZQIwez76hX2HTMur
>>>> /I3XRuwfdmVoa8J6ZVEVq+AZsE7DyQh7AV4WNLU+092BrPbnyVUFAjEAzUf5jdz1
>>>> pyc74lgOunC7LBE6cPtWbzfGpJiYyT/T+c5eIAwRYziKT0DKbaql7tiZ
>>>> -----END CERTIFICATE-----
>>>> subject=C = US, ST = California, L = San Francisco, O =
>>>> "Cloudflare, Inc.", CN = cloudflare-dns.com
>>>> 
>>>> issuer=C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server
>>>> CA
>>>> 
>>>> ---
>>>> No client certificate CA names sent
>>>> Peer signing digest: SHA256
>>>> Peer signature type: ECDSA
>>>> Server Temp Key: X25519, 253 bits
>>>> ---
>>>> SSL handshake has read 2787 bytes and written 421 bytes
>>>> Verification: OK
>>>> ---
>>>> New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256
>>>> Server public key is 256 bit
>>>> Secure Renegotiation IS NOT supported
>>>> Compression: NONE
>>>> Expansion: NONE
>>>> No ALPN negotiated
>>>> Early data was not sent
>>>> Verify return code: 0 (ok)
>>>> ---
>>>> ---
>>>> Post-Handshake New Session Ticket arrived:
>>>> SSL-Session:
>>>>   Protocol  : TLSv1.3
>>>>   Cipher    : TLS_CHACHA20_POLY1305_SHA256
>>>>   Session-ID:
>>>> FAA394DF4959235034E350399A968F5C945D413F68CC5D29191B209900735C01
>>>>   Session-ID-ctx: 
>>>>   Resumption PSK:
>>>> 414F9C16B3D4845BC0592B35CC2D28DBD9B807BCBCB95125870379E1AAA480C7
>>>>   PSK identity: None
>>>>   PSK identity hint: None
>>>>   TLS session ticket lifetime hint: 21600 (seconds)
>>>>   TLS session ticket:
>>>>   0000 - 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00
>>>> 00   ................
>>>>   0010 - 8f 9b bb d1 0a 9e a6 0d-df d3 9d 7d 8f c1 f1
>>>> 6b   ...........}...k
>>>>   0020 - 00 80 31 55 77 a3 b3 5c-fe 90 11 fb 8c ef b1
>>>> 23   ..1Uw..\.......#
>>>>   0030 - 9c 88 83 b0 33 5d 84 d6-1a 75 db 68 67 fb 57
>>>> 3d   ....3]...u.hg.W=
>>>>   0040 - ef 71 6b 7f 22 ae fa bf-d7 0d 12 37 62 69 01
>>>> ff   .qk."......7bi..
>>>>   0050 - 5a 78 29 97 8e ab a4 8e-e0 83 ab 0f 63 fa b4
>>>> d9   Zx).........c...
>>>>   0060 - 3b 08 70 38 56 db 6a 43-8c d3 e4 de 5d 1e 7e
>>>> cb   ;.p8V.jC....].~.
>>>>   0070 - 82 63 08 cd 31 71 61 17-44 a1 98 87 8a a5 43
>>>> 06   .c..1qa.D.....C.
>>>>   0080 - d1 f8 aa a7 ba 3e 99 32-a9 f8 a6 14 46 bd a2
>>>> 0e   .....>.2....F...
>>>>   0090 - 74 79 fa 24 c5 5c a2 12-81 cb 2c 85 4b 91 c1
>>>> 1b   ty.$.\....,.K...
>>>>   00a0 - 7d c3 3d c9 6a 58 12 4e-41 b7 eb 29 9e b6 90
>>>> 07   }.=.jX.NA..)....
>>>>   00b0 - e1 92 dd 8d 44
>>>> 69                                 ....Di
>>>> 
>>>>   Start Time: 1549799117
>>>>   Timeout   : 7200 (sec)
>>>>   Verify return code: 0 (ok)
>>>>   Extended master secret: no
>>>>   Max Early Data: 0
>>>> ---
>>>> read R BLOCK
>>>> closed
>>>> 
>>>> 
>>>> Which seems strange to me since Cloudflair offers TLSv1.3 but
>>>> unbound initializes only TLSv1.2 .
>>>> 
>>>> Have check all working DoT servers from here --> 
>>>> https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers
>>>> too,
>>>> but no TLSv1.3 at all...
>>>> 
>>>> 
>>>> Did someone have similar behaviors ?
>>>> 
>>>> Best,
>>>> 
>>>> Erik
> 

Re: OpenSSL-1.1.1a - No TLSv1.3 with unbound

[ummeegge]

[-- Attachment #1: Type: text/plain, Size: 13392 bytes --]

On Do, 2019-02-14 at 11:11 +0000, Michael Tremer wrote:
> Hey Erik,
> 
> Did you try Matthias’ patch for unbound 1.9.0?
Yes, and have currently no problems with it. As a beneath one, all
TLSv1.3 tests/problems has been made with 1.8.3 but they appears also
with 1.9.0 .


> 
> > On 14 Feb 2019, at 07:24, ummeegge <ummeegge(a)ipfire.org> wrote:
> > 
> > Hi Peter,
> > 
> > On Mi, 2019-02-13 at 19:40 +0000, Peter Müller wrote:
> > > Hello Michael, hello Erik,
> > > 
> > > sorry for the long delay here. :-\
> > > 
> > > I noticed the AESCCM issue with Unbound, and will have a look
> > > at it (never observed these ciphers in the wild - i.e. web and
> > > mail
> > > traffic - but that does not mean anything here).
> > 
> > I think the disabled AESCCM should not be the problem since on the
> > first testing days TLSv1.3 did worked without problems on my
> > machine.
> > It worked at that time with the old cipher patch but also only with
> > the
> > three TLSv1.3 defaults ciphers:
> > 
> > # TLS_AES_256_GCM_SHA384  TLSv1.3
> > Kx=any      Au=any  Enc=AESGCM(256) Mac=AEAD
> > # TLS_CHACHA20_POLY1305_SHA256 TLSv1.3
> > Kx=any      Au=any  Enc=CHACHA20/POLY1305(256) Mac=AEAD
> > # TLS_AES_128_GCM_SHA256  TLSv1.3
> > Kx=any      Au=any  Enc=AESGCM(128) Mac=AEAD
> > 
> > 
> > so the other two CCM ciphers wasn´t enabled there.
> > 
> > In unbound´s example conf the tls-ciphersuites are:
> > 
> > # cipher setting for TLSv1.3 
> > # tls-ciphersuites:
> > "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SH
> > A256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
> > 
> > which differs very much to that one which i´d see the last time. In
> > my
> > humble opinion, it looks like speed opitimization. I think this
> > settings are server settings.
> 
> Yes. The client usually offers everything it supports and the server
> picks the best cipher according to its own list.
> 
> So that does not have anything to do with how unbound connects to an
> upstream server.
> 
> > > At the moment, I do not have an idea what is going wrong
> > > here (currently using 127-stable).
> > 
> > What are you thinking about to go for some OpenSSL checks ? Not
> > sure
> > when Core 128 will be released but as i remember it should come not
> > that long after Core 127 ???
> 
> Yes, it should have been in testing by now, but Arne is away. Hence
> there is a little delay.
OK, i see. Am build nevertheless again a new origin/next image playing
around with the OpenSSL cipher patch since it is the only thing i have
currently in mind what can causes the TLSv1.3 problem, but again am not
sure with this ?!

> 
> > 
> > Since this is a bigger update it might be great if more people
> > comes
> > around to test the new OpenSSL lib...
> > 
> > > 
> > > P.S.: It's CloudFlare, not Cloudflair. :-)
> > 
> > Thanks for finding the bug :D .
> > 
> > > 
> > > P.P.S.: Thank you for the DoT server list. I will update the Wiki
> > > page.
> > 
> > Your welcome but keep in mind that a lot of this servers listed in
> > there are testing ones (regular checks points out that there are
> > longer
> > time off or do have problems with certificates).
> > CleanBrowsing, Adguard (not sure which lists they use to filter!)
> > and
> > Google are new listed as regular public resolvers -->
> > https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Public+Resolvers
> >  .
> > 
> > Best,
> > 
> > Erik
> > 
> > 
> > > 
> > > Thanks, and best regards,
> > > Peter Müller
> > > 
> > > > Hi,
> > > > 
> > > > This is a bit weird.
> > > > 
> > > > Does the version of unbound support TLS 1.3? We had to update
> > > > Apache to support TLS 1.3 and we had to just rebuild haproxy to
> > > > support it, too. Since you are running a build of unbound that
> > > > was
> > > > built against OpenSSL 1.1.1 I would say the latter isn’t
> > > > likely.
> > > > 
> > > > -Michael
> > > > 
> > > > > On 10 Feb 2019, at 14:15, ummeegge <ummeegge(a)ipfire.org>
> > > > > wrote:
> > > > > 
> > > > > Hi all,
> > > > > did an fresh install from origin/next of Core 128 with the
> > > > > new
> > > > > OpenSSL-
> > > > > 1.1.1a . Have checked also DNS-over-TLS which works well but
> > > > > kdig
> > > > > points out that the TLS sessions operates only with TLSv1.2
> > > > > instaed of
> > > > > the new delivered TLSv1.3 .
> > > > > 
> > > > > A test with Cloudflair (which uses TLSv1.3) looks like this
> > > > > -->
> > > > > 
> > > > > kdig Test:
> > > > > 
> > > > > 
> > > > > ;; DEBUG: Querying for owner(www.isoc.org.), class(1),
> > > > > type(1),
> > > > > server(1.1.1.1), port(853), protocol(TCP)
> > > > > ;; DEBUG: TLS, imported 135 certificates from
> > > > > '/etc/ssl/certs/ca-
> > > > > bundle.crt'
> > > > > ;; DEBUG: TLS, received certificate hierarchy:
> > > > > ;; DEBUG:  #1, C=US,ST=California,L=San
> > > > > Francisco,O=Cloudflare\,
> > > > > Inc.,CN=cloudflare-dns.com
> > > > > ;; DEBUG:      SHA-256 PIN:
> > > > > V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
> > > > > ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure
> > > > > Server
> > > > > CA
> > > > > ;; DEBUG:      SHA-256 PIN:
> > > > > PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
> > > > > ;; DEBUG: TLS, skipping certificate PIN check
> > > > > ;; DEBUG: TLS, The certificate is trusted. 
> > > > > ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
> > > > > ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 51175
> > > > > ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0;
> > > > > ADDITIONAL: 1
> > > > > 
> > > > > ;; EDNS PSEUDOSECTION:
> > > > > ;; Version: 0; flags: do; UDP size: 1452 B; ext-rcode:
> > > > > NOERROR
> > > > > ;; PADDING: 239 B
> > > > > 
> > > > > ;; QUESTION SECTION:
> > > > > ;; www.isoc.org.       		IN	A
> > > > > 
> > > > > ;; ANSWER SECTION:
> > > > > www.isoc.org.       	300	IN	A	46.43.36.222
> > > > > www.isoc.org.       	300	IN	RRSIG	A 7 3 300
> > > > > 20190224085001 20190210085001 45830 isoc.org.
> > > > > g64C7zJUL1zqUBbcZVDcEKO05EHz19ZHwxr4i8kTieW8XgX63lLZwhJTL1UK0
> > > > > NxOG
> > > > > CPOZSVthWBp9HF9WnFjPsxsfkrxkOoz/Hcl1ZuTpWUTBLfBKqnpPJm2NJ2yoR
> > > > > 7hPe
> > > > > rUvtl0sHJnIOczrHnAlCwZBo8OOw9tlW0va+706ZQ=
> > > > > 
> > > > > ;; Received 468 B
> > > > > ;; Time 2019-02-10 12:40:19 CET
> > > > > ;; From 1.1.1.1(a)853(TCP) in 18.0 ms
> > > > > 
> > > > > 
> > > > > 
> > > > > And a test with s_client:
> > > > > 
> > > > > [root(a)ipfire tmp]# openssl s_client -connect 1.1.1.1:853
> > > > > CONNECTED(00000003)
> > > > > depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN =
> > > > > DigiCert Global Root CA
> > > > > verify return:1
> > > > > depth=1 C = US, O = DigiCert Inc, CN = DigiCert ECC Secure
> > > > > Server
> > > > > CA
> > > > > verify return:1
> > > > > depth=0 C = US, ST = California, L = San Francisco, O =
> > > > > "Cloudflare, Inc.", CN = cloudflare-dns.com
> > > > > verify return:1
> > > > > ---
> > > > > Certificate chain
> > > > > 0 s:C = US, ST = California, L = San Francisco, O =
> > > > > "Cloudflare,
> > > > > Inc.", CN = cloudflare-dns.com
> > > > >  i:C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server
> > > > > CA
> > > > > 1 s:C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server
> > > > > CA
> > > > >  i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN =
> > > > > DigiCert Global Root CA
> > > > > ---
> > > > > Server certificate
> > > > > -----BEGIN CERTIFICATE-----
> > > > > MIIFxjCCBUygAwIBAgIQAczjGN6fVn+rKySQH62nHTAKBggqhkjOPQQDAjBMM
> > > > > Qsw
> > > > > CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSYwJAYDVQQDEx1Ea
> > > > > Wdp
> > > > > Q2VydCBFQ0MgU2VjdXJlIFNlcnZlciBDQTAeFw0xOTAxMjgwMDAwMDBaFw0yM
> > > > > TAy
> > > > > MDExMjAwMDBaMHIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhM
> > > > > RYw
> > > > > FAYDVQQHEw1TYW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZGZsYXJlLCBJb
> > > > > mMu
> > > > > MRswGQYDVQQDExJjbG91ZGZsYXJlLWRucy5jb20wWTATBgcqhkjOPQIBBggqh
> > > > > kjO
> > > > > PQMBBwNCAATFIHCMIEJQKB59REF8MHkpHGNeHUSbxfdxOive0qKksWw9ash3u
> > > > > MuP
> > > > > LlBT/fQYJn9hN+3/wr7pC125fuHfHOJ0o4ID6DCCA+QwHwYDVR0jBBgwFoAUo
> > > > > 53m
> > > > > H/naOU/AbuiRy5Wl2jHiCp8wHQYDVR0OBBYEFHCV3FyjjmYH28uBEMar58OoR
> > > > > X+g
> > > > > MIGsBgNVHREEgaQwgaGCEmNsb3VkZmxhcmUtZG5zLmNvbYIUKi5jbG91ZGZsY
> > > > > XJl
> > > > > LWRucy5jb22CD29uZS5vbmUub25lLm9uZYcEAQEBAYcEAQAAAYcEop+ENYcQJ
> > > > > gZH
> > > > > AEcAAAAAAAAAAAAREYcQJgZHAEcAAAAAAAAAAAAQAYcQJgZHAEcAAAAAAAAAA
> > > > > AAA
> > > > > ZIcQJgZHAEcAAAAAAAAAAABkAIcEop8kAYcEop8uATAOBgNVHQ8BAf8EBAMCB
> > > > > 4Aw
> > > > > HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGkGA1UdHwRiMGAwLqAso
> > > > > CqG
> > > > > KGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9zc2NhLWVjYy1nMS5jcmwwLqAso
> > > > > CqG
> > > > > KGh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zc2NhLWVjYy1nMS5jcmwwTAYDV
> > > > > R0g
> > > > > BEUwQzA3BglghkgBhv1sAQEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZ
> > > > > Gln
> > > > > aWNlcnQuY29tL0NQUzAIBgZngQwBAgIwewYIKwYBBQUHAQEEbzBtMCQGCCsGA
> > > > > QUF
> > > > > BzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRQYIKwYBBQUHMAKGOWh0d
> > > > > HA6
> > > > > Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEVDQ1NlY3VyZVNlcnZlc
> > > > > kNB
> > > > > LmNydDAMBgNVHRMBAf8EAjAAMIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWgAd
> > > > > gCk
> > > > > uQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3cEAAAAWiVHhSLAAAEAwBHM
> > > > > EUC
> > > > > IQDlnoPeMXtFkRsy3Vs0eovk3ILKt01x6bgUdMlmQTFIvAIgcAn0lFSjiGzHm
> > > > > 2eO
> > > > > jDZJzMiP5Uaj0Jwub9GO8RkxkkoAdQCHdb/nWXz4jEOZX73zbv9WjUdWNv9Kt
> > > > > WDB
> > > > > tOr/XqCDDwAAAWiVHhVsAAAEAwBGMEQCIFC0n0JModeol8b/Qicxd5Blf/o7x
> > > > > Os/
> > > > > Bk0j9hdc5N7jAiAQocYnHL9iMqTtFkh0vmSsII5NbiakM/2yDEXnwkPRvAB3A
> > > > > LvZ
> > > > > 37wfinG1k5Qjl6qSe0c4V5UKq1LoGpCWZDaOHtGFAAABaJUeFJEAAAQDAEgwR
> > > > > gIh
> > > > > AL3OPTBzOZpS5rS/uLzqMOiACCFQyY+mTJ+L0I9TcB3RAiEA4+SiPz0/5kFxv
> > > > > rk7
> > > > > AKYKdvelgV1hiiPbM2YHY+/0BIkwCgYIKoZIzj0EAwIDaAAwZQIwez76hX2HT
> > > > > Mur
> > > > > /I3XRuwfdmVoa8J6ZVEVq+AZsE7DyQh7AV4WNLU+092BrPbnyVUFAjEAzUf5j
> > > > > dz1
> > > > > pyc74lgOunC7LBE6cPtWbzfGpJiYyT/T+c5eIAwRYziKT0DKbaql7tiZ
> > > > > -----END CERTIFICATE-----
> > > > > subject=C = US, ST = California, L = San Francisco, O =
> > > > > "Cloudflare, Inc.", CN = cloudflare-dns.com
> > > > > 
> > > > > issuer=C = US, O = DigiCert Inc, CN = DigiCert ECC Secure
> > > > > Server
> > > > > CA
> > > > > 
> > > > > ---
> > > > > No client certificate CA names sent
> > > > > Peer signing digest: SHA256
> > > > > Peer signature type: ECDSA
> > > > > Server Temp Key: X25519, 253 bits
> > > > > ---
> > > > > SSL handshake has read 2787 bytes and written 421 bytes
> > > > > Verification: OK
> > > > > ---
> > > > > New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256
> > > > > Server public key is 256 bit
> > > > > Secure Renegotiation IS NOT supported
> > > > > Compression: NONE
> > > > > Expansion: NONE
> > > > > No ALPN negotiated
> > > > > Early data was not sent
> > > > > Verify return code: 0 (ok)
> > > > > ---
> > > > > ---
> > > > > Post-Handshake New Session Ticket arrived:
> > > > > SSL-Session:
> > > > >   Protocol  : TLSv1.3
> > > > >   Cipher    : TLS_CHACHA20_POLY1305_SHA256
> > > > >   Session-ID:
> > > > > FAA394DF4959235034E350399A968F5C945D413F68CC5D29191B209900735
> > > > > C01
> > > > >   Session-ID-ctx: 
> > > > >   Resumption PSK:
> > > > > 414F9C16B3D4845BC0592B35CC2D28DBD9B807BCBCB95125870379E1AAA48
> > > > > 0C7
> > > > >   PSK identity: None
> > > > >   PSK identity hint: None
> > > > >   TLS session ticket lifetime hint: 21600 (seconds)
> > > > >   TLS session ticket:
> > > > >   0000 - 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00
> > > > > 00   ................
> > > > >   0010 - 8f 9b bb d1 0a 9e a6 0d-df d3 9d 7d 8f c1 f1
> > > > > 6b   ...........}...k
> > > > >   0020 - 00 80 31 55 77 a3 b3 5c-fe 90 11 fb 8c ef b1
> > > > > 23   ..1Uw..\.......#
> > > > >   0030 - 9c 88 83 b0 33 5d 84 d6-1a 75 db 68 67 fb 57
> > > > > 3d   ....3]...u.hg.W=
> > > > >   0040 - ef 71 6b 7f 22 ae fa bf-d7 0d 12 37 62 69 01
> > > > > ff   .qk."......7bi..
> > > > >   0050 - 5a 78 29 97 8e ab a4 8e-e0 83 ab 0f 63 fa b4
> > > > > d9   Zx).........c...
> > > > >   0060 - 3b 08 70 38 56 db 6a 43-8c d3 e4 de 5d 1e 7e
> > > > > cb   ;.p8V.jC....].~.
> > > > >   0070 - 82 63 08 cd 31 71 61 17-44 a1 98 87 8a a5 43
> > > > > 06   .c..1qa.D.....C.
> > > > >   0080 - d1 f8 aa a7 ba 3e 99 32-a9 f8 a6 14 46 bd a2
> > > > > 0e   .....>.2....F...
> > > > >   0090 - 74 79 fa 24 c5 5c a2 12-81 cb 2c 85 4b 91 c1
> > > > > 1b   ty.$.\....,.K...
> > > > >   00a0 - 7d c3 3d c9 6a 58 12 4e-41 b7 eb 29 9e b6 90
> > > > > 07   }.=.jX.NA..)....
> > > > >   00b0 - e1 92 dd 8d 44
> > > > > 69                                 ....Di
> > > > > 
> > > > >   Start Time: 1549799117
> > > > >   Timeout   : 7200 (sec)
> > > > >   Verify return code: 0 (ok)
> > > > >   Extended master secret: no
> > > > >   Max Early Data: 0
> > > > > ---
> > > > > read R BLOCK
> > > > > closed
> > > > > 
> > > > > 
> > > > > Which seems strange to me since Cloudflair offers TLSv1.3 but
> > > > > unbound initializes only TLSv1.2 .
> > > > > 
> > > > > Have check all working DoT servers from here --> 
> > > > > 
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers
> > > > > too,
> > > > > but no TLSv1.3 at all...
> > > > > 
> > > > > 
> > > > > Did someone have similar behaviors ?
> > > > > 
> > > > > Best,
> > > > > 
> > > > > Erik
> 
> 

Re: OpenSSL-1.1.1a - No TLSv1.3 with unbound

[ummeegge]

[-- Attachment #1: Type: text/plain, Size: 2926 bytes --]

Hi,
have captured now the traffic with tshark and it seems that unbound do
uses TLSv1.3 but kdig seems to be the problem which did not reflect
this. Shortend output:

5 0.017092078  192.168.25.13 → 9.9.9.9      TLSv1 405 Client Hello
    9 0.030988995      9.9.9.9 → 192.168.25.13  TLSv1.3 1506 Server Hello, Change Cipher Spec, Application Data
   10 0.031152498      9.9.9.9 → 192.168.25.13  TLSv1.3 1506 Application Data [TCP segment of a reassembled PDU]
   11 0.031305390      9.9.9.9 → 192.168.25.13  TLSv1.3 195 Application Data, Application Data
   12 0.032631746  192.168.25.13 → 9.9.9.9      TCP 66 49708 → 853 [ACK] Seq=340 Ack=1441 Win=32256 Len=0 TSval=1081350533 TSecr=3653489529
   13 0.032703370  192.168.25.13 → 9.9.9.9      TCP 66 49708 → 853 [ACK] Seq=340 Ack=2881 Win=35328 Len=0 TSval=1081350533 TSecr=3653489529
   14 0.032834733  192.168.25.13 → 9.9.9.9      TCP 66 49708 → 853 [ACK] Seq=340 Ack=3010 Win=37888 Len=0 TSval=1081350534 TSecr=3653489529
   16 0.048498506  192.168.25.13 → 9.9.9.9      TLSv1.3 146 Change Cipher Spec, Application Data
   26 0.061705575      9.9.9.9 → 192.168.25.13  TLSv1.3 145 Application Data
   27 0.061814933      9.9.9.9 → 192.168.25.13  TLSv1.3 145 Application Data
   28 0.062346891  192.168.25.13 → 9.9.9.9      TLSv1.3 135 Application Data
   31 0.093868737      9.9.9.9 → 192.168.25.13  TLSv1.3 1374 Application Data
   32 0.094863556  192.168.25.13 → 9.9.9.9      TCP 66 49708 → 853 [ACK] Seq=489 Ack=4476 Win=40960 Len=0 TSval=1081350596 TSecr=3653489561
   34 0.095815051  192.168.25.13 → 9.9.9.9      TLSv1.3 90 Application Data
   35 0.095889061  192.168.25.13 → 9.9.9.9      TCP 66 49708 → 853 [FIN, ACK] Seq=513 Ack=4476 Win=40960 Len=0 TSval=1081350597 TSecr=3653489561
   39 0.106144908  192.168.25.13 → 9.9.9.9      TCP 74 49712 → 853 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1081350607 TSecr=0 WS=512
   42 0.108875164      9.9.9.9 → 192.168.25.13  TLSv1.3 90 Application Data
   43 0.109334250      9.9.9.9 → 192.168.25.13  TCP 66 853 → 49708 [FIN, ACK] Seq=4500 Ack=514 Win=30208 Len=0 TSval=3653489608 TSecr=1081350596
   44 0.109656164  192.168.25.13 → 9.9.9.9      TCP 54 49708 → 853 [RST] Seq=514 Win=0 Len=0
   45 0.109961291  192.168.25.13 → 9.9.9.9      TCP 54 49708 → 853 [RST] Seq=514 Win=0 Len=0
   49 0.118048710      9.9.9.9 → 192.168.25.13  TCP 74 853 → 49712 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1452 SACK_PERM=1 TSval=3653489618 TSecr=1081350607 WS=256
   50 0.119914237  192.168.25.13 → 9.9.9.9      TCP 66 49712 → 853 [ACK] Seq=1 Ack=1 Win=29696 Len=0 TSval=1081350620 TSecr=3653489618
   51 0.120180988  192.168.25.13 → 9.9.9.9      TLSv1 405 Client Hello

so forget about this subject but thanks for sharing your opinions.

Will go for a checkout if i can find something in knot section...


Best,

Erik

Re: OpenSSL-1.1.1a - No TLSv1.3 with unbound

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 3152 bytes --]

Hi,

Wait, so does that mean that unbound works with TLS 1.3 but kdig doesn’t?

-Michael

> On 7 Mar 2019, at 04:16, ummeegge <ummeegge(a)ipfire.org> wrote:
> 
> Hi,
> have captured now the traffic with tshark and it seems that unbound do
> uses TLSv1.3 but kdig seems to be the problem which did not reflect
> this. Shortend output:
> 
> 5 0.017092078  192.168.25.13 → 9.9.9.9      TLSv1 405 Client Hello
>    9 0.030988995      9.9.9.9 → 192.168.25.13  TLSv1.3 1506 Server Hello, Change Cipher Spec, Application Data
>   10 0.031152498      9.9.9.9 → 192.168.25.13  TLSv1.3 1506 Application Data [TCP segment of a reassembled PDU]
>   11 0.031305390      9.9.9.9 → 192.168.25.13  TLSv1.3 195 Application Data, Application Data
>   12 0.032631746  192.168.25.13 → 9.9.9.9      TCP 66 49708 → 853 [ACK] Seq=340 Ack=1441 Win=32256 Len=0 TSval=1081350533 TSecr=3653489529
>   13 0.032703370  192.168.25.13 → 9.9.9.9      TCP 66 49708 → 853 [ACK] Seq=340 Ack=2881 Win=35328 Len=0 TSval=1081350533 TSecr=3653489529
>   14 0.032834733  192.168.25.13 → 9.9.9.9      TCP 66 49708 → 853 [ACK] Seq=340 Ack=3010 Win=37888 Len=0 TSval=1081350534 TSecr=3653489529
>   16 0.048498506  192.168.25.13 → 9.9.9.9      TLSv1.3 146 Change Cipher Spec, Application Data
>   26 0.061705575      9.9.9.9 → 192.168.25.13  TLSv1.3 145 Application Data
>   27 0.061814933      9.9.9.9 → 192.168.25.13  TLSv1.3 145 Application Data
>   28 0.062346891  192.168.25.13 → 9.9.9.9      TLSv1.3 135 Application Data
>   31 0.093868737      9.9.9.9 → 192.168.25.13  TLSv1.3 1374 Application Data
>   32 0.094863556  192.168.25.13 → 9.9.9.9      TCP 66 49708 → 853 [ACK] Seq=489 Ack=4476 Win=40960 Len=0 TSval=1081350596 TSecr=3653489561
>   34 0.095815051  192.168.25.13 → 9.9.9.9      TLSv1.3 90 Application Data
>   35 0.095889061  192.168.25.13 → 9.9.9.9      TCP 66 49708 → 853 [FIN, ACK] Seq=513 Ack=4476 Win=40960 Len=0 TSval=1081350597 TSecr=3653489561
>   39 0.106144908  192.168.25.13 → 9.9.9.9      TCP 74 49712 → 853 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1081350607 TSecr=0 WS=512
>   42 0.108875164      9.9.9.9 → 192.168.25.13  TLSv1.3 90 Application Data
>   43 0.109334250      9.9.9.9 → 192.168.25.13  TCP 66 853 → 49708 [FIN, ACK] Seq=4500 Ack=514 Win=30208 Len=0 TSval=3653489608 TSecr=1081350596
>   44 0.109656164  192.168.25.13 → 9.9.9.9      TCP 54 49708 → 853 [RST] Seq=514 Win=0 Len=0
>   45 0.109961291  192.168.25.13 → 9.9.9.9      TCP 54 49708 → 853 [RST] Seq=514 Win=0 Len=0
>   49 0.118048710      9.9.9.9 → 192.168.25.13  TCP 74 853 → 49712 [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1452 SACK_PERM=1 TSval=3653489618 TSecr=1081350607 WS=256
>   50 0.119914237  192.168.25.13 → 9.9.9.9      TCP 66 49712 → 853 [ACK] Seq=1 Ack=1 Win=29696 Len=0 TSval=1081350620 TSecr=3653489618
>   51 0.120180988  192.168.25.13 → 9.9.9.9      TLSv1 405 Client Hello
> 
> so forget about this subject but thanks for sharing your opinions.
> 
> Will go for a checkout if i can find something in knot section...
> 
> 
> Best,
> 
> Erik
> 

Re: OpenSSL-1.1.1a - No TLSv1.3 with unbound

[ummeegge]

[-- Attachment #1: Type: text/plain, Size: 3918 bytes --]

Hi Michael,

On Do, 2019-03-07 at 08:54 +0000, Michael Tremer wrote:
> Hi,
> 
> Wait, so does that mean that unbound works with TLS 1.3 but kdig
> doesn’t?
Yes it strangely looks like. What it makes even more strange that on
the other machine TLSv1.3 is also detected from kdig. But may you
remember, some curves on the same servers where differently displayed
on both machines. tshark shows the same for cloudflare and other not
TLSv1.3 ready servers are also shown correct with TLSv1.2.

But which one can now be trust ? Possibly tshark is a little more
trustworthy IMHO. Am building currently the new knot-2.8.0 version to
check if things are changing there.

Best,

Erik

> 
> -Michael
> 
> > On 7 Mar 2019, at 04:16, ummeegge <ummeegge(a)ipfire.org> wrote:
> > 
> > Hi,
> > have captured now the traffic with tshark and it seems that unbound
> > do
> > uses TLSv1.3 but kdig seems to be the problem which did not reflect
> > this. Shortend output:
> > 
> > 5 0.017092078  192.168.25.13 → 9.9.9.9      TLSv1 405 Client Hello
> >    9 0.030988995      9.9.9.9 → 192.168.25.13  TLSv1.3 1506 Server
> > Hello, Change Cipher Spec, Application Data
> >   10 0.031152498      9.9.9.9 → 192.168.25.13  TLSv1.3 1506
> > Application Data [TCP segment of a reassembled PDU]
> >   11 0.031305390      9.9.9.9 → 192.168.25.13  TLSv1.3 195
> > Application Data, Application Data
> >   12 0.032631746  192.168.25.13 → 9.9.9.9      TCP 66 49708 → 853
> > [ACK] Seq=340 Ack=1441 Win=32256 Len=0 TSval=1081350533
> > TSecr=3653489529
> >   13 0.032703370  192.168.25.13 → 9.9.9.9      TCP 66 49708 → 853
> > [ACK] Seq=340 Ack=2881 Win=35328 Len=0 TSval=1081350533
> > TSecr=3653489529
> >   14 0.032834733  192.168.25.13 → 9.9.9.9      TCP 66 49708 → 853
> > [ACK] Seq=340 Ack=3010 Win=37888 Len=0 TSval=1081350534
> > TSecr=3653489529
> >   16 0.048498506  192.168.25.13 → 9.9.9.9      TLSv1.3 146 Change
> > Cipher Spec, Application Data
> >   26 0.061705575      9.9.9.9 → 192.168.25.13  TLSv1.3 145
> > Application Data
> >   27 0.061814933      9.9.9.9 → 192.168.25.13  TLSv1.3 145
> > Application Data
> >   28 0.062346891  192.168.25.13 → 9.9.9.9      TLSv1.3 135
> > Application Data
> >   31 0.093868737      9.9.9.9 → 192.168.25.13  TLSv1.3 1374
> > Application Data
> >   32 0.094863556  192.168.25.13 → 9.9.9.9      TCP 66 49708 → 853
> > [ACK] Seq=489 Ack=4476 Win=40960 Len=0 TSval=1081350596
> > TSecr=3653489561
> >   34 0.095815051  192.168.25.13 → 9.9.9.9      TLSv1.3 90
> > Application Data
> >   35 0.095889061  192.168.25.13 → 9.9.9.9      TCP 66 49708 → 853
> > [FIN, ACK] Seq=513 Ack=4476 Win=40960 Len=0 TSval=1081350597
> > TSecr=3653489561
> >   39 0.106144908  192.168.25.13 → 9.9.9.9      TCP 74 49712 → 853
> > [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1081350607
> > TSecr=0 WS=512
> >   42 0.108875164      9.9.9.9 → 192.168.25.13  TLSv1.3 90
> > Application Data
> >   43 0.109334250      9.9.9.9 → 192.168.25.13  TCP 66 853 → 49708
> > [FIN, ACK] Seq=4500 Ack=514 Win=30208 Len=0 TSval=3653489608
> > TSecr=1081350596
> >   44 0.109656164  192.168.25.13 → 9.9.9.9      TCP 54 49708 → 853
> > [RST] Seq=514 Win=0 Len=0
> >   45 0.109961291  192.168.25.13 → 9.9.9.9      TCP 54 49708 → 853
> > [RST] Seq=514 Win=0 Len=0
> >   49 0.118048710      9.9.9.9 → 192.168.25.13  TCP 74 853 → 49712
> > [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1452 SACK_PERM=1
> > TSval=3653489618 TSecr=1081350607 WS=256
> >   50 0.119914237  192.168.25.13 → 9.9.9.9      TCP 66 49712 → 853
> > [ACK] Seq=1 Ack=1 Win=29696 Len=0 TSval=1081350620 TSecr=3653489618
> >   51 0.120180988  192.168.25.13 → 9.9.9.9      TLSv1 405 Client
> > Hello
> > 
> > so forget about this subject but thanks for sharing your opinions.
> > 
> > Will go for a checkout if i can find something in knot section...
> > 
> > 
> > Best,
> > 
> > Erik
> > 
> 
> 

Re: OpenSSL-1.1.1a - No TLSv1.3 with unbound

[ummeegge]

[-- Attachment #1: Type: text/plain, Size: 4317 bytes --]

Just wanted to report that since the update to Core 131 kdig shows
meanwhile also TLSv1.3 correctly.

Best,

Erik


On Do, 2019-03-07 at 10:05 +0100, ummeegge wrote:
> Hi Michael,
> 
> On Do, 2019-03-07 at 08:54 +0000, Michael Tremer wrote:
> > Hi,
> > 
> > Wait, so does that mean that unbound works with TLS 1.3 but kdig
> > doesn’t?
> 
> Yes it strangely looks like. What it makes even more strange that on
> the other machine TLSv1.3 is also detected from kdig. But may you
> remember, some curves on the same servers where differently displayed
> on both machines. tshark shows the same for cloudflare and other not
> TLSv1.3 ready servers are also shown correct with TLSv1.2.
> 
> But which one can now be trust ? Possibly tshark is a little more
> trustworthy IMHO. Am building currently the new knot-2.8.0 version to
> check if things are changing there.
> 
> Best,
> 
> Erik
> 
> > 
> > -Michael
> > 
> > > On 7 Mar 2019, at 04:16, ummeegge <ummeegge(a)ipfire.org> wrote:
> > > 
> > > Hi,
> > > have captured now the traffic with tshark and it seems that
> > > unbound
> > > do
> > > uses TLSv1.3 but kdig seems to be the problem which did not
> > > reflect
> > > this. Shortend output:
> > > 
> > > 5 0.017092078  192.168.25.13 → 9.9.9.9      TLSv1 405 Client
> > > Hello
> > >    9 0.030988995      9.9.9.9 → 192.168.25.13  TLSv1.3 1506
> > > Server
> > > Hello, Change Cipher Spec, Application Data
> > >   10 0.031152498      9.9.9.9 → 192.168.25.13  TLSv1.3 1506
> > > Application Data [TCP segment of a reassembled PDU]
> > >   11 0.031305390      9.9.9.9 → 192.168.25.13  TLSv1.3 195
> > > Application Data, Application Data
> > >   12 0.032631746  192.168.25.13 → 9.9.9.9      TCP 66 49708 → 853
> > > [ACK] Seq=340 Ack=1441 Win=32256 Len=0 TSval=1081350533
> > > TSecr=3653489529
> > >   13 0.032703370  192.168.25.13 → 9.9.9.9      TCP 66 49708 → 853
> > > [ACK] Seq=340 Ack=2881 Win=35328 Len=0 TSval=1081350533
> > > TSecr=3653489529
> > >   14 0.032834733  192.168.25.13 → 9.9.9.9      TCP 66 49708 → 853
> > > [ACK] Seq=340 Ack=3010 Win=37888 Len=0 TSval=1081350534
> > > TSecr=3653489529
> > >   16 0.048498506  192.168.25.13 → 9.9.9.9      TLSv1.3 146 Change
> > > Cipher Spec, Application Data
> > >   26 0.061705575      9.9.9.9 → 192.168.25.13  TLSv1.3 145
> > > Application Data
> > >   27 0.061814933      9.9.9.9 → 192.168.25.13  TLSv1.3 145
> > > Application Data
> > >   28 0.062346891  192.168.25.13 → 9.9.9.9      TLSv1.3 135
> > > Application Data
> > >   31 0.093868737      9.9.9.9 → 192.168.25.13  TLSv1.3 1374
> > > Application Data
> > >   32 0.094863556  192.168.25.13 → 9.9.9.9      TCP 66 49708 → 853
> > > [ACK] Seq=489 Ack=4476 Win=40960 Len=0 TSval=1081350596
> > > TSecr=3653489561
> > >   34 0.095815051  192.168.25.13 → 9.9.9.9      TLSv1.3 90
> > > Application Data
> > >   35 0.095889061  192.168.25.13 → 9.9.9.9      TCP 66 49708 → 853
> > > [FIN, ACK] Seq=513 Ack=4476 Win=40960 Len=0 TSval=1081350597
> > > TSecr=3653489561
> > >   39 0.106144908  192.168.25.13 → 9.9.9.9      TCP 74 49712 → 853
> > > [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=1081350607
> > > TSecr=0 WS=512
> > >   42 0.108875164      9.9.9.9 → 192.168.25.13  TLSv1.3 90
> > > Application Data
> > >   43 0.109334250      9.9.9.9 → 192.168.25.13  TCP 66 853 → 49708
> > > [FIN, ACK] Seq=4500 Ack=514 Win=30208 Len=0 TSval=3653489608
> > > TSecr=1081350596
> > >   44 0.109656164  192.168.25.13 → 9.9.9.9      TCP 54 49708 → 853
> > > [RST] Seq=514 Win=0 Len=0
> > >   45 0.109961291  192.168.25.13 → 9.9.9.9      TCP 54 49708 → 853
> > > [RST] Seq=514 Win=0 Len=0
> > >   49 0.118048710      9.9.9.9 → 192.168.25.13  TCP 74 853 → 49712
> > > [SYN, ACK] Seq=0 Ack=1 Win=28960 Len=0 MSS=1452 SACK_PERM=1
> > > TSval=3653489618 TSecr=1081350607 WS=256
> > >   50 0.119914237  192.168.25.13 → 9.9.9.9      TCP 66 49712 → 853
> > > [ACK] Seq=1 Ack=1 Win=29696 Len=0 TSval=1081350620
> > > TSecr=3653489618
> > >   51 0.120180988  192.168.25.13 → 9.9.9.9      TLSv1 405 Client
> > > Hello
> > > 
> > > so forget about this subject but thanks for sharing your
> > > opinions.
> > > 
> > > Will go for a checkout if i can find something in knot section...
> > > 
> > > 
> > > Best,
> > > 
> > > Erik
> > > 
> > 
> > 

Re: OpenSSL-1.1.1a - No TLSv1.3 with unbound

[ummeegge]

[-- Attachment #1: Type: text/plain, Size: 14748 bytes --]

Hi Michael,

On Mi, 2019-02-13 at 18:05 +0000, Michael Tremer wrote:
> Hi,
> 
> This is a bit weird.
Indeed.

> 
> Does the version of unbound support TLS 1.3? We had to update Apache
> to support TLS 1.3 and we had to just rebuild haproxy to support it,
> too. Since you are running a build of unbound that was built against
> OpenSSL 1.1.1 I would say the latter isn’t likely.
Yes unbound is linked agains OpenSSL-1.1.1a

Version 1.8.3
linked libs: libevent 2.1.8-stable (it uses epoll), OpenSSL 1.1.1a  20 Nov 2018
linked modules: dns64 respip validator iterator

Have two machines here running which already includes the new OpenSSL.
One machine uses the OpenSSL-1.1.1a from the first testing days with
the old OpenSSL cipher patch and the other machine is on current
origin/next state with the OpenSSL patch from Peter.

Have tried it today again and the old testing environment (old patch)
seems to work now with TLSv1.3 even the last days it does not...

Output from (let´s call it) the old machine (with the old OpenSSL
patch) with testing results from Quad9 Cloudflare and
Lightningwirelabs:

;; DEBUG: Querying for owner(google.com.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 128 certificates from '/etc/ssl/certs/ca-bundle.crt'
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
;; DEBUG:      SHA-256 PIN: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
;; DEBUG:      SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted. 
;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 53912
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1



;; DEBUG: Querying for owner(google.com.), class(1), type(1), server(9.9.9.9), port(853), protocol(TCP)
;; DEBUG: TLS, imported 128 certificates from '/etc/ssl/certs/ca-bundle.crt'
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, C=US,ST=California,L=Berkeley,O=Quad9,CN=*.quad9.net
;; DEBUG:      SHA-256 PIN: /SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg=
;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
;; DEBUG:      SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted. 
;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 7085
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 



;; DEBUG: Querying for owner(google.com.), class(1), type(1), server(81.3.27.54), port(853), protocol(TCP)
;; DEBUG: TLS, imported 128 certificates from '/etc/ssl/certs/ca-bundle.crt'
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, CN=rec1.dns.lightningwirelabs.com
;; DEBUG:      SHA-256 PIN: V3z1Ap2nDKAr7Htam2jLeVejkva3BA+vFJBEJpEemrc=
;; DEBUG:  #2, C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
;; DEBUG:      SHA-256 PIN: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted. 
;; TLS session (TLS1.2)-(ECDHE-X25519)-(ECDSA-SHA512)-(CHACHA20-POLY1305)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 33376
;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1



======================================================================

Tests with the new machine (new OpenSSL patch):

;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 135 certificates from '/etc/ssl/certs/ca-bundle.crt'
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
;; DEBUG:      SHA-256 PIN: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
;; DEBUG:      SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted. 
;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 11817
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1


;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1), server(9.9.9.9), port(853), protocol(TCP)
;; DEBUG: TLS, imported 135 certificates from '/etc/ssl/certs/ca-bundle.crt'
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, C=US,ST=California,L=Berkeley,O=Quad9,CN=*.quad9.net
;; DEBUG:      SHA-256 PIN: /SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg=
;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
;; DEBUG:      SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted. 
;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(CHACHA20-POLY1305)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 4679
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1


;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1), server(81.3.27.54), port(853), protocol(TCP)
;; DEBUG: TLS, imported 135 certificates from '/etc/ssl/certs/ca-bundle.crt'
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, CN=rec1.dns.lightningwirelabs.com
;; DEBUG:      SHA-256 PIN: V3z1Ap2nDKAr7Htam2jLeVejkva3BA+vFJBEJpEemrc=
;; DEBUG:  #2, C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
;; DEBUG:      SHA-256 PIN: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted. 
;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(CHACHA20-POLY1305)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 5685
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1



Lightningwirelabs uses on the old machine also ECDHE-X25519 , the new
one only ECDHE-ECDSA-SECP256R1 .


What it makes even more worse is that i´d compiled origin/next a couple
of days ago with the old OpenSSL patch to see if the problem comes from
there but with the same results (no TLSv1.3).

May the providers did disabled TLSv1.3 for a couple of days since at
that time my old machine have had the same TLSv1.2 results ???

Am currently not sure what happens here.


Best,

Erik



> 
> -Michael
> 
> > On 10 Feb 2019, at 14:15, ummeegge <ummeegge(a)ipfire.org> wrote:
> > 
> > Hi all,
> > did an fresh install from origin/next of Core 128 with the new
> > OpenSSL-
> > 1.1.1a . Have checked also DNS-over-TLS which works well but kdig
> > points out that the TLS sessions operates only with TLSv1.2 instaed
> > of
> > the new delivered TLSv1.3 .
> > 
> > A test with Cloudflair (which uses TLSv1.3) looks like this -->
> > 
> > kdig Test:
> > 
> > 
> > ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1),
> > server(1.1.1.1), port(853), protocol(TCP)
> > ;; DEBUG: TLS, imported 135 certificates from '/etc/ssl/certs/ca-
> > bundle.crt'
> > ;; DEBUG: TLS, received certificate hierarchy:
> > ;; DEBUG:  #1, C=US,ST=California,L=San Francisco,O=Cloudflare\,
> > Inc.,CN=cloudflare-dns.com
> > ;; DEBUG:      SHA-256 PIN:
> > V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
> > ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
> > ;; DEBUG:      SHA-256 PIN:
> > PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
> > ;; DEBUG: TLS, skipping certificate PIN check
> > ;; DEBUG: TLS, The certificate is trusted. 
> > ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
> > ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 51175
> > ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0;
> > ADDITIONAL: 1
> > 
> > ;; EDNS PSEUDOSECTION:
> > ;; Version: 0; flags: do; UDP size: 1452 B; ext-rcode: NOERROR
> > ;; PADDING: 239 B
> > 
> > ;; QUESTION SECTION:
> > ;; www.isoc.org.       		IN	A
> > 
> > ;; ANSWER SECTION:
> > www.isoc.org.       	300	IN	A	46.43.36.222
> > www.isoc.org.       	300	IN	RRSIG	A 7 3 300
> > 20190224085001 20190210085001 45830 isoc.org.
> > g64C7zJUL1zqUBbcZVDcEKO05EHz19ZHwxr4i8kTieW8XgX63lLZwhJTL1UK0NxOGCP
> > OZSVthWBp9HF9WnFjPsxsfkrxkOoz/Hcl1ZuTpWUTBLfBKqnpPJm2NJ2yoR7hPerUvt
> > l0sHJnIOczrHnAlCwZBo8OOw9tlW0va+706ZQ=
> > 
> > ;; Received 468 B
> > ;; Time 2019-02-10 12:40:19 CET
> > ;; From 1.1.1.1(a)853(TCP) in 18.0 ms
> > 
> > 
> > 
> > And a test with s_client:
> > 
> > [root(a)ipfire tmp]# openssl s_client -connect 1.1.1.1:853
> > CONNECTED(00000003)
> > depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN =
> > DigiCert Global Root CA
> > verify return:1
> > depth=1 C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server
> > CA
> > verify return:1
> > depth=0 C = US, ST = California, L = San Francisco, O =
> > "Cloudflare, Inc.", CN = cloudflare-dns.com
> > verify return:1
> > ---
> > Certificate chain
> > 0 s:C = US, ST = California, L = San Francisco, O = "Cloudflare,
> > Inc.", CN = cloudflare-dns.com
> >   i:C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
> > 1 s:C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
> >   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert
> > Global Root CA
> > ---
> > Server certificate
> > -----BEGIN CERTIFICATE-----
> > MIIFxjCCBUygAwIBAgIQAczjGN6fVn+rKySQH62nHTAKBggqhkjOPQQDAjBMMQsw
> > CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSYwJAYDVQQDEx1EaWdp
> > Q2VydCBFQ0MgU2VjdXJlIFNlcnZlciBDQTAeFw0xOTAxMjgwMDAwMDBaFw0yMTAy
> > MDExMjAwMDBaMHIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYw
> > FAYDVQQHEw1TYW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZGZsYXJlLCBJbmMu
> > MRswGQYDVQQDExJjbG91ZGZsYXJlLWRucy5jb20wWTATBgcqhkjOPQIBBggqhkjO
> > PQMBBwNCAATFIHCMIEJQKB59REF8MHkpHGNeHUSbxfdxOive0qKksWw9ash3uMuP
> > LlBT/fQYJn9hN+3/wr7pC125fuHfHOJ0o4ID6DCCA+QwHwYDVR0jBBgwFoAUo53m
> > H/naOU/AbuiRy5Wl2jHiCp8wHQYDVR0OBBYEFHCV3FyjjmYH28uBEMar58OoRX+g
> > MIGsBgNVHREEgaQwgaGCEmNsb3VkZmxhcmUtZG5zLmNvbYIUKi5jbG91ZGZsYXJl
> > LWRucy5jb22CD29uZS5vbmUub25lLm9uZYcEAQEBAYcEAQAAAYcEop+ENYcQJgZH
> > AEcAAAAAAAAAAAAREYcQJgZHAEcAAAAAAAAAAAAQAYcQJgZHAEcAAAAAAAAAAAAA
> > ZIcQJgZHAEcAAAAAAAAAAABkAIcEop8kAYcEop8uATAOBgNVHQ8BAf8EBAMCB4Aw
> > HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGkGA1UdHwRiMGAwLqAsoCqG
> > KGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9zc2NhLWVjYy1nMS5jcmwwLqAsoCqG
> > KGh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zc2NhLWVjYy1nMS5jcmwwTAYDVR0g
> > BEUwQzA3BglghkgBhv1sAQEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGln
> > aWNlcnQuY29tL0NQUzAIBgZngQwBAgIwewYIKwYBBQUHAQEEbzBtMCQGCCsGAQUF
> > BzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRQYIKwYBBQUHMAKGOWh0dHA6
> > Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEVDQ1NlY3VyZVNlcnZlckNB
> > LmNydDAMBgNVHRMBAf8EAjAAMIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWgAdgCk
> > uQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3cEAAAAWiVHhSLAAAEAwBHMEUC
> > IQDlnoPeMXtFkRsy3Vs0eovk3ILKt01x6bgUdMlmQTFIvAIgcAn0lFSjiGzHm2eO
> > jDZJzMiP5Uaj0Jwub9GO8RkxkkoAdQCHdb/nWXz4jEOZX73zbv9WjUdWNv9KtWDB
> > tOr/XqCDDwAAAWiVHhVsAAAEAwBGMEQCIFC0n0JModeol8b/Qicxd5Blf/o7xOs/
> > Bk0j9hdc5N7jAiAQocYnHL9iMqTtFkh0vmSsII5NbiakM/2yDEXnwkPRvAB3ALvZ
> > 37wfinG1k5Qjl6qSe0c4V5UKq1LoGpCWZDaOHtGFAAABaJUeFJEAAAQDAEgwRgIh
> > AL3OPTBzOZpS5rS/uLzqMOiACCFQyY+mTJ+L0I9TcB3RAiEA4+SiPz0/5kFxvrk7
> > AKYKdvelgV1hiiPbM2YHY+/0BIkwCgYIKoZIzj0EAwIDaAAwZQIwez76hX2HTMur
> > /I3XRuwfdmVoa8J6ZVEVq+AZsE7DyQh7AV4WNLU+092BrPbnyVUFAjEAzUf5jdz1
> > pyc74lgOunC7LBE6cPtWbzfGpJiYyT/T+c5eIAwRYziKT0DKbaql7tiZ
> > -----END CERTIFICATE-----
> > subject=C = US, ST = California, L = San Francisco, O =
> > "Cloudflare, Inc.", CN = cloudflare-dns.com
> > 
> > issuer=C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
> > 
> > ---
> > No client certificate CA names sent
> > Peer signing digest: SHA256
> > Peer signature type: ECDSA
> > Server Temp Key: X25519, 253 bits
> > ---
> > SSL handshake has read 2787 bytes and written 421 bytes
> > Verification: OK
> > ---
> > New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256
> > Server public key is 256 bit
> > Secure Renegotiation IS NOT supported
> > Compression: NONE
> > Expansion: NONE
> > No ALPN negotiated
> > Early data was not sent
> > Verify return code: 0 (ok)
> > ---
> > ---
> > Post-Handshake New Session Ticket arrived:
> > SSL-Session:
> >    Protocol  : TLSv1.3
> >    Cipher    : TLS_CHACHA20_POLY1305_SHA256
> >    Session-ID:
> > FAA394DF4959235034E350399A968F5C945D413F68CC5D29191B209900735C01
> >    Session-ID-ctx: 
> >    Resumption PSK:
> > 414F9C16B3D4845BC0592B35CC2D28DBD9B807BCBCB95125870379E1AAA480C7
> >    PSK identity: None
> >    PSK identity hint: None
> >    TLS session ticket lifetime hint: 21600 (seconds)
> >    TLS session ticket:
> >    0000 - 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00
> > 00   ................
> >    0010 - 8f 9b bb d1 0a 9e a6 0d-df d3 9d 7d 8f c1 f1
> > 6b   ...........}...k
> >    0020 - 00 80 31 55 77 a3 b3 5c-fe 90 11 fb 8c ef b1
> > 23   ..1Uw..\.......#
> >    0030 - 9c 88 83 b0 33 5d 84 d6-1a 75 db 68 67 fb 57
> > 3d   ....3]...u.hg.W=
> >    0040 - ef 71 6b 7f 22 ae fa bf-d7 0d 12 37 62 69 01
> > ff   .qk."......7bi..
> >    0050 - 5a 78 29 97 8e ab a4 8e-e0 83 ab 0f 63 fa b4
> > d9   Zx).........c...
> >    0060 - 3b 08 70 38 56 db 6a 43-8c d3 e4 de 5d 1e 7e
> > cb   ;.p8V.jC....].~.
> >    0070 - 82 63 08 cd 31 71 61 17-44 a1 98 87 8a a5 43
> > 06   .c..1qa.D.....C.
> >    0080 - d1 f8 aa a7 ba 3e 99 32-a9 f8 a6 14 46 bd a2
> > 0e   .....>.2....F...
> >    0090 - 74 79 fa 24 c5 5c a2 12-81 cb 2c 85 4b 91 c1
> > 1b   ty.$.\....,.K...
> >    00a0 - 7d c3 3d c9 6a 58 12 4e-41 b7 eb 29 9e b6 90
> > 07   }.=.jX.NA..)....
> >    00b0 - e1 92 dd 8d 44 69                                 ....Di
> > 
> >    Start Time: 1549799117
> >    Timeout   : 7200 (sec)
> >    Verify return code: 0 (ok)
> >    Extended master secret: no
> >    Max Early Data: 0
> > ---
> > read R BLOCK
> > closed
> > 
> > 
> > Which seems strange to me since Cloudflair offers TLSv1.3 but
> > unbound initializes only TLSv1.2 .
> > 
> > Have check all working DoT servers from here --> 
> > https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers
> > too,
> > but no TLSv1.3 at all...
> > 
> > 
> > Did someone have similar behaviors ?
> > 
> > Best,
> > 
> > Erik
> > 
> > 
> > 
> > 
> 
> 

Re: OpenSSL-1.1.1a - No TLSv1.3 with unbound

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 15250 bytes --]

Hi,

Just for the protocol. The Lightning Wire Labs resolver currently only supports TLS 1.2.

Just in case you were expecting TLS 1.3 from it.

Best,
-Michael

> On 14 Feb 2019, at 06:57, ummeegge <ummeegge(a)ipfire.org> wrote:
> 
> Hi Michael,
> 
> On Mi, 2019-02-13 at 18:05 +0000, Michael Tremer wrote:
>> Hi,
>> 
>> This is a bit weird.
> Indeed.
> 
>> 
>> Does the version of unbound support TLS 1.3? We had to update Apache
>> to support TLS 1.3 and we had to just rebuild haproxy to support it,
>> too. Since you are running a build of unbound that was built against
>> OpenSSL 1.1.1 I would say the latter isn’t likely.
> Yes unbound is linked agains OpenSSL-1.1.1a
> 
> Version 1.8.3
> linked libs: libevent 2.1.8-stable (it uses epoll), OpenSSL 1.1.1a  20 Nov 2018
> linked modules: dns64 respip validator iterator
> 
> Have two machines here running which already includes the new OpenSSL.
> One machine uses the OpenSSL-1.1.1a from the first testing days with
> the old OpenSSL cipher patch and the other machine is on current
> origin/next state with the OpenSSL patch from Peter.
> 
> Have tried it today again and the old testing environment (old patch)
> seems to work now with TLSv1.3 even the last days it does not...
> 
> Output from (let´s call it) the old machine (with the old OpenSSL
> patch) with testing results from Quad9 Cloudflare and
> Lightningwirelabs:
> 
> ;; DEBUG: Querying for owner(google.com.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
> ;; DEBUG: TLS, imported 128 certificates from '/etc/ssl/certs/ca-bundle.crt'
> ;; DEBUG: TLS, received certificate hierarchy:
> ;; DEBUG:  #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
> ;; DEBUG:      SHA-256 PIN: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
> ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
> ;; DEBUG:      SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
> ;; DEBUG: TLS, skipping certificate PIN check
> ;; DEBUG: TLS, The certificate is trusted. 
> ;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 53912
> ;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1
> 
> 
> 
> ;; DEBUG: Querying for owner(google.com.), class(1), type(1), server(9.9.9.9), port(853), protocol(TCP)
> ;; DEBUG: TLS, imported 128 certificates from '/etc/ssl/certs/ca-bundle.crt'
> ;; DEBUG: TLS, received certificate hierarchy:
> ;; DEBUG:  #1, C=US,ST=California,L=Berkeley,O=Quad9,CN=*.quad9.net
> ;; DEBUG:      SHA-256 PIN: /SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg=
> ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
> ;; DEBUG:      SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
> ;; DEBUG: TLS, skipping certificate PIN check
> ;; DEBUG: TLS, The certificate is trusted. 
> ;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 7085
> ;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 
> 
> 
> 
> ;; DEBUG: Querying for owner(google.com.), class(1), type(1), server(81.3.27.54), port(853), protocol(TCP)
> ;; DEBUG: TLS, imported 128 certificates from '/etc/ssl/certs/ca-bundle.crt'
> ;; DEBUG: TLS, received certificate hierarchy:
> ;; DEBUG:  #1, CN=rec1.dns.lightningwirelabs.com
> ;; DEBUG:      SHA-256 PIN: V3z1Ap2nDKAr7Htam2jLeVejkva3BA+vFJBEJpEemrc=
> ;; DEBUG:  #2, C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
> ;; DEBUG:      SHA-256 PIN: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
> ;; DEBUG: TLS, skipping certificate PIN check
> ;; DEBUG: TLS, The certificate is trusted. 
> ;; TLS session (TLS1.2)-(ECDHE-X25519)-(ECDSA-SHA512)-(CHACHA20-POLY1305)
> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 33376
> ;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 1
> 
> 
> 
> ======================================================================
> 
> Tests with the new machine (new OpenSSL patch):
> 
> ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
> ;; DEBUG: TLS, imported 135 certificates from '/etc/ssl/certs/ca-bundle.crt'
> ;; DEBUG: TLS, received certificate hierarchy:
> ;; DEBUG:  #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
> ;; DEBUG:      SHA-256 PIN: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
> ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
> ;; DEBUG:      SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
> ;; DEBUG: TLS, skipping certificate PIN check
> ;; DEBUG: TLS, The certificate is trusted. 
> ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 11817
> ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1
> 
> 
> ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1), server(9.9.9.9), port(853), protocol(TCP)
> ;; DEBUG: TLS, imported 135 certificates from '/etc/ssl/certs/ca-bundle.crt'
> ;; DEBUG: TLS, received certificate hierarchy:
> ;; DEBUG:  #1, C=US,ST=California,L=Berkeley,O=Quad9,CN=*.quad9.net
> ;; DEBUG:      SHA-256 PIN: /SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg=
> ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
> ;; DEBUG:      SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
> ;; DEBUG: TLS, skipping certificate PIN check
> ;; DEBUG: TLS, The certificate is trusted. 
> ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(CHACHA20-POLY1305)
> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 4679
> ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1
> 
> 
> ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1), server(81.3.27.54), port(853), protocol(TCP)
> ;; DEBUG: TLS, imported 135 certificates from '/etc/ssl/certs/ca-bundle.crt'
> ;; DEBUG: TLS, received certificate hierarchy:
> ;; DEBUG:  #1, CN=rec1.dns.lightningwirelabs.com
> ;; DEBUG:      SHA-256 PIN: V3z1Ap2nDKAr7Htam2jLeVejkva3BA+vFJBEJpEemrc=
> ;; DEBUG:  #2, C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
> ;; DEBUG:      SHA-256 PIN: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
> ;; DEBUG: TLS, skipping certificate PIN check
> ;; DEBUG: TLS, The certificate is trusted. 
> ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(CHACHA20-POLY1305)
> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 5685
> ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1
> 
> 
> 
> Lightningwirelabs uses on the old machine also ECDHE-X25519 , the new
> one only ECDHE-ECDSA-SECP256R1 .
> 
> 
> What it makes even more worse is that i´d compiled origin/next a couple
> of days ago with the old OpenSSL patch to see if the problem comes from
> there but with the same results (no TLSv1.3).
> 
> May the providers did disabled TLSv1.3 for a couple of days since at
> that time my old machine have had the same TLSv1.2 results ???
> 
> Am currently not sure what happens here.
> 
> 
> Best,
> 
> Erik
> 
> 
> 
>> 
>> -Michael
>> 
>>> On 10 Feb 2019, at 14:15, ummeegge <ummeegge(a)ipfire.org> wrote:
>>> 
>>> Hi all,
>>> did an fresh install from origin/next of Core 128 with the new
>>> OpenSSL-
>>> 1.1.1a . Have checked also DNS-over-TLS which works well but kdig
>>> points out that the TLS sessions operates only with TLSv1.2 instaed
>>> of
>>> the new delivered TLSv1.3 .
>>> 
>>> A test with Cloudflair (which uses TLSv1.3) looks like this -->
>>> 
>>> kdig Test:
>>> 
>>> 
>>> ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1),
>>> server(1.1.1.1), port(853), protocol(TCP)
>>> ;; DEBUG: TLS, imported 135 certificates from '/etc/ssl/certs/ca-
>>> bundle.crt'
>>> ;; DEBUG: TLS, received certificate hierarchy:
>>> ;; DEBUG:  #1, C=US,ST=California,L=San Francisco,O=Cloudflare\,
>>> Inc.,CN=cloudflare-dns.com
>>> ;; DEBUG:      SHA-256 PIN:
>>> V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
>>> ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
>>> ;; DEBUG:      SHA-256 PIN:
>>> PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
>>> ;; DEBUG: TLS, skipping certificate PIN check
>>> ;; DEBUG: TLS, The certificate is trusted. 
>>> ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
>>> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 51175
>>> ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0;
>>> ADDITIONAL: 1
>>> 
>>> ;; EDNS PSEUDOSECTION:
>>> ;; Version: 0; flags: do; UDP size: 1452 B; ext-rcode: NOERROR
>>> ;; PADDING: 239 B
>>> 
>>> ;; QUESTION SECTION:
>>> ;; www.isoc.org.       		IN	A
>>> 
>>> ;; ANSWER SECTION:
>>> www.isoc.org.       	300	IN	A	46.43.36.222
>>> www.isoc.org.       	300	IN	RRSIG	A 7 3 300
>>> 20190224085001 20190210085001 45830 isoc.org.
>>> g64C7zJUL1zqUBbcZVDcEKO05EHz19ZHwxr4i8kTieW8XgX63lLZwhJTL1UK0NxOGCP
>>> OZSVthWBp9HF9WnFjPsxsfkrxkOoz/Hcl1ZuTpWUTBLfBKqnpPJm2NJ2yoR7hPerUvt
>>> l0sHJnIOczrHnAlCwZBo8OOw9tlW0va+706ZQ=
>>> 
>>> ;; Received 468 B
>>> ;; Time 2019-02-10 12:40:19 CET
>>> ;; From 1.1.1.1(a)853(TCP) in 18.0 ms
>>> 
>>> 
>>> 
>>> And a test with s_client:
>>> 
>>> [root(a)ipfire tmp]# openssl s_client -connect 1.1.1.1:853
>>> CONNECTED(00000003)
>>> depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN =
>>> DigiCert Global Root CA
>>> verify return:1
>>> depth=1 C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server
>>> CA
>>> verify return:1
>>> depth=0 C = US, ST = California, L = San Francisco, O =
>>> "Cloudflare, Inc.", CN = cloudflare-dns.com
>>> verify return:1
>>> ---
>>> Certificate chain
>>> 0 s:C = US, ST = California, L = San Francisco, O = "Cloudflare,
>>> Inc.", CN = cloudflare-dns.com
>>>  i:C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
>>> 1 s:C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
>>>  i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert
>>> Global Root CA
>>> ---
>>> Server certificate
>>> -----BEGIN CERTIFICATE-----
>>> MIIFxjCCBUygAwIBAgIQAczjGN6fVn+rKySQH62nHTAKBggqhkjOPQQDAjBMMQsw
>>> CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSYwJAYDVQQDEx1EaWdp
>>> Q2VydCBFQ0MgU2VjdXJlIFNlcnZlciBDQTAeFw0xOTAxMjgwMDAwMDBaFw0yMTAy
>>> MDExMjAwMDBaMHIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYw
>>> FAYDVQQHEw1TYW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZGZsYXJlLCBJbmMu
>>> MRswGQYDVQQDExJjbG91ZGZsYXJlLWRucy5jb20wWTATBgcqhkjOPQIBBggqhkjO
>>> PQMBBwNCAATFIHCMIEJQKB59REF8MHkpHGNeHUSbxfdxOive0qKksWw9ash3uMuP
>>> LlBT/fQYJn9hN+3/wr7pC125fuHfHOJ0o4ID6DCCA+QwHwYDVR0jBBgwFoAUo53m
>>> H/naOU/AbuiRy5Wl2jHiCp8wHQYDVR0OBBYEFHCV3FyjjmYH28uBEMar58OoRX+g
>>> MIGsBgNVHREEgaQwgaGCEmNsb3VkZmxhcmUtZG5zLmNvbYIUKi5jbG91ZGZsYXJl
>>> LWRucy5jb22CD29uZS5vbmUub25lLm9uZYcEAQEBAYcEAQAAAYcEop+ENYcQJgZH
>>> AEcAAAAAAAAAAAAREYcQJgZHAEcAAAAAAAAAAAAQAYcQJgZHAEcAAAAAAAAAAAAA
>>> ZIcQJgZHAEcAAAAAAAAAAABkAIcEop8kAYcEop8uATAOBgNVHQ8BAf8EBAMCB4Aw
>>> HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGkGA1UdHwRiMGAwLqAsoCqG
>>> KGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9zc2NhLWVjYy1nMS5jcmwwLqAsoCqG
>>> KGh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zc2NhLWVjYy1nMS5jcmwwTAYDVR0g
>>> BEUwQzA3BglghkgBhv1sAQEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGln
>>> aWNlcnQuY29tL0NQUzAIBgZngQwBAgIwewYIKwYBBQUHAQEEbzBtMCQGCCsGAQUF
>>> BzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRQYIKwYBBQUHMAKGOWh0dHA6
>>> Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEVDQ1NlY3VyZVNlcnZlckNB
>>> LmNydDAMBgNVHRMBAf8EAjAAMIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWgAdgCk
>>> uQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3cEAAAAWiVHhSLAAAEAwBHMEUC
>>> IQDlnoPeMXtFkRsy3Vs0eovk3ILKt01x6bgUdMlmQTFIvAIgcAn0lFSjiGzHm2eO
>>> jDZJzMiP5Uaj0Jwub9GO8RkxkkoAdQCHdb/nWXz4jEOZX73zbv9WjUdWNv9KtWDB
>>> tOr/XqCDDwAAAWiVHhVsAAAEAwBGMEQCIFC0n0JModeol8b/Qicxd5Blf/o7xOs/
>>> Bk0j9hdc5N7jAiAQocYnHL9iMqTtFkh0vmSsII5NbiakM/2yDEXnwkPRvAB3ALvZ
>>> 37wfinG1k5Qjl6qSe0c4V5UKq1LoGpCWZDaOHtGFAAABaJUeFJEAAAQDAEgwRgIh
>>> AL3OPTBzOZpS5rS/uLzqMOiACCFQyY+mTJ+L0I9TcB3RAiEA4+SiPz0/5kFxvrk7
>>> AKYKdvelgV1hiiPbM2YHY+/0BIkwCgYIKoZIzj0EAwIDaAAwZQIwez76hX2HTMur
>>> /I3XRuwfdmVoa8J6ZVEVq+AZsE7DyQh7AV4WNLU+092BrPbnyVUFAjEAzUf5jdz1
>>> pyc74lgOunC7LBE6cPtWbzfGpJiYyT/T+c5eIAwRYziKT0DKbaql7tiZ
>>> -----END CERTIFICATE-----
>>> subject=C = US, ST = California, L = San Francisco, O =
>>> "Cloudflare, Inc.", CN = cloudflare-dns.com
>>> 
>>> issuer=C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
>>> 
>>> ---
>>> No client certificate CA names sent
>>> Peer signing digest: SHA256
>>> Peer signature type: ECDSA
>>> Server Temp Key: X25519, 253 bits
>>> ---
>>> SSL handshake has read 2787 bytes and written 421 bytes
>>> Verification: OK
>>> ---
>>> New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256
>>> Server public key is 256 bit
>>> Secure Renegotiation IS NOT supported
>>> Compression: NONE
>>> Expansion: NONE
>>> No ALPN negotiated
>>> Early data was not sent
>>> Verify return code: 0 (ok)
>>> ---
>>> ---
>>> Post-Handshake New Session Ticket arrived:
>>> SSL-Session:
>>>   Protocol  : TLSv1.3
>>>   Cipher    : TLS_CHACHA20_POLY1305_SHA256
>>>   Session-ID:
>>> FAA394DF4959235034E350399A968F5C945D413F68CC5D29191B209900735C01
>>>   Session-ID-ctx: 
>>>   Resumption PSK:
>>> 414F9C16B3D4845BC0592B35CC2D28DBD9B807BCBCB95125870379E1AAA480C7
>>>   PSK identity: None
>>>   PSK identity hint: None
>>>   TLS session ticket lifetime hint: 21600 (seconds)
>>>   TLS session ticket:
>>>   0000 - 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00
>>> 00   ................
>>>   0010 - 8f 9b bb d1 0a 9e a6 0d-df d3 9d 7d 8f c1 f1
>>> 6b   ...........}...k
>>>   0020 - 00 80 31 55 77 a3 b3 5c-fe 90 11 fb 8c ef b1
>>> 23   ..1Uw..\.......#
>>>   0030 - 9c 88 83 b0 33 5d 84 d6-1a 75 db 68 67 fb 57
>>> 3d   ....3]...u.hg.W=
>>>   0040 - ef 71 6b 7f 22 ae fa bf-d7 0d 12 37 62 69 01
>>> ff   .qk."......7bi..
>>>   0050 - 5a 78 29 97 8e ab a4 8e-e0 83 ab 0f 63 fa b4
>>> d9   Zx).........c...
>>>   0060 - 3b 08 70 38 56 db 6a 43-8c d3 e4 de 5d 1e 7e
>>> cb   ;.p8V.jC....].~.
>>>   0070 - 82 63 08 cd 31 71 61 17-44 a1 98 87 8a a5 43
>>> 06   .c..1qa.D.....C.
>>>   0080 - d1 f8 aa a7 ba 3e 99 32-a9 f8 a6 14 46 bd a2
>>> 0e   .....>.2....F...
>>>   0090 - 74 79 fa 24 c5 5c a2 12-81 cb 2c 85 4b 91 c1
>>> 1b   ty.$.\....,.K...
>>>   00a0 - 7d c3 3d c9 6a 58 12 4e-41 b7 eb 29 9e b6 90
>>> 07   }.=.jX.NA..)....
>>>   00b0 - e1 92 dd 8d 44 69                                 ....Di
>>> 
>>>   Start Time: 1549799117
>>>   Timeout   : 7200 (sec)
>>>   Verify return code: 0 (ok)
>>>   Extended master secret: no
>>>   Max Early Data: 0
>>> ---
>>> read R BLOCK
>>> closed
>>> 
>>> 
>>> Which seems strange to me since Cloudflair offers TLSv1.3 but
>>> unbound initializes only TLSv1.2 .
>>> 
>>> Have check all working DoT servers from here --> 
>>> https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers
>>> too,
>>> but no TLSv1.3 at all...
>>> 
>>> 
>>> Did someone have similar behaviors ?
>>> 
>>> Best,
>>> 
>>> Erik
>>> 
>>> 
>>> 
>>> 
>> 
>> 
> 

Re: OpenSSL-1.1.1a - No TLSv1.3 with unbound

[ummeegge]

[-- Attachment #1: Type: text/plain, Size: 17239 bytes --]

Hi Michael,

On Do, 2019-02-14 at 11:08 +0000, Michael Tremer wrote:
> Hi,
> 
> Just for the protocol. The Lightning Wire Labs resolver currently
> only supports TLS 1.2.
yes i know but the strange thing is -->

> 
> Just in case you were expecting TLS 1.3 from it.
No not TLS 1.3 but 'ECDHE-X25519' . Strangely on the origin/next
machine where no TLSv1.3 is used it offers also only 'ECDHE-ECDSA-
SECP256R1' have wrote you that already in the 'Kicking of DoT' topic.
It seems somehow related to another. The other machine (old patch <--
not sure if it has something to do with this) have no problems with
TLSv1.3 but uses also TLSv1.2 with 'ECDHE-X25519' for
Lightningwirelabs.

Smells a little fishy and am not sure if it is a fate of an individual.

Best,

Erik

> 
> Best,
> -Michael
> 
> > On 14 Feb 2019, at 06:57, ummeegge <ummeegge(a)ipfire.org> wrote:
> > 
> > Hi Michael,
> > 
> > On Mi, 2019-02-13 at 18:05 +0000, Michael Tremer wrote:
> > > Hi,
> > > 
> > > This is a bit weird.
> > 
> > Indeed.
> > 
> > > 
> > > Does the version of unbound support TLS 1.3? We had to update
> > > Apache
> > > to support TLS 1.3 and we had to just rebuild haproxy to support
> > > it,
> > > too. Since you are running a build of unbound that was built
> > > against
> > > OpenSSL 1.1.1 I would say the latter isn’t likely.
> > 
> > Yes unbound is linked agains OpenSSL-1.1.1a
> > 
> > Version 1.8.3
> > linked libs: libevent 2.1.8-stable (it uses epoll), OpenSSL
> > 1.1.1a  20 Nov 2018
> > linked modules: dns64 respip validator iterator
> > 
> > Have two machines here running which already includes the new
> > OpenSSL.
> > One machine uses the OpenSSL-1.1.1a from the first testing days
> > with
> > the old OpenSSL cipher patch and the other machine is on current
> > origin/next state with the OpenSSL patch from Peter.
> > 
> > Have tried it today again and the old testing environment (old
> > patch)
> > seems to work now with TLSv1.3 even the last days it does not...
> > 
> > Output from (let´s call it) the old machine (with the old OpenSSL
> > patch) with testing results from Quad9 Cloudflare and
> > Lightningwirelabs:
> > 
> > ;; DEBUG: Querying for owner(google.com.), class(1), type(1),
> > server(1.1.1.1), port(853), protocol(TCP)
> > ;; DEBUG: TLS, imported 128 certificates from '/etc/ssl/certs/ca-
> > bundle.crt'
> > ;; DEBUG: TLS, received certificate hierarchy:
> > ;; DEBUG:  #1, C=US,ST=California,L=San Francisco,O=Cloudflare\,
> > Inc.,CN=cloudflare-dns.com
> > ;; DEBUG:      SHA-256 PIN:
> > V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
> > ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
> > ;; DEBUG:      SHA-256 PIN:
> > PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
> > ;; DEBUG: TLS, skipping certificate PIN check
> > ;; DEBUG: TLS, The certificate is trusted. 
> > ;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-
> > (AES-256-GCM)
> > ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 53912
> > ;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL:
> > 1
> > 
> > 
> > 
> > ;; DEBUG: Querying for owner(google.com.), class(1), type(1),
> > server(9.9.9.9), port(853), protocol(TCP)
> > ;; DEBUG: TLS, imported 128 certificates from '/etc/ssl/certs/ca-
> > bundle.crt'
> > ;; DEBUG: TLS, received certificate hierarchy:
> > ;; DEBUG:  #1, C=US,ST=California,L=Berkeley,O=Quad9,CN=*.quad9.net
> > ;; DEBUG:      SHA-256 PIN:
> > /SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg=
> > ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
> > ;; DEBUG:      SHA-256 PIN:
> > PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
> > ;; DEBUG: TLS, skipping certificate PIN check
> > ;; DEBUG: TLS, The certificate is trusted. 
> > ;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-
> > (AES-256-GCM)
> > ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 7085
> > ;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 
> > 
> > 
> > 
> > ;; DEBUG: Querying for owner(google.com.), class(1), type(1),
> > server(81.3.27.54), port(853), protocol(TCP)
> > ;; DEBUG: TLS, imported 128 certificates from '/etc/ssl/certs/ca-
> > bundle.crt'
> > ;; DEBUG: TLS, received certificate hierarchy:
> > ;; DEBUG:  #1, CN=rec1.dns.lightningwirelabs.com
> > ;; DEBUG:      SHA-256 PIN:
> > V3z1Ap2nDKAr7Htam2jLeVejkva3BA+vFJBEJpEemrc=
> > ;; DEBUG:  #2, C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
> > ;; DEBUG:      SHA-256 PIN:
> > YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
> > ;; DEBUG: TLS, skipping certificate PIN check
> > ;; DEBUG: TLS, The certificate is trusted. 
> > ;; TLS session (TLS1.2)-(ECDHE-X25519)-(ECDSA-SHA512)-(CHACHA20-
> > POLY1305)
> > ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 33376
> > ;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL:
> > 1
> > 
> > 
> > 
> > ===================================================================
> > ===
> > 
> > Tests with the new machine (new OpenSSL patch):
> > 
> > ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1),
> > server(1.1.1.1), port(853), protocol(TCP)
> > ;; DEBUG: TLS, imported 135 certificates from '/etc/ssl/certs/ca-
> > bundle.crt'
> > ;; DEBUG: TLS, received certificate hierarchy:
> > ;; DEBUG:  #1, C=US,ST=California,L=San Francisco,O=Cloudflare\,
> > Inc.,CN=cloudflare-dns.com
> > ;; DEBUG:      SHA-256 PIN:
> > V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
> > ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
> > ;; DEBUG:      SHA-256 PIN:
> > PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
> > ;; DEBUG: TLS, skipping certificate PIN check
> > ;; DEBUG: TLS, The certificate is trusted. 
> > ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
> > ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 11817
> > ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0;
> > ADDITIONAL: 1
> > 
> > 
> > ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1),
> > server(9.9.9.9), port(853), protocol(TCP)
> > ;; DEBUG: TLS, imported 135 certificates from '/etc/ssl/certs/ca-
> > bundle.crt'
> > ;; DEBUG: TLS, received certificate hierarchy:
> > ;; DEBUG:  #1, C=US,ST=California,L=Berkeley,O=Quad9,CN=*.quad9.net
> > ;; DEBUG:      SHA-256 PIN:
> > /SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg=
> > ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
> > ;; DEBUG:      SHA-256 PIN:
> > PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
> > ;; DEBUG: TLS, skipping certificate PIN check
> > ;; DEBUG: TLS, The certificate is trusted. 
> > ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(CHACHA20-POLY1305)
> > ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 4679
> > ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0;
> > ADDITIONAL: 1
> > 
> > 
> > ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1),
> > server(81.3.27.54), port(853), protocol(TCP)
> > ;; DEBUG: TLS, imported 135 certificates from '/etc/ssl/certs/ca-
> > bundle.crt'
> > ;; DEBUG: TLS, received certificate hierarchy:
> > ;; DEBUG:  #1, CN=rec1.dns.lightningwirelabs.com
> > ;; DEBUG:      SHA-256 PIN:
> > V3z1Ap2nDKAr7Htam2jLeVejkva3BA+vFJBEJpEemrc=
> > ;; DEBUG:  #2, C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
> > ;; DEBUG:      SHA-256 PIN:
> > YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
> > ;; DEBUG: TLS, skipping certificate PIN check
> > ;; DEBUG: TLS, The certificate is trusted. 
> > ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(CHACHA20-POLY1305)
> > ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 5685
> > ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0;
> > ADDITIONAL: 1
> > 
> > 
> > 
> > Lightningwirelabs uses on the old machine also ECDHE-X25519 , the
> > new
> > one only ECDHE-ECDSA-SECP256R1 .
> > 
> > 
> > What it makes even more worse is that i´d compiled origin/next a
> > couple
> > of days ago with the old OpenSSL patch to see if the problem comes
> > from
> > there but with the same results (no TLSv1.3).
> > 
> > May the providers did disabled TLSv1.3 for a couple of days since
> > at
> > that time my old machine have had the same TLSv1.2 results ???
> > 
> > Am currently not sure what happens here.
> > 
> > 
> > Best,
> > 
> > Erik
> > 
> > 
> > 
> > > 
> > > -Michael
> > > 
> > > > On 10 Feb 2019, at 14:15, ummeegge <ummeegge(a)ipfire.org> wrote:
> > > > 
> > > > Hi all,
> > > > did an fresh install from origin/next of Core 128 with the new
> > > > OpenSSL-
> > > > 1.1.1a . Have checked also DNS-over-TLS which works well but
> > > > kdig
> > > > points out that the TLS sessions operates only with TLSv1.2
> > > > instaed
> > > > of
> > > > the new delivered TLSv1.3 .
> > > > 
> > > > A test with Cloudflair (which uses TLSv1.3) looks like this -->
> > > > 
> > > > kdig Test:
> > > > 
> > > > 
> > > > ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1),
> > > > server(1.1.1.1), port(853), protocol(TCP)
> > > > ;; DEBUG: TLS, imported 135 certificates from
> > > > '/etc/ssl/certs/ca-
> > > > bundle.crt'
> > > > ;; DEBUG: TLS, received certificate hierarchy:
> > > > ;; DEBUG:  #1, C=US,ST=California,L=San
> > > > Francisco,O=Cloudflare\,
> > > > Inc.,CN=cloudflare-dns.com
> > > > ;; DEBUG:      SHA-256 PIN:
> > > > V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
> > > > ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure
> > > > Server CA
> > > > ;; DEBUG:      SHA-256 PIN:
> > > > PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
> > > > ;; DEBUG: TLS, skipping certificate PIN check
> > > > ;; DEBUG: TLS, The certificate is trusted. 
> > > > ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
> > > > ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 51175
> > > > ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0;
> > > > ADDITIONAL: 1
> > > > 
> > > > ;; EDNS PSEUDOSECTION:
> > > > ;; Version: 0; flags: do; UDP size: 1452 B; ext-rcode: NOERROR
> > > > ;; PADDING: 239 B
> > > > 
> > > > ;; QUESTION SECTION:
> > > > ;; www.isoc.org.       		IN	A
> > > > 
> > > > ;; ANSWER SECTION:
> > > > www.isoc.org.       	300	IN	A	46.43.36.222
> > > > www.isoc.org.       	300	IN	RRSIG	A 7 3 300
> > > > 20190224085001 20190210085001 45830 isoc.org.
> > > > g64C7zJUL1zqUBbcZVDcEKO05EHz19ZHwxr4i8kTieW8XgX63lLZwhJTL1UK0Nx
> > > > OGCP
> > > > OZSVthWBp9HF9WnFjPsxsfkrxkOoz/Hcl1ZuTpWUTBLfBKqnpPJm2NJ2yoR7hPe
> > > > rUvt
> > > > l0sHJnIOczrHnAlCwZBo8OOw9tlW0va+706ZQ=
> > > > 
> > > > ;; Received 468 B
> > > > ;; Time 2019-02-10 12:40:19 CET
> > > > ;; From 1.1.1.1(a)853(TCP) in 18.0 ms
> > > > 
> > > > 
> > > > 
> > > > And a test with s_client:
> > > > 
> > > > [root(a)ipfire tmp]# openssl s_client -connect 1.1.1.1:853
> > > > CONNECTED(00000003)
> > > > depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN =
> > > > DigiCert Global Root CA
> > > > verify return:1
> > > > depth=1 C = US, O = DigiCert Inc, CN = DigiCert ECC Secure
> > > > Server
> > > > CA
> > > > verify return:1
> > > > depth=0 C = US, ST = California, L = San Francisco, O =
> > > > "Cloudflare, Inc.", CN = cloudflare-dns.com
> > > > verify return:1
> > > > ---
> > > > Certificate chain
> > > > 0 s:C = US, ST = California, L = San Francisco, O =
> > > > "Cloudflare,
> > > > Inc.", CN = cloudflare-dns.com
> > > >  i:C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
> > > > 1 s:C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server
> > > > CA
> > > >  i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN =
> > > > DigiCert
> > > > Global Root CA
> > > > ---
> > > > Server certificate
> > > > -----BEGIN CERTIFICATE-----
> > > > MIIFxjCCBUygAwIBAgIQAczjGN6fVn+rKySQH62nHTAKBggqhkjOPQQDAjBMMQs
> > > > w
> > > > CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSYwJAYDVQQDEx1EaWd
> > > > p
> > > > Q2VydCBFQ0MgU2VjdXJlIFNlcnZlciBDQTAeFw0xOTAxMjgwMDAwMDBaFw0yMTA
> > > > y
> > > > MDExMjAwMDBaMHIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRY
> > > > w
> > > > FAYDVQQHEw1TYW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZGZsYXJlLCBJbmM
> > > > u
> > > > MRswGQYDVQQDExJjbG91ZGZsYXJlLWRucy5jb20wWTATBgcqhkjOPQIBBggqhkj
> > > > O
> > > > PQMBBwNCAATFIHCMIEJQKB59REF8MHkpHGNeHUSbxfdxOive0qKksWw9ash3uMu
> > > > P
> > > > LlBT/fQYJn9hN+3/wr7pC125fuHfHOJ0o4ID6DCCA+QwHwYDVR0jBBgwFoAUo53
> > > > m
> > > > H/naOU/AbuiRy5Wl2jHiCp8wHQYDVR0OBBYEFHCV3FyjjmYH28uBEMar58OoRX+
> > > > g
> > > > MIGsBgNVHREEgaQwgaGCEmNsb3VkZmxhcmUtZG5zLmNvbYIUKi5jbG91ZGZsYXJ
> > > > l
> > > > LWRucy5jb22CD29uZS5vbmUub25lLm9uZYcEAQEBAYcEAQAAAYcEop+ENYcQJgZ
> > > > H
> > > > AEcAAAAAAAAAAAAREYcQJgZHAEcAAAAAAAAAAAAQAYcQJgZHAEcAAAAAAAAAAAA
> > > > A
> > > > ZIcQJgZHAEcAAAAAAAAAAABkAIcEop8kAYcEop8uATAOBgNVHQ8BAf8EBAMCB4A
> > > > w
> > > > HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGkGA1UdHwRiMGAwLqAsoCq
> > > > G
> > > > KGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9zc2NhLWVjYy1nMS5jcmwwLqAsoCq
> > > > G
> > > > KGh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zc2NhLWVjYy1nMS5jcmwwTAYDVR0
> > > > g
> > > > BEUwQzA3BglghkgBhv1sAQEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGl
> > > > n
> > > > aWNlcnQuY29tL0NQUzAIBgZngQwBAgIwewYIKwYBBQUHAQEEbzBtMCQGCCsGAQU
> > > > F
> > > > BzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRQYIKwYBBQUHMAKGOWh0dHA
> > > > 6
> > > > Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEVDQ1NlY3VyZVNlcnZlckN
> > > > B
> > > > LmNydDAMBgNVHRMBAf8EAjAAMIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWgAdgC
> > > > k
> > > > uQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3cEAAAAWiVHhSLAAAEAwBHMEU
> > > > C
> > > > IQDlnoPeMXtFkRsy3Vs0eovk3ILKt01x6bgUdMlmQTFIvAIgcAn0lFSjiGzHm2e
> > > > O
> > > > jDZJzMiP5Uaj0Jwub9GO8RkxkkoAdQCHdb/nWXz4jEOZX73zbv9WjUdWNv9KtWD
> > > > B
> > > > tOr/XqCDDwAAAWiVHhVsAAAEAwBGMEQCIFC0n0JModeol8b/Qicxd5Blf/o7xOs
> > > > /
> > > > Bk0j9hdc5N7jAiAQocYnHL9iMqTtFkh0vmSsII5NbiakM/2yDEXnwkPRvAB3ALv
> > > > Z
> > > > 37wfinG1k5Qjl6qSe0c4V5UKq1LoGpCWZDaOHtGFAAABaJUeFJEAAAQDAEgwRgI
> > > > h
> > > > AL3OPTBzOZpS5rS/uLzqMOiACCFQyY+mTJ+L0I9TcB3RAiEA4+SiPz0/5kFxvrk
> > > > 7
> > > > AKYKdvelgV1hiiPbM2YHY+/0BIkwCgYIKoZIzj0EAwIDaAAwZQIwez76hX2HTMu
> > > > r
> > > > /I3XRuwfdmVoa8J6ZVEVq+AZsE7DyQh7AV4WNLU+092BrPbnyVUFAjEAzUf5jdz
> > > > 1
> > > > pyc74lgOunC7LBE6cPtWbzfGpJiYyT/T+c5eIAwRYziKT0DKbaql7tiZ
> > > > -----END CERTIFICATE-----
> > > > subject=C = US, ST = California, L = San Francisco, O =
> > > > "Cloudflare, Inc.", CN = cloudflare-dns.com
> > > > 
> > > > issuer=C = US, O = DigiCert Inc, CN = DigiCert ECC Secure
> > > > Server CA
> > > > 
> > > > ---
> > > > No client certificate CA names sent
> > > > Peer signing digest: SHA256
> > > > Peer signature type: ECDSA
> > > > Server Temp Key: X25519, 253 bits
> > > > ---
> > > > SSL handshake has read 2787 bytes and written 421 bytes
> > > > Verification: OK
> > > > ---
> > > > New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256
> > > > Server public key is 256 bit
> > > > Secure Renegotiation IS NOT supported
> > > > Compression: NONE
> > > > Expansion: NONE
> > > > No ALPN negotiated
> > > > Early data was not sent
> > > > Verify return code: 0 (ok)
> > > > ---
> > > > ---
> > > > Post-Handshake New Session Ticket arrived:
> > > > SSL-Session:
> > > >   Protocol  : TLSv1.3
> > > >   Cipher    : TLS_CHACHA20_POLY1305_SHA256
> > > >   Session-ID:
> > > > FAA394DF4959235034E350399A968F5C945D413F68CC5D29191B209900735C0
> > > > 1
> > > >   Session-ID-ctx: 
> > > >   Resumption PSK:
> > > > 414F9C16B3D4845BC0592B35CC2D28DBD9B807BCBCB95125870379E1AAA480C
> > > > 7
> > > >   PSK identity: None
> > > >   PSK identity hint: None
> > > >   TLS session ticket lifetime hint: 21600 (seconds)
> > > >   TLS session ticket:
> > > >   0000 - 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00
> > > > 00   ................
> > > >   0010 - 8f 9b bb d1 0a 9e a6 0d-df d3 9d 7d 8f c1 f1
> > > > 6b   ...........}...k
> > > >   0020 - 00 80 31 55 77 a3 b3 5c-fe 90 11 fb 8c ef b1
> > > > 23   ..1Uw..\.......#
> > > >   0030 - 9c 88 83 b0 33 5d 84 d6-1a 75 db 68 67 fb 57
> > > > 3d   ....3]...u.hg.W=
> > > >   0040 - ef 71 6b 7f 22 ae fa bf-d7 0d 12 37 62 69 01
> > > > ff   .qk."......7bi..
> > > >   0050 - 5a 78 29 97 8e ab a4 8e-e0 83 ab 0f 63 fa b4
> > > > d9   Zx).........c...
> > > >   0060 - 3b 08 70 38 56 db 6a 43-8c d3 e4 de 5d 1e 7e
> > > > cb   ;.p8V.jC....].~.
> > > >   0070 - 82 63 08 cd 31 71 61 17-44 a1 98 87 8a a5 43
> > > > 06   .c..1qa.D.....C.
> > > >   0080 - d1 f8 aa a7 ba 3e 99 32-a9 f8 a6 14 46 bd a2
> > > > 0e   .....>.2....F...
> > > >   0090 - 74 79 fa 24 c5 5c a2 12-81 cb 2c 85 4b 91 c1
> > > > 1b   ty.$.\....,.K...
> > > >   00a0 - 7d c3 3d c9 6a 58 12 4e-41 b7 eb 29 9e b6 90
> > > > 07   }.=.jX.NA..)....
> > > >   00b0 - e1 92 dd 8d 44
> > > > 69                                 ....Di
> > > > 
> > > >   Start Time: 1549799117
> > > >   Timeout   : 7200 (sec)
> > > >   Verify return code: 0 (ok)
> > > >   Extended master secret: no
> > > >   Max Early Data: 0
> > > > ---
> > > > read R BLOCK
> > > > closed
> > > > 
> > > > 
> > > > Which seems strange to me since Cloudflair offers TLSv1.3 but
> > > > unbound initializes only TLSv1.2 .
> > > > 
> > > > Have check all working DoT servers from here --> 
> > > > https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers
> > > > too,
> > > > but no TLSv1.3 at all...
> > > > 
> > > > 
> > > > Did someone have similar behaviors ?
> > > > 
> > > > Best,
> > > > 
> > > > Erik
> > > > 
> > > > 
> > > > 
> > > > 
> > > 
> > > 
> 
> 

Re: OpenSSL-1.1.1a - No TLSv1.3 with unbound

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 17198 bytes --]

Hey,

I am getting this when I am connecting:

New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
Server public key is 384 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384

I did not configure anything else than the defaults.

-Michael

> On 14 Feb 2019, at 11:28, ummeegge <ummeegge(a)ipfire.org> wrote:
> 
> Hi Michael,
> 
> On Do, 2019-02-14 at 11:08 +0000, Michael Tremer wrote:
>> Hi,
>> 
>> Just for the protocol. The Lightning Wire Labs resolver currently
>> only supports TLS 1.2.
> yes i know but the strange thing is -->
> 
>> 
>> Just in case you were expecting TLS 1.3 from it.
> No not TLS 1.3 but 'ECDHE-X25519' . Strangely on the origin/next
> machine where no TLSv1.3 is used it offers also only 'ECDHE-ECDSA-
> SECP256R1' have wrote you that already in the 'Kicking of DoT' topic.
> It seems somehow related to another. The other machine (old patch <--
> not sure if it has something to do with this) have no problems with
> TLSv1.3 but uses also TLSv1.2 with 'ECDHE-X25519' for
> Lightningwirelabs.
> 
> Smells a little fishy and am not sure if it is a fate of an individual.
> 
> Best,
> 
> Erik
> 
>> 
>> Best,
>> -Michael
>> 
>>> On 14 Feb 2019, at 06:57, ummeegge <ummeegge(a)ipfire.org> wrote:
>>> 
>>> Hi Michael,
>>> 
>>> On Mi, 2019-02-13 at 18:05 +0000, Michael Tremer wrote:
>>>> Hi,
>>>> 
>>>> This is a bit weird.
>>> 
>>> Indeed.
>>> 
>>>> 
>>>> Does the version of unbound support TLS 1.3? We had to update
>>>> Apache
>>>> to support TLS 1.3 and we had to just rebuild haproxy to support
>>>> it,
>>>> too. Since you are running a build of unbound that was built
>>>> against
>>>> OpenSSL 1.1.1 I would say the latter isn’t likely.
>>> 
>>> Yes unbound is linked agains OpenSSL-1.1.1a
>>> 
>>> Version 1.8.3
>>> linked libs: libevent 2.1.8-stable (it uses epoll), OpenSSL
>>> 1.1.1a  20 Nov 2018
>>> linked modules: dns64 respip validator iterator
>>> 
>>> Have two machines here running which already includes the new
>>> OpenSSL.
>>> One machine uses the OpenSSL-1.1.1a from the first testing days
>>> with
>>> the old OpenSSL cipher patch and the other machine is on current
>>> origin/next state with the OpenSSL patch from Peter.
>>> 
>>> Have tried it today again and the old testing environment (old
>>> patch)
>>> seems to work now with TLSv1.3 even the last days it does not...
>>> 
>>> Output from (let´s call it) the old machine (with the old OpenSSL
>>> patch) with testing results from Quad9 Cloudflare and
>>> Lightningwirelabs:
>>> 
>>> ;; DEBUG: Querying for owner(google.com.), class(1), type(1),
>>> server(1.1.1.1), port(853), protocol(TCP)
>>> ;; DEBUG: TLS, imported 128 certificates from '/etc/ssl/certs/ca-
>>> bundle.crt'
>>> ;; DEBUG: TLS, received certificate hierarchy:
>>> ;; DEBUG:  #1, C=US,ST=California,L=San Francisco,O=Cloudflare\,
>>> Inc.,CN=cloudflare-dns.com
>>> ;; DEBUG:      SHA-256 PIN:
>>> V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
>>> ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
>>> ;; DEBUG:      SHA-256 PIN:
>>> PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
>>> ;; DEBUG: TLS, skipping certificate PIN check
>>> ;; DEBUG: TLS, The certificate is trusted. 
>>> ;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-
>>> (AES-256-GCM)
>>> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 53912
>>> ;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL:
>>> 1
>>> 
>>> 
>>> 
>>> ;; DEBUG: Querying for owner(google.com.), class(1), type(1),
>>> server(9.9.9.9), port(853), protocol(TCP)
>>> ;; DEBUG: TLS, imported 128 certificates from '/etc/ssl/certs/ca-
>>> bundle.crt'
>>> ;; DEBUG: TLS, received certificate hierarchy:
>>> ;; DEBUG:  #1, C=US,ST=California,L=Berkeley,O=Quad9,CN=*.quad9.net
>>> ;; DEBUG:      SHA-256 PIN:
>>> /SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg=
>>> ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
>>> ;; DEBUG:      SHA-256 PIN:
>>> PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
>>> ;; DEBUG: TLS, skipping certificate PIN check
>>> ;; DEBUG: TLS, The certificate is trusted. 
>>> ;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-
>>> (AES-256-GCM)
>>> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 7085
>>> ;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL: 
>>> 
>>> 
>>> 
>>> ;; DEBUG: Querying for owner(google.com.), class(1), type(1),
>>> server(81.3.27.54), port(853), protocol(TCP)
>>> ;; DEBUG: TLS, imported 128 certificates from '/etc/ssl/certs/ca-
>>> bundle.crt'
>>> ;; DEBUG: TLS, received certificate hierarchy:
>>> ;; DEBUG:  #1, CN=rec1.dns.lightningwirelabs.com
>>> ;; DEBUG:      SHA-256 PIN:
>>> V3z1Ap2nDKAr7Htam2jLeVejkva3BA+vFJBEJpEemrc=
>>> ;; DEBUG:  #2, C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
>>> ;; DEBUG:      SHA-256 PIN:
>>> YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
>>> ;; DEBUG: TLS, skipping certificate PIN check
>>> ;; DEBUG: TLS, The certificate is trusted. 
>>> ;; TLS session (TLS1.2)-(ECDHE-X25519)-(ECDSA-SHA512)-(CHACHA20-
>>> POLY1305)
>>> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 33376
>>> ;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0; ADDITIONAL:
>>> 1
>>> 
>>> 
>>> 
>>> ===================================================================
>>> ===
>>> 
>>> Tests with the new machine (new OpenSSL patch):
>>> 
>>> ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1),
>>> server(1.1.1.1), port(853), protocol(TCP)
>>> ;; DEBUG: TLS, imported 135 certificates from '/etc/ssl/certs/ca-
>>> bundle.crt'
>>> ;; DEBUG: TLS, received certificate hierarchy:
>>> ;; DEBUG:  #1, C=US,ST=California,L=San Francisco,O=Cloudflare\,
>>> Inc.,CN=cloudflare-dns.com
>>> ;; DEBUG:      SHA-256 PIN:
>>> V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
>>> ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
>>> ;; DEBUG:      SHA-256 PIN:
>>> PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
>>> ;; DEBUG: TLS, skipping certificate PIN check
>>> ;; DEBUG: TLS, The certificate is trusted. 
>>> ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
>>> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 11817
>>> ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0;
>>> ADDITIONAL: 1
>>> 
>>> 
>>> ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1),
>>> server(9.9.9.9), port(853), protocol(TCP)
>>> ;; DEBUG: TLS, imported 135 certificates from '/etc/ssl/certs/ca-
>>> bundle.crt'
>>> ;; DEBUG: TLS, received certificate hierarchy:
>>> ;; DEBUG:  #1, C=US,ST=California,L=Berkeley,O=Quad9,CN=*.quad9.net
>>> ;; DEBUG:      SHA-256 PIN:
>>> /SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg=
>>> ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
>>> ;; DEBUG:      SHA-256 PIN:
>>> PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
>>> ;; DEBUG: TLS, skipping certificate PIN check
>>> ;; DEBUG: TLS, The certificate is trusted. 
>>> ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(CHACHA20-POLY1305)
>>> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 4679
>>> ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0;
>>> ADDITIONAL: 1
>>> 
>>> 
>>> ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1),
>>> server(81.3.27.54), port(853), protocol(TCP)
>>> ;; DEBUG: TLS, imported 135 certificates from '/etc/ssl/certs/ca-
>>> bundle.crt'
>>> ;; DEBUG: TLS, received certificate hierarchy:
>>> ;; DEBUG:  #1, CN=rec1.dns.lightningwirelabs.com
>>> ;; DEBUG:      SHA-256 PIN:
>>> V3z1Ap2nDKAr7Htam2jLeVejkva3BA+vFJBEJpEemrc=
>>> ;; DEBUG:  #2, C=US,O=Let's Encrypt,CN=Let's Encrypt Authority X3
>>> ;; DEBUG:      SHA-256 PIN:
>>> YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
>>> ;; DEBUG: TLS, skipping certificate PIN check
>>> ;; DEBUG: TLS, The certificate is trusted. 
>>> ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(CHACHA20-POLY1305)
>>> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 5685
>>> ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0;
>>> ADDITIONAL: 1
>>> 
>>> 
>>> 
>>> Lightningwirelabs uses on the old machine also ECDHE-X25519 , the
>>> new
>>> one only ECDHE-ECDSA-SECP256R1 .
>>> 
>>> 
>>> What it makes even more worse is that i´d compiled origin/next a
>>> couple
>>> of days ago with the old OpenSSL patch to see if the problem comes
>>> from
>>> there but with the same results (no TLSv1.3).
>>> 
>>> May the providers did disabled TLSv1.3 for a couple of days since
>>> at
>>> that time my old machine have had the same TLSv1.2 results ???
>>> 
>>> Am currently not sure what happens here.
>>> 
>>> 
>>> Best,
>>> 
>>> Erik
>>> 
>>> 
>>> 
>>>> 
>>>> -Michael
>>>> 
>>>>> On 10 Feb 2019, at 14:15, ummeegge <ummeegge(a)ipfire.org> wrote:
>>>>> 
>>>>> Hi all,
>>>>> did an fresh install from origin/next of Core 128 with the new
>>>>> OpenSSL-
>>>>> 1.1.1a . Have checked also DNS-over-TLS which works well but
>>>>> kdig
>>>>> points out that the TLS sessions operates only with TLSv1.2
>>>>> instaed
>>>>> of
>>>>> the new delivered TLSv1.3 .
>>>>> 
>>>>> A test with Cloudflair (which uses TLSv1.3) looks like this -->
>>>>> 
>>>>> kdig Test:
>>>>> 
>>>>> 
>>>>> ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1),
>>>>> server(1.1.1.1), port(853), protocol(TCP)
>>>>> ;; DEBUG: TLS, imported 135 certificates from
>>>>> '/etc/ssl/certs/ca-
>>>>> bundle.crt'
>>>>> ;; DEBUG: TLS, received certificate hierarchy:
>>>>> ;; DEBUG:  #1, C=US,ST=California,L=San
>>>>> Francisco,O=Cloudflare\,
>>>>> Inc.,CN=cloudflare-dns.com
>>>>> ;; DEBUG:      SHA-256 PIN:
>>>>> V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
>>>>> ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure
>>>>> Server CA
>>>>> ;; DEBUG:      SHA-256 PIN:
>>>>> PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
>>>>> ;; DEBUG: TLS, skipping certificate PIN check
>>>>> ;; DEBUG: TLS, The certificate is trusted. 
>>>>> ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
>>>>> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 51175
>>>>> ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0;
>>>>> ADDITIONAL: 1
>>>>> 
>>>>> ;; EDNS PSEUDOSECTION:
>>>>> ;; Version: 0; flags: do; UDP size: 1452 B; ext-rcode: NOERROR
>>>>> ;; PADDING: 239 B
>>>>> 
>>>>> ;; QUESTION SECTION:
>>>>> ;; www.isoc.org.       		IN	A
>>>>> 
>>>>> ;; ANSWER SECTION:
>>>>> www.isoc.org.       	300	IN	A	46.43.36.222
>>>>> www.isoc.org.       	300	IN	RRSIG	A 7 3 300
>>>>> 20190224085001 20190210085001 45830 isoc.org.
>>>>> g64C7zJUL1zqUBbcZVDcEKO05EHz19ZHwxr4i8kTieW8XgX63lLZwhJTL1UK0Nx
>>>>> OGCP
>>>>> OZSVthWBp9HF9WnFjPsxsfkrxkOoz/Hcl1ZuTpWUTBLfBKqnpPJm2NJ2yoR7hPe
>>>>> rUvt
>>>>> l0sHJnIOczrHnAlCwZBo8OOw9tlW0va+706ZQ=
>>>>> 
>>>>> ;; Received 468 B
>>>>> ;; Time 2019-02-10 12:40:19 CET
>>>>> ;; From 1.1.1.1(a)853(TCP) in 18.0 ms
>>>>> 
>>>>> 
>>>>> 
>>>>> And a test with s_client:
>>>>> 
>>>>> [root(a)ipfire tmp]# openssl s_client -connect 1.1.1.1:853
>>>>> CONNECTED(00000003)
>>>>> depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN =
>>>>> DigiCert Global Root CA
>>>>> verify return:1
>>>>> depth=1 C = US, O = DigiCert Inc, CN = DigiCert ECC Secure
>>>>> Server
>>>>> CA
>>>>> verify return:1
>>>>> depth=0 C = US, ST = California, L = San Francisco, O =
>>>>> "Cloudflare, Inc.", CN = cloudflare-dns.com
>>>>> verify return:1
>>>>> ---
>>>>> Certificate chain
>>>>> 0 s:C = US, ST = California, L = San Francisco, O =
>>>>> "Cloudflare,
>>>>> Inc.", CN = cloudflare-dns.com
>>>>> i:C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
>>>>> 1 s:C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server
>>>>> CA
>>>>> i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN =
>>>>> DigiCert
>>>>> Global Root CA
>>>>> ---
>>>>> Server certificate
>>>>> -----BEGIN CERTIFICATE-----
>>>>> MIIFxjCCBUygAwIBAgIQAczjGN6fVn+rKySQH62nHTAKBggqhkjOPQQDAjBMMQs
>>>>> w
>>>>> CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSYwJAYDVQQDEx1EaWd
>>>>> p
>>>>> Q2VydCBFQ0MgU2VjdXJlIFNlcnZlciBDQTAeFw0xOTAxMjgwMDAwMDBaFw0yMTA
>>>>> y
>>>>> MDExMjAwMDBaMHIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRY
>>>>> w
>>>>> FAYDVQQHEw1TYW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZGZsYXJlLCBJbmM
>>>>> u
>>>>> MRswGQYDVQQDExJjbG91ZGZsYXJlLWRucy5jb20wWTATBgcqhkjOPQIBBggqhkj
>>>>> O
>>>>> PQMBBwNCAATFIHCMIEJQKB59REF8MHkpHGNeHUSbxfdxOive0qKksWw9ash3uMu
>>>>> P
>>>>> LlBT/fQYJn9hN+3/wr7pC125fuHfHOJ0o4ID6DCCA+QwHwYDVR0jBBgwFoAUo53
>>>>> m
>>>>> H/naOU/AbuiRy5Wl2jHiCp8wHQYDVR0OBBYEFHCV3FyjjmYH28uBEMar58OoRX+
>>>>> g
>>>>> MIGsBgNVHREEgaQwgaGCEmNsb3VkZmxhcmUtZG5zLmNvbYIUKi5jbG91ZGZsYXJ
>>>>> l
>>>>> LWRucy5jb22CD29uZS5vbmUub25lLm9uZYcEAQEBAYcEAQAAAYcEop+ENYcQJgZ
>>>>> H
>>>>> AEcAAAAAAAAAAAAREYcQJgZHAEcAAAAAAAAAAAAQAYcQJgZHAEcAAAAAAAAAAAA
>>>>> A
>>>>> ZIcQJgZHAEcAAAAAAAAAAABkAIcEop8kAYcEop8uATAOBgNVHQ8BAf8EBAMCB4A
>>>>> w
>>>>> HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGkGA1UdHwRiMGAwLqAsoCq
>>>>> G
>>>>> KGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9zc2NhLWVjYy1nMS5jcmwwLqAsoCq
>>>>> G
>>>>> KGh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zc2NhLWVjYy1nMS5jcmwwTAYDVR0
>>>>> g
>>>>> BEUwQzA3BglghkgBhv1sAQEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGl
>>>>> n
>>>>> aWNlcnQuY29tL0NQUzAIBgZngQwBAgIwewYIKwYBBQUHAQEEbzBtMCQGCCsGAQU
>>>>> F
>>>>> BzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRQYIKwYBBQUHMAKGOWh0dHA
>>>>> 6
>>>>> Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEVDQ1NlY3VyZVNlcnZlckN
>>>>> B
>>>>> LmNydDAMBgNVHRMBAf8EAjAAMIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWgAdgC
>>>>> k
>>>>> uQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3cEAAAAWiVHhSLAAAEAwBHMEU
>>>>> C
>>>>> IQDlnoPeMXtFkRsy3Vs0eovk3ILKt01x6bgUdMlmQTFIvAIgcAn0lFSjiGzHm2e
>>>>> O
>>>>> jDZJzMiP5Uaj0Jwub9GO8RkxkkoAdQCHdb/nWXz4jEOZX73zbv9WjUdWNv9KtWD
>>>>> B
>>>>> tOr/XqCDDwAAAWiVHhVsAAAEAwBGMEQCIFC0n0JModeol8b/Qicxd5Blf/o7xOs
>>>>> /
>>>>> Bk0j9hdc5N7jAiAQocYnHL9iMqTtFkh0vmSsII5NbiakM/2yDEXnwkPRvAB3ALv
>>>>> Z
>>>>> 37wfinG1k5Qjl6qSe0c4V5UKq1LoGpCWZDaOHtGFAAABaJUeFJEAAAQDAEgwRgI
>>>>> h
>>>>> AL3OPTBzOZpS5rS/uLzqMOiACCFQyY+mTJ+L0I9TcB3RAiEA4+SiPz0/5kFxvrk
>>>>> 7
>>>>> AKYKdvelgV1hiiPbM2YHY+/0BIkwCgYIKoZIzj0EAwIDaAAwZQIwez76hX2HTMu
>>>>> r
>>>>> /I3XRuwfdmVoa8J6ZVEVq+AZsE7DyQh7AV4WNLU+092BrPbnyVUFAjEAzUf5jdz
>>>>> 1
>>>>> pyc74lgOunC7LBE6cPtWbzfGpJiYyT/T+c5eIAwRYziKT0DKbaql7tiZ
>>>>> -----END CERTIFICATE-----
>>>>> subject=C = US, ST = California, L = San Francisco, O =
>>>>> "Cloudflare, Inc.", CN = cloudflare-dns.com
>>>>> 
>>>>> issuer=C = US, O = DigiCert Inc, CN = DigiCert ECC Secure
>>>>> Server CA
>>>>> 
>>>>> ---
>>>>> No client certificate CA names sent
>>>>> Peer signing digest: SHA256
>>>>> Peer signature type: ECDSA
>>>>> Server Temp Key: X25519, 253 bits
>>>>> ---
>>>>> SSL handshake has read 2787 bytes and written 421 bytes
>>>>> Verification: OK
>>>>> ---
>>>>> New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256
>>>>> Server public key is 256 bit
>>>>> Secure Renegotiation IS NOT supported
>>>>> Compression: NONE
>>>>> Expansion: NONE
>>>>> No ALPN negotiated
>>>>> Early data was not sent
>>>>> Verify return code: 0 (ok)
>>>>> ---
>>>>> ---
>>>>> Post-Handshake New Session Ticket arrived:
>>>>> SSL-Session:
>>>>>  Protocol  : TLSv1.3
>>>>>  Cipher    : TLS_CHACHA20_POLY1305_SHA256
>>>>>  Session-ID:
>>>>> FAA394DF4959235034E350399A968F5C945D413F68CC5D29191B209900735C0
>>>>> 1
>>>>>  Session-ID-ctx: 
>>>>>  Resumption PSK:
>>>>> 414F9C16B3D4845BC0592B35CC2D28DBD9B807BCBCB95125870379E1AAA480C
>>>>> 7
>>>>>  PSK identity: None
>>>>>  PSK identity hint: None
>>>>>  TLS session ticket lifetime hint: 21600 (seconds)
>>>>>  TLS session ticket:
>>>>>  0000 - 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00
>>>>> 00   ................
>>>>>  0010 - 8f 9b bb d1 0a 9e a6 0d-df d3 9d 7d 8f c1 f1
>>>>> 6b   ...........}...k
>>>>>  0020 - 00 80 31 55 77 a3 b3 5c-fe 90 11 fb 8c ef b1
>>>>> 23   ..1Uw..\.......#
>>>>>  0030 - 9c 88 83 b0 33 5d 84 d6-1a 75 db 68 67 fb 57
>>>>> 3d   ....3]...u.hg.W=
>>>>>  0040 - ef 71 6b 7f 22 ae fa bf-d7 0d 12 37 62 69 01
>>>>> ff   .qk."......7bi..
>>>>>  0050 - 5a 78 29 97 8e ab a4 8e-e0 83 ab 0f 63 fa b4
>>>>> d9   Zx).........c...
>>>>>  0060 - 3b 08 70 38 56 db 6a 43-8c d3 e4 de 5d 1e 7e
>>>>> cb   ;.p8V.jC....].~.
>>>>>  0070 - 82 63 08 cd 31 71 61 17-44 a1 98 87 8a a5 43
>>>>> 06   .c..1qa.D.....C.
>>>>>  0080 - d1 f8 aa a7 ba 3e 99 32-a9 f8 a6 14 46 bd a2
>>>>> 0e   .....>.2....F...
>>>>>  0090 - 74 79 fa 24 c5 5c a2 12-81 cb 2c 85 4b 91 c1
>>>>> 1b   ty.$.\....,.K...
>>>>>  00a0 - 7d c3 3d c9 6a 58 12 4e-41 b7 eb 29 9e b6 90
>>>>> 07   }.=.jX.NA..)....
>>>>>  00b0 - e1 92 dd 8d 44
>>>>> 69                                 ....Di
>>>>> 
>>>>>  Start Time: 1549799117
>>>>>  Timeout   : 7200 (sec)
>>>>>  Verify return code: 0 (ok)
>>>>>  Extended master secret: no
>>>>>  Max Early Data: 0
>>>>> ---
>>>>> read R BLOCK
>>>>> closed
>>>>> 
>>>>> 
>>>>> Which seems strange to me since Cloudflair offers TLSv1.3 but
>>>>> unbound initializes only TLSv1.2 .
>>>>> 
>>>>> Have check all working DoT servers from here --> 
>>>>> https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers
>>>>> too,
>>>>> but no TLSv1.3 at all...
>>>>> 
>>>>> 
>>>>> Did someone have similar behaviors ?
>>>>> 
>>>>> Best,
>>>>> 
>>>>> Erik
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>> 
>>>> 
>> 
>> 
> 

Re: OpenSSL-1.1.1a - No TLSv1.3 with unbound

[ummeegge]

[-- Attachment #1: Type: text/plain, Size: 20987 bytes --]

Hi Michael,


On Do, 2019-02-14 at 11:31 +0000, Michael Tremer wrote:
> Hey,
> 
> I am getting this when I am connecting:
> 
> New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
> Server public key is 384 bit
> Secure Renegotiation IS supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384
> 
> I did not configure anything else than the defaults.
OK, this is a little strange too since one machine uses the 25519 curve
:-) .
Also i have had this conversation --> 
https://lists.ipfire.org/pipermail/development/2018-December/005059.html
in mind so i was searching for this.

But this is also a beneath one, the TLSv1.3 is in my main focus, will
need a little until the build is finished. It might neverthless help
very much if someone else can also went in some testings !

Best,

Erik


> 
> -Michael
> 
> > On 14 Feb 2019, at 11:28, ummeegge <ummeegge(a)ipfire.org> wrote:
> > 
> > Hi Michael,
> > 
> > On Do, 2019-02-14 at 11:08 +0000, Michael Tremer wrote:
> > > Hi,
> > > 
> > > Just for the protocol. The Lightning Wire Labs resolver currently
> > > only supports TLS 1.2.
> > 
> > yes i know but the strange thing is -->
> > 
> > > 
> > > Just in case you were expecting TLS 1.3 from it.
> > 
> > No not TLS 1.3 but 'ECDHE-X25519' . Strangely on the origin/next
> > machine where no TLSv1.3 is used it offers also only 'ECDHE-ECDSA-
> > SECP256R1' have wrote you that already in the 'Kicking of DoT'
> > topic.
> > It seems somehow related to another. The other machine (old patch
> > <--
> > not sure if it has something to do with this) have no problems with
> > TLSv1.3 but uses also TLSv1.2 with 'ECDHE-X25519' for
> > Lightningwirelabs.
> > 
> > Smells a little fishy and am not sure if it is a fate of an
> > individual.
> > 
> > Best,
> > 
> > Erik
> > 
> > > 
> > > Best,
> > > -Michael
> > > 
> > > > On 14 Feb 2019, at 06:57, ummeegge <ummeegge(a)ipfire.org> wrote:
> > > > 
> > > > Hi Michael,
> > > > 
> > > > On Mi, 2019-02-13 at 18:05 +0000, Michael Tremer wrote:
> > > > > Hi,
> > > > > 
> > > > > This is a bit weird.
> > > > 
> > > > Indeed.
> > > > 
> > > > > 
> > > > > Does the version of unbound support TLS 1.3? We had to update
> > > > > Apache
> > > > > to support TLS 1.3 and we had to just rebuild haproxy to
> > > > > support
> > > > > it,
> > > > > too. Since you are running a build of unbound that was built
> > > > > against
> > > > > OpenSSL 1.1.1 I would say the latter isn’t likely.
> > > > 
> > > > Yes unbound is linked agains OpenSSL-1.1.1a
> > > > 
> > > > Version 1.8.3
> > > > linked libs: libevent 2.1.8-stable (it uses epoll), OpenSSL
> > > > 1.1.1a  20 Nov 2018
> > > > linked modules: dns64 respip validator iterator
> > > > 
> > > > Have two machines here running which already includes the new
> > > > OpenSSL.
> > > > One machine uses the OpenSSL-1.1.1a from the first testing days
> > > > with
> > > > the old OpenSSL cipher patch and the other machine is on
> > > > current
> > > > origin/next state with the OpenSSL patch from Peter.
> > > > 
> > > > Have tried it today again and the old testing environment (old
> > > > patch)
> > > > seems to work now with TLSv1.3 even the last days it does
> > > > not...
> > > > 
> > > > Output from (let´s call it) the old machine (with the old
> > > > OpenSSL
> > > > patch) with testing results from Quad9 Cloudflare and
> > > > Lightningwirelabs:
> > > > 
> > > > ;; DEBUG: Querying for owner(google.com.), class(1), type(1),
> > > > server(1.1.1.1), port(853), protocol(TCP)
> > > > ;; DEBUG: TLS, imported 128 certificates from
> > > > '/etc/ssl/certs/ca-
> > > > bundle.crt'
> > > > ;; DEBUG: TLS, received certificate hierarchy:
> > > > ;; DEBUG:  #1, C=US,ST=California,L=San
> > > > Francisco,O=Cloudflare\,
> > > > Inc.,CN=cloudflare-dns.com
> > > > ;; DEBUG:      SHA-256 PIN:
> > > > V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
> > > > ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure
> > > > Server CA
> > > > ;; DEBUG:      SHA-256 PIN:
> > > > PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
> > > > ;; DEBUG: TLS, skipping certificate PIN check
> > > > ;; DEBUG: TLS, The certificate is trusted. 
> > > > ;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-
> > > > SHA256)-
> > > > (AES-256-GCM)
> > > > ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 53912
> > > > ;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0;
> > > > ADDITIONAL:
> > > > 1
> > > > 
> > > > 
> > > > 
> > > > ;; DEBUG: Querying for owner(google.com.), class(1), type(1),
> > > > server(9.9.9.9), port(853), protocol(TCP)
> > > > ;; DEBUG: TLS, imported 128 certificates from
> > > > '/etc/ssl/certs/ca-
> > > > bundle.crt'
> > > > ;; DEBUG: TLS, received certificate hierarchy:
> > > > ;; DEBUG:  #1,
> > > > C=US,ST=California,L=Berkeley,O=Quad9,CN=*.quad9.net
> > > > ;; DEBUG:      SHA-256 PIN:
> > > > /SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg=
> > > > ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure
> > > > Server CA
> > > > ;; DEBUG:      SHA-256 PIN:
> > > > PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
> > > > ;; DEBUG: TLS, skipping certificate PIN check
> > > > ;; DEBUG: TLS, The certificate is trusted. 
> > > > ;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-
> > > > SHA256)-
> > > > (AES-256-GCM)
> > > > ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 7085
> > > > ;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0;
> > > > ADDITIONAL: 
> > > > 
> > > > 
> > > > 
> > > > ;; DEBUG: Querying for owner(google.com.), class(1), type(1),
> > > > server(81.3.27.54), port(853), protocol(TCP)
> > > > ;; DEBUG: TLS, imported 128 certificates from
> > > > '/etc/ssl/certs/ca-
> > > > bundle.crt'
> > > > ;; DEBUG: TLS, received certificate hierarchy:
> > > > ;; DEBUG:  #1, CN=rec1.dns.lightningwirelabs.com
> > > > ;; DEBUG:      SHA-256 PIN:
> > > > V3z1Ap2nDKAr7Htam2jLeVejkva3BA+vFJBEJpEemrc=
> > > > ;; DEBUG:  #2, C=US,O=Let's Encrypt,CN=Let's Encrypt Authority
> > > > X3
> > > > ;; DEBUG:      SHA-256 PIN:
> > > > YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
> > > > ;; DEBUG: TLS, skipping certificate PIN check
> > > > ;; DEBUG: TLS, The certificate is trusted. 
> > > > ;; TLS session (TLS1.2)-(ECDHE-X25519)-(ECDSA-SHA512)-
> > > > (CHACHA20-
> > > > POLY1305)
> > > > ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 33376
> > > > ;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0;
> > > > ADDITIONAL:
> > > > 1
> > > > 
> > > > 
> > > > 
> > > > ===============================================================
> > > > ====
> > > > ===
> > > > 
> > > > Tests with the new machine (new OpenSSL patch):
> > > > 
> > > > ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1),
> > > > server(1.1.1.1), port(853), protocol(TCP)
> > > > ;; DEBUG: TLS, imported 135 certificates from
> > > > '/etc/ssl/certs/ca-
> > > > bundle.crt'
> > > > ;; DEBUG: TLS, received certificate hierarchy:
> > > > ;; DEBUG:  #1, C=US,ST=California,L=San
> > > > Francisco,O=Cloudflare\,
> > > > Inc.,CN=cloudflare-dns.com
> > > > ;; DEBUG:      SHA-256 PIN:
> > > > V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
> > > > ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure
> > > > Server CA
> > > > ;; DEBUG:      SHA-256 PIN:
> > > > PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
> > > > ;; DEBUG: TLS, skipping certificate PIN check
> > > > ;; DEBUG: TLS, The certificate is trusted. 
> > > > ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
> > > > ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 11817
> > > > ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0;
> > > > ADDITIONAL: 1
> > > > 
> > > > 
> > > > ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1),
> > > > server(9.9.9.9), port(853), protocol(TCP)
> > > > ;; DEBUG: TLS, imported 135 certificates from
> > > > '/etc/ssl/certs/ca-
> > > > bundle.crt'
> > > > ;; DEBUG: TLS, received certificate hierarchy:
> > > > ;; DEBUG:  #1,
> > > > C=US,ST=California,L=Berkeley,O=Quad9,CN=*.quad9.net
> > > > ;; DEBUG:      SHA-256 PIN:
> > > > /SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg=
> > > > ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure
> > > > Server CA
> > > > ;; DEBUG:      SHA-256 PIN:
> > > > PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
> > > > ;; DEBUG: TLS, skipping certificate PIN check
> > > > ;; DEBUG: TLS, The certificate is trusted. 
> > > > ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(CHACHA20-
> > > > POLY1305)
> > > > ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 4679
> > > > ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0;
> > > > ADDITIONAL: 1
> > > > 
> > > > 
> > > > ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1),
> > > > server(81.3.27.54), port(853), protocol(TCP)
> > > > ;; DEBUG: TLS, imported 135 certificates from
> > > > '/etc/ssl/certs/ca-
> > > > bundle.crt'
> > > > ;; DEBUG: TLS, received certificate hierarchy:
> > > > ;; DEBUG:  #1, CN=rec1.dns.lightningwirelabs.com
> > > > ;; DEBUG:      SHA-256 PIN:
> > > > V3z1Ap2nDKAr7Htam2jLeVejkva3BA+vFJBEJpEemrc=
> > > > ;; DEBUG:  #2, C=US,O=Let's Encrypt,CN=Let's Encrypt Authority
> > > > X3
> > > > ;; DEBUG:      SHA-256 PIN:
> > > > YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
> > > > ;; DEBUG: TLS, skipping certificate PIN check
> > > > ;; DEBUG: TLS, The certificate is trusted. 
> > > > ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(CHACHA20-
> > > > POLY1305)
> > > > ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 5685
> > > > ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0;
> > > > ADDITIONAL: 1
> > > > 
> > > > 
> > > > 
> > > > Lightningwirelabs uses on the old machine also ECDHE-X25519 ,
> > > > the
> > > > new
> > > > one only ECDHE-ECDSA-SECP256R1 .
> > > > 
> > > > 
> > > > What it makes even more worse is that i´d compiled origin/next
> > > > a
> > > > couple
> > > > of days ago with the old OpenSSL patch to see if the problem
> > > > comes
> > > > from
> > > > there but with the same results (no TLSv1.3).
> > > > 
> > > > May the providers did disabled TLSv1.3 for a couple of days
> > > > since
> > > > at
> > > > that time my old machine have had the same TLSv1.2 results ???
> > > > 
> > > > Am currently not sure what happens here.
> > > > 
> > > > 
> > > > Best,
> > > > 
> > > > Erik
> > > > 
> > > > 
> > > > 
> > > > > 
> > > > > -Michael
> > > > > 
> > > > > > On 10 Feb 2019, at 14:15, ummeegge <ummeegge(a)ipfire.org>
> > > > > > wrote:
> > > > > > 
> > > > > > Hi all,
> > > > > > did an fresh install from origin/next of Core 128 with the
> > > > > > new
> > > > > > OpenSSL-
> > > > > > 1.1.1a . Have checked also DNS-over-TLS which works well
> > > > > > but
> > > > > > kdig
> > > > > > points out that the TLS sessions operates only with TLSv1.2
> > > > > > instaed
> > > > > > of
> > > > > > the new delivered TLSv1.3 .
> > > > > > 
> > > > > > A test with Cloudflair (which uses TLSv1.3) looks like this
> > > > > > -->
> > > > > > 
> > > > > > kdig Test:
> > > > > > 
> > > > > > 
> > > > > > ;; DEBUG: Querying for owner(www.isoc.org.), class(1),
> > > > > > type(1),
> > > > > > server(1.1.1.1), port(853), protocol(TCP)
> > > > > > ;; DEBUG: TLS, imported 135 certificates from
> > > > > > '/etc/ssl/certs/ca-
> > > > > > bundle.crt'
> > > > > > ;; DEBUG: TLS, received certificate hierarchy:
> > > > > > ;; DEBUG:  #1, C=US,ST=California,L=San
> > > > > > Francisco,O=Cloudflare\,
> > > > > > Inc.,CN=cloudflare-dns.com
> > > > > > ;; DEBUG:      SHA-256 PIN:
> > > > > > V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
> > > > > > ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure
> > > > > > Server CA
> > > > > > ;; DEBUG:      SHA-256 PIN:
> > > > > > PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
> > > > > > ;; DEBUG: TLS, skipping certificate PIN check
> > > > > > ;; DEBUG: TLS, The certificate is trusted. 
> > > > > > ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-
> > > > > > GCM)
> > > > > > ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 51175
> > > > > > ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0;
> > > > > > ADDITIONAL: 1
> > > > > > 
> > > > > > ;; EDNS PSEUDOSECTION:
> > > > > > ;; Version: 0; flags: do; UDP size: 1452 B; ext-rcode:
> > > > > > NOERROR
> > > > > > ;; PADDING: 239 B
> > > > > > 
> > > > > > ;; QUESTION SECTION:
> > > > > > ;; www.isoc.org.       		IN	A
> > > > > > 
> > > > > > ;; ANSWER SECTION:
> > > > > > www.isoc.org.       	300	IN	A	46.43.36.22
> > > > > > 2
> > > > > > www.isoc.org.       	300	IN	RRSIG	A 7 3 300
> > > > > > 20190224085001 20190210085001 45830 isoc.org.
> > > > > > g64C7zJUL1zqUBbcZVDcEKO05EHz19ZHwxr4i8kTieW8XgX63lLZwhJTL1U
> > > > > > K0Nx
> > > > > > OGCP
> > > > > > OZSVthWBp9HF9WnFjPsxsfkrxkOoz/Hcl1ZuTpWUTBLfBKqnpPJm2NJ2yoR
> > > > > > 7hPe
> > > > > > rUvt
> > > > > > l0sHJnIOczrHnAlCwZBo8OOw9tlW0va+706ZQ=
> > > > > > 
> > > > > > ;; Received 468 B
> > > > > > ;; Time 2019-02-10 12:40:19 CET
> > > > > > ;; From 1.1.1.1(a)853(TCP) in 18.0 ms
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > > And a test with s_client:
> > > > > > 
> > > > > > [root(a)ipfire tmp]# openssl s_client -connect 1.1.1.1:853
> > > > > > CONNECTED(00000003)
> > > > > > depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN
> > > > > > =
> > > > > > DigiCert Global Root CA
> > > > > > verify return:1
> > > > > > depth=1 C = US, O = DigiCert Inc, CN = DigiCert ECC Secure
> > > > > > Server
> > > > > > CA
> > > > > > verify return:1
> > > > > > depth=0 C = US, ST = California, L = San Francisco, O =
> > > > > > "Cloudflare, Inc.", CN = cloudflare-dns.com
> > > > > > verify return:1
> > > > > > ---
> > > > > > Certificate chain
> > > > > > 0 s:C = US, ST = California, L = San Francisco, O =
> > > > > > "Cloudflare,
> > > > > > Inc.", CN = cloudflare-dns.com
> > > > > > i:C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server
> > > > > > CA
> > > > > > 1 s:C = US, O = DigiCert Inc, CN = DigiCert ECC Secure
> > > > > > Server
> > > > > > CA
> > > > > > i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN =
> > > > > > DigiCert
> > > > > > Global Root CA
> > > > > > ---
> > > > > > Server certificate
> > > > > > -----BEGIN CERTIFICATE-----
> > > > > > MIIFxjCCBUygAwIBAgIQAczjGN6fVn+rKySQH62nHTAKBggqhkjOPQQDAjB
> > > > > > MMQs
> > > > > > w
> > > > > > CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSYwJAYDVQQDEx1
> > > > > > EaWd
> > > > > > p
> > > > > > Q2VydCBFQ0MgU2VjdXJlIFNlcnZlciBDQTAeFw0xOTAxMjgwMDAwMDBaFw0
> > > > > > yMTA
> > > > > > y
> > > > > > MDExMjAwMDBaMHIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybml
> > > > > > hMRY
> > > > > > w
> > > > > > FAYDVQQHEw1TYW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZGZsYXJlLCB
> > > > > > JbmM
> > > > > > u
> > > > > > MRswGQYDVQQDExJjbG91ZGZsYXJlLWRucy5jb20wWTATBgcqhkjOPQIBBgg
> > > > > > qhkj
> > > > > > O
> > > > > > PQMBBwNCAATFIHCMIEJQKB59REF8MHkpHGNeHUSbxfdxOive0qKksWw9ash
> > > > > > 3uMu
> > > > > > P
> > > > > > LlBT/fQYJn9hN+3/wr7pC125fuHfHOJ0o4ID6DCCA+QwHwYDVR0jBBgwFoA
> > > > > > Uo53
> > > > > > m
> > > > > > H/naOU/AbuiRy5Wl2jHiCp8wHQYDVR0OBBYEFHCV3FyjjmYH28uBEMar58O
> > > > > > oRX+
> > > > > > g
> > > > > > MIGsBgNVHREEgaQwgaGCEmNsb3VkZmxhcmUtZG5zLmNvbYIUKi5jbG91ZGZ
> > > > > > sYXJ
> > > > > > l
> > > > > > LWRucy5jb22CD29uZS5vbmUub25lLm9uZYcEAQEBAYcEAQAAAYcEop+ENYc
> > > > > > QJgZ
> > > > > > H
> > > > > > AEcAAAAAAAAAAAAREYcQJgZHAEcAAAAAAAAAAAAQAYcQJgZHAEcAAAAAAAA
> > > > > > AAAA
> > > > > > A
> > > > > > ZIcQJgZHAEcAAAAAAAAAAABkAIcEop8kAYcEop8uATAOBgNVHQ8BAf8EBAM
> > > > > > CB4A
> > > > > > w
> > > > > > HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGkGA1UdHwRiMGAwLqA
> > > > > > soCq
> > > > > > G
> > > > > > KGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9zc2NhLWVjYy1nMS5jcmwwLqA
> > > > > > soCq
> > > > > > G
> > > > > > KGh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zc2NhLWVjYy1nMS5jcmwwTAY
> > > > > > DVR0
> > > > > > g
> > > > > > BEUwQzA3BglghkgBhv1sAQEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3c
> > > > > > uZGl
> > > > > > n
> > > > > > aWNlcnQuY29tL0NQUzAIBgZngQwBAgIwewYIKwYBBQUHAQEEbzBtMCQGCCs
> > > > > > GAQU
> > > > > > F
> > > > > > BzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRQYIKwYBBQUHMAKGOWh
> > > > > > 0dHA
> > > > > > 6
> > > > > > Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEVDQ1NlY3VyZVNlcnZ
> > > > > > lckN
> > > > > > B
> > > > > > LmNydDAMBgNVHRMBAf8EAjAAMIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWg
> > > > > > AdgC
> > > > > > k
> > > > > > uQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3cEAAAAWiVHhSLAAAEAwB
> > > > > > HMEU
> > > > > > C
> > > > > > IQDlnoPeMXtFkRsy3Vs0eovk3ILKt01x6bgUdMlmQTFIvAIgcAn0lFSjiGz
> > > > > > Hm2e
> > > > > > O
> > > > > > jDZJzMiP5Uaj0Jwub9GO8RkxkkoAdQCHdb/nWXz4jEOZX73zbv9WjUdWNv9
> > > > > > KtWD
> > > > > > B
> > > > > > tOr/XqCDDwAAAWiVHhVsAAAEAwBGMEQCIFC0n0JModeol8b/Qicxd5Blf/o
> > > > > > 7xOs
> > > > > > /
> > > > > > Bk0j9hdc5N7jAiAQocYnHL9iMqTtFkh0vmSsII5NbiakM/2yDEXnwkPRvAB
> > > > > > 3ALv
> > > > > > Z
> > > > > > 37wfinG1k5Qjl6qSe0c4V5UKq1LoGpCWZDaOHtGFAAABaJUeFJEAAAQDAEg
> > > > > > wRgI
> > > > > > h
> > > > > > AL3OPTBzOZpS5rS/uLzqMOiACCFQyY+mTJ+L0I9TcB3RAiEA4+SiPz0/5kF
> > > > > > xvrk
> > > > > > 7
> > > > > > AKYKdvelgV1hiiPbM2YHY+/0BIkwCgYIKoZIzj0EAwIDaAAwZQIwez76hX2
> > > > > > HTMu
> > > > > > r
> > > > > > /I3XRuwfdmVoa8J6ZVEVq+AZsE7DyQh7AV4WNLU+092BrPbnyVUFAjEAzUf
> > > > > > 5jdz
> > > > > > 1
> > > > > > pyc74lgOunC7LBE6cPtWbzfGpJiYyT/T+c5eIAwRYziKT0DKbaql7tiZ
> > > > > > -----END CERTIFICATE-----
> > > > > > subject=C = US, ST = California, L = San Francisco, O =
> > > > > > "Cloudflare, Inc.", CN = cloudflare-dns.com
> > > > > > 
> > > > > > issuer=C = US, O = DigiCert Inc, CN = DigiCert ECC Secure
> > > > > > Server CA
> > > > > > 
> > > > > > ---
> > > > > > No client certificate CA names sent
> > > > > > Peer signing digest: SHA256
> > > > > > Peer signature type: ECDSA
> > > > > > Server Temp Key: X25519, 253 bits
> > > > > > ---
> > > > > > SSL handshake has read 2787 bytes and written 421 bytes
> > > > > > Verification: OK
> > > > > > ---
> > > > > > New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256
> > > > > > Server public key is 256 bit
> > > > > > Secure Renegotiation IS NOT supported
> > > > > > Compression: NONE
> > > > > > Expansion: NONE
> > > > > > No ALPN negotiated
> > > > > > Early data was not sent
> > > > > > Verify return code: 0 (ok)
> > > > > > ---
> > > > > > ---
> > > > > > Post-Handshake New Session Ticket arrived:
> > > > > > SSL-Session:
> > > > > >  Protocol  : TLSv1.3
> > > > > >  Cipher    : TLS_CHACHA20_POLY1305_SHA256
> > > > > >  Session-ID:
> > > > > > FAA394DF4959235034E350399A968F5C945D413F68CC5D29191B2099007
> > > > > > 35C0
> > > > > > 1
> > > > > >  Session-ID-ctx: 
> > > > > >  Resumption PSK:
> > > > > > 414F9C16B3D4845BC0592B35CC2D28DBD9B807BCBCB95125870379E1AAA
> > > > > > 480C
> > > > > > 7
> > > > > >  PSK identity: None
> > > > > >  PSK identity hint: None
> > > > > >  TLS session ticket lifetime hint: 21600 (seconds)
> > > > > >  TLS session ticket:
> > > > > >  0000 - 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00
> > > > > > 00   ................
> > > > > >  0010 - 8f 9b bb d1 0a 9e a6 0d-df d3 9d 7d 8f c1 f1
> > > > > > 6b   ...........}...k
> > > > > >  0020 - 00 80 31 55 77 a3 b3 5c-fe 90 11 fb 8c ef b1
> > > > > > 23   ..1Uw..\.......#
> > > > > >  0030 - 9c 88 83 b0 33 5d 84 d6-1a 75 db 68 67 fb 57
> > > > > > 3d   ....3]...u.hg.W=
> > > > > >  0040 - ef 71 6b 7f 22 ae fa bf-d7 0d 12 37 62 69 01
> > > > > > ff   .qk."......7bi..
> > > > > >  0050 - 5a 78 29 97 8e ab a4 8e-e0 83 ab 0f 63 fa b4
> > > > > > d9   Zx).........c...
> > > > > >  0060 - 3b 08 70 38 56 db 6a 43-8c d3 e4 de 5d 1e 7e
> > > > > > cb   ;.p8V.jC....].~.
> > > > > >  0070 - 82 63 08 cd 31 71 61 17-44 a1 98 87 8a a5 43
> > > > > > 06   .c..1qa.D.....C.
> > > > > >  0080 - d1 f8 aa a7 ba 3e 99 32-a9 f8 a6 14 46 bd a2
> > > > > > 0e   .....>.2....F...
> > > > > >  0090 - 74 79 fa 24 c5 5c a2 12-81 cb 2c 85 4b 91 c1
> > > > > > 1b   ty.$.\....,.K...
> > > > > >  00a0 - 7d c3 3d c9 6a 58 12 4e-41 b7 eb 29 9e b6 90
> > > > > > 07   }.=.jX.NA..)....
> > > > > >  00b0 - e1 92 dd 8d 44
> > > > > > 69                                 ....Di
> > > > > > 
> > > > > >  Start Time: 1549799117
> > > > > >  Timeout   : 7200 (sec)
> > > > > >  Verify return code: 0 (ok)
> > > > > >  Extended master secret: no
> > > > > >  Max Early Data: 0
> > > > > > ---
> > > > > > read R BLOCK
> > > > > > closed
> > > > > > 
> > > > > > 
> > > > > > Which seems strange to me since Cloudflair offers TLSv1.3
> > > > > > but
> > > > > > unbound initializes only TLSv1.2 .
> > > > > > 
> > > > > > Have check all working DoT servers from here --> 
> > > > > > 
https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers
> > > > > > too,
> > > > > > but no TLSv1.3 at all...
> > > > > > 
> > > > > > 
> > > > > > Did someone have similar behaviors ?
> > > > > > 
> > > > > > Best,
> > > > > > 
> > > > > > Erik
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > 
> > > > > 
> > > 
> > > 
> 
> 

Re: OpenSSL-1.1.1a - No TLSv1.3 with unbound

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 20238 bytes --]

Hi,

Actually I tried this from an IPFire 3 system which has a quite old version of OpenSSL.

So maybe Ed25519 could not have been used because the client doesn’t support it.

-Michael

> On 14 Feb 2019, at 14:18, ummeegge <ummeegge(a)ipfire.org> wrote:
> 
> Hi Michael,
> 
> 
> On Do, 2019-02-14 at 11:31 +0000, Michael Tremer wrote:
>> Hey,
>> 
>> I am getting this when I am connecting:
>> 
>> New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
>> Server public key is 384 bit
>> Secure Renegotiation IS supported
>> Compression: NONE
>> Expansion: NONE
>> No ALPN negotiated
>> SSL-Session:
>>    Protocol  : TLSv1.2
>>    Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384
>> 
>> I did not configure anything else than the defaults.
> OK, this is a little strange too since one machine uses the 25519 curve
> :-) .
> Also i have had this conversation --> 
> https://lists.ipfire.org/pipermail/development/2018-December/005059.html
> in mind so i was searching for this.
> 
> But this is also a beneath one, the TLSv1.3 is in my main focus, will
> need a little until the build is finished. It might neverthless help
> very much if someone else can also went in some testings !
> 
> Best,
> 
> Erik
> 
> 
>> 
>> -Michael
>> 
>>> On 14 Feb 2019, at 11:28, ummeegge <ummeegge(a)ipfire.org> wrote:
>>> 
>>> Hi Michael,
>>> 
>>> On Do, 2019-02-14 at 11:08 +0000, Michael Tremer wrote:
>>>> Hi,
>>>> 
>>>> Just for the protocol. The Lightning Wire Labs resolver currently
>>>> only supports TLS 1.2.
>>> 
>>> yes i know but the strange thing is -->
>>> 
>>>> 
>>>> Just in case you were expecting TLS 1.3 from it.
>>> 
>>> No not TLS 1.3 but 'ECDHE-X25519' . Strangely on the origin/next
>>> machine where no TLSv1.3 is used it offers also only 'ECDHE-ECDSA-
>>> SECP256R1' have wrote you that already in the 'Kicking of DoT'
>>> topic.
>>> It seems somehow related to another. The other machine (old patch
>>> <--
>>> not sure if it has something to do with this) have no problems with
>>> TLSv1.3 but uses also TLSv1.2 with 'ECDHE-X25519' for
>>> Lightningwirelabs.
>>> 
>>> Smells a little fishy and am not sure if it is a fate of an
>>> individual.
>>> 
>>> Best,
>>> 
>>> Erik
>>> 
>>>> 
>>>> Best,
>>>> -Michael
>>>> 
>>>>> On 14 Feb 2019, at 06:57, ummeegge <ummeegge(a)ipfire.org> wrote:
>>>>> 
>>>>> Hi Michael,
>>>>> 
>>>>> On Mi, 2019-02-13 at 18:05 +0000, Michael Tremer wrote:
>>>>>> Hi,
>>>>>> 
>>>>>> This is a bit weird.
>>>>> 
>>>>> Indeed.
>>>>> 
>>>>>> 
>>>>>> Does the version of unbound support TLS 1.3? We had to update
>>>>>> Apache
>>>>>> to support TLS 1.3 and we had to just rebuild haproxy to
>>>>>> support
>>>>>> it,
>>>>>> too. Since you are running a build of unbound that was built
>>>>>> against
>>>>>> OpenSSL 1.1.1 I would say the latter isn’t likely.
>>>>> 
>>>>> Yes unbound is linked agains OpenSSL-1.1.1a
>>>>> 
>>>>> Version 1.8.3
>>>>> linked libs: libevent 2.1.8-stable (it uses epoll), OpenSSL
>>>>> 1.1.1a  20 Nov 2018
>>>>> linked modules: dns64 respip validator iterator
>>>>> 
>>>>> Have two machines here running which already includes the new
>>>>> OpenSSL.
>>>>> One machine uses the OpenSSL-1.1.1a from the first testing days
>>>>> with
>>>>> the old OpenSSL cipher patch and the other machine is on
>>>>> current
>>>>> origin/next state with the OpenSSL patch from Peter.
>>>>> 
>>>>> Have tried it today again and the old testing environment (old
>>>>> patch)
>>>>> seems to work now with TLSv1.3 even the last days it does
>>>>> not...
>>>>> 
>>>>> Output from (let´s call it) the old machine (with the old
>>>>> OpenSSL
>>>>> patch) with testing results from Quad9 Cloudflare and
>>>>> Lightningwirelabs:
>>>>> 
>>>>> ;; DEBUG: Querying for owner(google.com.), class(1), type(1),
>>>>> server(1.1.1.1), port(853), protocol(TCP)
>>>>> ;; DEBUG: TLS, imported 128 certificates from
>>>>> '/etc/ssl/certs/ca-
>>>>> bundle.crt'
>>>>> ;; DEBUG: TLS, received certificate hierarchy:
>>>>> ;; DEBUG:  #1, C=US,ST=California,L=San
>>>>> Francisco,O=Cloudflare\,
>>>>> Inc.,CN=cloudflare-dns.com
>>>>> ;; DEBUG:      SHA-256 PIN:
>>>>> V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
>>>>> ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure
>>>>> Server CA
>>>>> ;; DEBUG:      SHA-256 PIN:
>>>>> PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
>>>>> ;; DEBUG: TLS, skipping certificate PIN check
>>>>> ;; DEBUG: TLS, The certificate is trusted. 
>>>>> ;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-
>>>>> SHA256)-
>>>>> (AES-256-GCM)
>>>>> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 53912
>>>>> ;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0;
>>>>> ADDITIONAL:
>>>>> 1
>>>>> 
>>>>> 
>>>>> 
>>>>> ;; DEBUG: Querying for owner(google.com.), class(1), type(1),
>>>>> server(9.9.9.9), port(853), protocol(TCP)
>>>>> ;; DEBUG: TLS, imported 128 certificates from
>>>>> '/etc/ssl/certs/ca-
>>>>> bundle.crt'
>>>>> ;; DEBUG: TLS, received certificate hierarchy:
>>>>> ;; DEBUG:  #1,
>>>>> C=US,ST=California,L=Berkeley,O=Quad9,CN=*.quad9.net
>>>>> ;; DEBUG:      SHA-256 PIN:
>>>>> /SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg=
>>>>> ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure
>>>>> Server CA
>>>>> ;; DEBUG:      SHA-256 PIN:
>>>>> PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
>>>>> ;; DEBUG: TLS, skipping certificate PIN check
>>>>> ;; DEBUG: TLS, The certificate is trusted. 
>>>>> ;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-
>>>>> SHA256)-
>>>>> (AES-256-GCM)
>>>>> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 7085
>>>>> ;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0;
>>>>> ADDITIONAL: 
>>>>> 
>>>>> 
>>>>> 
>>>>> ;; DEBUG: Querying for owner(google.com.), class(1), type(1),
>>>>> server(81.3.27.54), port(853), protocol(TCP)
>>>>> ;; DEBUG: TLS, imported 128 certificates from
>>>>> '/etc/ssl/certs/ca-
>>>>> bundle.crt'
>>>>> ;; DEBUG: TLS, received certificate hierarchy:
>>>>> ;; DEBUG:  #1, CN=rec1.dns.lightningwirelabs.com
>>>>> ;; DEBUG:      SHA-256 PIN:
>>>>> V3z1Ap2nDKAr7Htam2jLeVejkva3BA+vFJBEJpEemrc=
>>>>> ;; DEBUG:  #2, C=US,O=Let's Encrypt,CN=Let's Encrypt Authority
>>>>> X3
>>>>> ;; DEBUG:      SHA-256 PIN:
>>>>> YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
>>>>> ;; DEBUG: TLS, skipping certificate PIN check
>>>>> ;; DEBUG: TLS, The certificate is trusted. 
>>>>> ;; TLS session (TLS1.2)-(ECDHE-X25519)-(ECDSA-SHA512)-
>>>>> (CHACHA20-
>>>>> POLY1305)
>>>>> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 33376
>>>>> ;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0;
>>>>> ADDITIONAL:
>>>>> 1
>>>>> 
>>>>> 
>>>>> 
>>>>> ===============================================================
>>>>> ====
>>>>> ===
>>>>> 
>>>>> Tests with the new machine (new OpenSSL patch):
>>>>> 
>>>>> ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1),
>>>>> server(1.1.1.1), port(853), protocol(TCP)
>>>>> ;; DEBUG: TLS, imported 135 certificates from
>>>>> '/etc/ssl/certs/ca-
>>>>> bundle.crt'
>>>>> ;; DEBUG: TLS, received certificate hierarchy:
>>>>> ;; DEBUG:  #1, C=US,ST=California,L=San
>>>>> Francisco,O=Cloudflare\,
>>>>> Inc.,CN=cloudflare-dns.com
>>>>> ;; DEBUG:      SHA-256 PIN:
>>>>> V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
>>>>> ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure
>>>>> Server CA
>>>>> ;; DEBUG:      SHA-256 PIN:
>>>>> PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
>>>>> ;; DEBUG: TLS, skipping certificate PIN check
>>>>> ;; DEBUG: TLS, The certificate is trusted. 
>>>>> ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
>>>>> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 11817
>>>>> ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0;
>>>>> ADDITIONAL: 1
>>>>> 
>>>>> 
>>>>> ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1),
>>>>> server(9.9.9.9), port(853), protocol(TCP)
>>>>> ;; DEBUG: TLS, imported 135 certificates from
>>>>> '/etc/ssl/certs/ca-
>>>>> bundle.crt'
>>>>> ;; DEBUG: TLS, received certificate hierarchy:
>>>>> ;; DEBUG:  #1,
>>>>> C=US,ST=California,L=Berkeley,O=Quad9,CN=*.quad9.net
>>>>> ;; DEBUG:      SHA-256 PIN:
>>>>> /SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg=
>>>>> ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure
>>>>> Server CA
>>>>> ;; DEBUG:      SHA-256 PIN:
>>>>> PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
>>>>> ;; DEBUG: TLS, skipping certificate PIN check
>>>>> ;; DEBUG: TLS, The certificate is trusted. 
>>>>> ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(CHACHA20-
>>>>> POLY1305)
>>>>> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 4679
>>>>> ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0;
>>>>> ADDITIONAL: 1
>>>>> 
>>>>> 
>>>>> ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1),
>>>>> server(81.3.27.54), port(853), protocol(TCP)
>>>>> ;; DEBUG: TLS, imported 135 certificates from
>>>>> '/etc/ssl/certs/ca-
>>>>> bundle.crt'
>>>>> ;; DEBUG: TLS, received certificate hierarchy:
>>>>> ;; DEBUG:  #1, CN=rec1.dns.lightningwirelabs.com
>>>>> ;; DEBUG:      SHA-256 PIN:
>>>>> V3z1Ap2nDKAr7Htam2jLeVejkva3BA+vFJBEJpEemrc=
>>>>> ;; DEBUG:  #2, C=US,O=Let's Encrypt,CN=Let's Encrypt Authority
>>>>> X3
>>>>> ;; DEBUG:      SHA-256 PIN:
>>>>> YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
>>>>> ;; DEBUG: TLS, skipping certificate PIN check
>>>>> ;; DEBUG: TLS, The certificate is trusted. 
>>>>> ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(CHACHA20-
>>>>> POLY1305)
>>>>> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 5685
>>>>> ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0;
>>>>> ADDITIONAL: 1
>>>>> 
>>>>> 
>>>>> 
>>>>> Lightningwirelabs uses on the old machine also ECDHE-X25519 ,
>>>>> the
>>>>> new
>>>>> one only ECDHE-ECDSA-SECP256R1 .
>>>>> 
>>>>> 
>>>>> What it makes even more worse is that i´d compiled origin/next
>>>>> a
>>>>> couple
>>>>> of days ago with the old OpenSSL patch to see if the problem
>>>>> comes
>>>>> from
>>>>> there but with the same results (no TLSv1.3).
>>>>> 
>>>>> May the providers did disabled TLSv1.3 for a couple of days
>>>>> since
>>>>> at
>>>>> that time my old machine have had the same TLSv1.2 results ???
>>>>> 
>>>>> Am currently not sure what happens here.
>>>>> 
>>>>> 
>>>>> Best,
>>>>> 
>>>>> Erik
>>>>> 
>>>>> 
>>>>> 
>>>>>> 
>>>>>> -Michael
>>>>>> 
>>>>>>> On 10 Feb 2019, at 14:15, ummeegge <ummeegge(a)ipfire.org>
>>>>>>> wrote:
>>>>>>> 
>>>>>>> Hi all,
>>>>>>> did an fresh install from origin/next of Core 128 with the
>>>>>>> new
>>>>>>> OpenSSL-
>>>>>>> 1.1.1a . Have checked also DNS-over-TLS which works well
>>>>>>> but
>>>>>>> kdig
>>>>>>> points out that the TLS sessions operates only with TLSv1.2
>>>>>>> instaed
>>>>>>> of
>>>>>>> the new delivered TLSv1.3 .
>>>>>>> 
>>>>>>> A test with Cloudflair (which uses TLSv1.3) looks like this
>>>>>>> -->
>>>>>>> 
>>>>>>> kdig Test:
>>>>>>> 
>>>>>>> 
>>>>>>> ;; DEBUG: Querying for owner(www.isoc.org.), class(1),
>>>>>>> type(1),
>>>>>>> server(1.1.1.1), port(853), protocol(TCP)
>>>>>>> ;; DEBUG: TLS, imported 135 certificates from
>>>>>>> '/etc/ssl/certs/ca-
>>>>>>> bundle.crt'
>>>>>>> ;; DEBUG: TLS, received certificate hierarchy:
>>>>>>> ;; DEBUG:  #1, C=US,ST=California,L=San
>>>>>>> Francisco,O=Cloudflare\,
>>>>>>> Inc.,CN=cloudflare-dns.com
>>>>>>> ;; DEBUG:      SHA-256 PIN:
>>>>>>> V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
>>>>>>> ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure
>>>>>>> Server CA
>>>>>>> ;; DEBUG:      SHA-256 PIN:
>>>>>>> PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
>>>>>>> ;; DEBUG: TLS, skipping certificate PIN check
>>>>>>> ;; DEBUG: TLS, The certificate is trusted. 
>>>>>>> ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-
>>>>>>> GCM)
>>>>>>> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 51175
>>>>>>> ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0;
>>>>>>> ADDITIONAL: 1
>>>>>>> 
>>>>>>> ;; EDNS PSEUDOSECTION:
>>>>>>> ;; Version: 0; flags: do; UDP size: 1452 B; ext-rcode:
>>>>>>> NOERROR
>>>>>>> ;; PADDING: 239 B
>>>>>>> 
>>>>>>> ;; QUESTION SECTION:
>>>>>>> ;; www.isoc.org.       		IN	A
>>>>>>> 
>>>>>>> ;; ANSWER SECTION:
>>>>>>> www.isoc.org.       	300	IN	A	46.43.36.22
>>>>>>> 2
>>>>>>> www.isoc.org.       	300	IN	RRSIG	A 7 3 300
>>>>>>> 20190224085001 20190210085001 45830 isoc.org.
>>>>>>> g64C7zJUL1zqUBbcZVDcEKO05EHz19ZHwxr4i8kTieW8XgX63lLZwhJTL1U
>>>>>>> K0Nx
>>>>>>> OGCP
>>>>>>> OZSVthWBp9HF9WnFjPsxsfkrxkOoz/Hcl1ZuTpWUTBLfBKqnpPJm2NJ2yoR
>>>>>>> 7hPe
>>>>>>> rUvt
>>>>>>> l0sHJnIOczrHnAlCwZBo8OOw9tlW0va+706ZQ=
>>>>>>> 
>>>>>>> ;; Received 468 B
>>>>>>> ;; Time 2019-02-10 12:40:19 CET
>>>>>>> ;; From 1.1.1.1(a)853(TCP) in 18.0 ms
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> And a test with s_client:
>>>>>>> 
>>>>>>> [root(a)ipfire tmp]# openssl s_client -connect 1.1.1.1:853
>>>>>>> CONNECTED(00000003)
>>>>>>> depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN
>>>>>>> =
>>>>>>> DigiCert Global Root CA
>>>>>>> verify return:1
>>>>>>> depth=1 C = US, O = DigiCert Inc, CN = DigiCert ECC Secure
>>>>>>> Server
>>>>>>> CA
>>>>>>> verify return:1
>>>>>>> depth=0 C = US, ST = California, L = San Francisco, O =
>>>>>>> "Cloudflare, Inc.", CN = cloudflare-dns.com
>>>>>>> verify return:1
>>>>>>> ---
>>>>>>> Certificate chain
>>>>>>> 0 s:C = US, ST = California, L = San Francisco, O =
>>>>>>> "Cloudflare,
>>>>>>> Inc.", CN = cloudflare-dns.com
>>>>>>> i:C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server
>>>>>>> CA
>>>>>>> 1 s:C = US, O = DigiCert Inc, CN = DigiCert ECC Secure
>>>>>>> Server
>>>>>>> CA
>>>>>>> i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN =
>>>>>>> DigiCert
>>>>>>> Global Root CA
>>>>>>> ---
>>>>>>> Server certificate
>>>>>>> -----BEGIN CERTIFICATE-----
>>>>>>> MIIFxjCCBUygAwIBAgIQAczjGN6fVn+rKySQH62nHTAKBggqhkjOPQQDAjB
>>>>>>> MMQs
>>>>>>> w
>>>>>>> CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSYwJAYDVQQDEx1
>>>>>>> EaWd
>>>>>>> p
>>>>>>> Q2VydCBFQ0MgU2VjdXJlIFNlcnZlciBDQTAeFw0xOTAxMjgwMDAwMDBaFw0
>>>>>>> yMTA
>>>>>>> y
>>>>>>> MDExMjAwMDBaMHIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybml
>>>>>>> hMRY
>>>>>>> w
>>>>>>> FAYDVQQHEw1TYW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZGZsYXJlLCB
>>>>>>> JbmM
>>>>>>> u
>>>>>>> MRswGQYDVQQDExJjbG91ZGZsYXJlLWRucy5jb20wWTATBgcqhkjOPQIBBgg
>>>>>>> qhkj
>>>>>>> O
>>>>>>> PQMBBwNCAATFIHCMIEJQKB59REF8MHkpHGNeHUSbxfdxOive0qKksWw9ash
>>>>>>> 3uMu
>>>>>>> P
>>>>>>> LlBT/fQYJn9hN+3/wr7pC125fuHfHOJ0o4ID6DCCA+QwHwYDVR0jBBgwFoA
>>>>>>> Uo53
>>>>>>> m
>>>>>>> H/naOU/AbuiRy5Wl2jHiCp8wHQYDVR0OBBYEFHCV3FyjjmYH28uBEMar58O
>>>>>>> oRX+
>>>>>>> g
>>>>>>> MIGsBgNVHREEgaQwgaGCEmNsb3VkZmxhcmUtZG5zLmNvbYIUKi5jbG91ZGZ
>>>>>>> sYXJ
>>>>>>> l
>>>>>>> LWRucy5jb22CD29uZS5vbmUub25lLm9uZYcEAQEBAYcEAQAAAYcEop+ENYc
>>>>>>> QJgZ
>>>>>>> H
>>>>>>> AEcAAAAAAAAAAAAREYcQJgZHAEcAAAAAAAAAAAAQAYcQJgZHAEcAAAAAAAA
>>>>>>> AAAA
>>>>>>> A
>>>>>>> ZIcQJgZHAEcAAAAAAAAAAABkAIcEop8kAYcEop8uATAOBgNVHQ8BAf8EBAM
>>>>>>> CB4A
>>>>>>> w
>>>>>>> HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGkGA1UdHwRiMGAwLqA
>>>>>>> soCq
>>>>>>> G
>>>>>>> KGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9zc2NhLWVjYy1nMS5jcmwwLqA
>>>>>>> soCq
>>>>>>> G
>>>>>>> KGh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zc2NhLWVjYy1nMS5jcmwwTAY
>>>>>>> DVR0
>>>>>>> g
>>>>>>> BEUwQzA3BglghkgBhv1sAQEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3c
>>>>>>> uZGl
>>>>>>> n
>>>>>>> aWNlcnQuY29tL0NQUzAIBgZngQwBAgIwewYIKwYBBQUHAQEEbzBtMCQGCCs
>>>>>>> GAQU
>>>>>>> F
>>>>>>> BzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRQYIKwYBBQUHMAKGOWh
>>>>>>> 0dHA
>>>>>>> 6
>>>>>>> Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEVDQ1NlY3VyZVNlcnZ
>>>>>>> lckN
>>>>>>> B
>>>>>>> LmNydDAMBgNVHRMBAf8EAjAAMIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWg
>>>>>>> AdgC
>>>>>>> k
>>>>>>> uQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3cEAAAAWiVHhSLAAAEAwB
>>>>>>> HMEU
>>>>>>> C
>>>>>>> IQDlnoPeMXtFkRsy3Vs0eovk3ILKt01x6bgUdMlmQTFIvAIgcAn0lFSjiGz
>>>>>>> Hm2e
>>>>>>> O
>>>>>>> jDZJzMiP5Uaj0Jwub9GO8RkxkkoAdQCHdb/nWXz4jEOZX73zbv9WjUdWNv9
>>>>>>> KtWD
>>>>>>> B
>>>>>>> tOr/XqCDDwAAAWiVHhVsAAAEAwBGMEQCIFC0n0JModeol8b/Qicxd5Blf/o
>>>>>>> 7xOs
>>>>>>> /
>>>>>>> Bk0j9hdc5N7jAiAQocYnHL9iMqTtFkh0vmSsII5NbiakM/2yDEXnwkPRvAB
>>>>>>> 3ALv
>>>>>>> Z
>>>>>>> 37wfinG1k5Qjl6qSe0c4V5UKq1LoGpCWZDaOHtGFAAABaJUeFJEAAAQDAEg
>>>>>>> wRgI
>>>>>>> h
>>>>>>> AL3OPTBzOZpS5rS/uLzqMOiACCFQyY+mTJ+L0I9TcB3RAiEA4+SiPz0/5kF
>>>>>>> xvrk
>>>>>>> 7
>>>>>>> AKYKdvelgV1hiiPbM2YHY+/0BIkwCgYIKoZIzj0EAwIDaAAwZQIwez76hX2
>>>>>>> HTMu
>>>>>>> r
>>>>>>> /I3XRuwfdmVoa8J6ZVEVq+AZsE7DyQh7AV4WNLU+092BrPbnyVUFAjEAzUf
>>>>>>> 5jdz
>>>>>>> 1
>>>>>>> pyc74lgOunC7LBE6cPtWbzfGpJiYyT/T+c5eIAwRYziKT0DKbaql7tiZ
>>>>>>> -----END CERTIFICATE-----
>>>>>>> subject=C = US, ST = California, L = San Francisco, O =
>>>>>>> "Cloudflare, Inc.", CN = cloudflare-dns.com
>>>>>>> 
>>>>>>> issuer=C = US, O = DigiCert Inc, CN = DigiCert ECC Secure
>>>>>>> Server CA
>>>>>>> 
>>>>>>> ---
>>>>>>> No client certificate CA names sent
>>>>>>> Peer signing digest: SHA256
>>>>>>> Peer signature type: ECDSA
>>>>>>> Server Temp Key: X25519, 253 bits
>>>>>>> ---
>>>>>>> SSL handshake has read 2787 bytes and written 421 bytes
>>>>>>> Verification: OK
>>>>>>> ---
>>>>>>> New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256
>>>>>>> Server public key is 256 bit
>>>>>>> Secure Renegotiation IS NOT supported
>>>>>>> Compression: NONE
>>>>>>> Expansion: NONE
>>>>>>> No ALPN negotiated
>>>>>>> Early data was not sent
>>>>>>> Verify return code: 0 (ok)
>>>>>>> ---
>>>>>>> ---
>>>>>>> Post-Handshake New Session Ticket arrived:
>>>>>>> SSL-Session:
>>>>>>> Protocol  : TLSv1.3
>>>>>>> Cipher    : TLS_CHACHA20_POLY1305_SHA256
>>>>>>> Session-ID:
>>>>>>> FAA394DF4959235034E350399A968F5C945D413F68CC5D29191B2099007
>>>>>>> 35C0
>>>>>>> 1
>>>>>>> Session-ID-ctx: 
>>>>>>> Resumption PSK:
>>>>>>> 414F9C16B3D4845BC0592B35CC2D28DBD9B807BCBCB95125870379E1AAA
>>>>>>> 480C
>>>>>>> 7
>>>>>>> PSK identity: None
>>>>>>> PSK identity hint: None
>>>>>>> TLS session ticket lifetime hint: 21600 (seconds)
>>>>>>> TLS session ticket:
>>>>>>> 0000 - 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00
>>>>>>> 00   ................
>>>>>>> 0010 - 8f 9b bb d1 0a 9e a6 0d-df d3 9d 7d 8f c1 f1
>>>>>>> 6b   ...........}...k
>>>>>>> 0020 - 00 80 31 55 77 a3 b3 5c-fe 90 11 fb 8c ef b1
>>>>>>> 23   ..1Uw..\.......#
>>>>>>> 0030 - 9c 88 83 b0 33 5d 84 d6-1a 75 db 68 67 fb 57
>>>>>>> 3d   ....3]...u.hg.W=
>>>>>>> 0040 - ef 71 6b 7f 22 ae fa bf-d7 0d 12 37 62 69 01
>>>>>>> ff   .qk."......7bi..
>>>>>>> 0050 - 5a 78 29 97 8e ab a4 8e-e0 83 ab 0f 63 fa b4
>>>>>>> d9   Zx).........c...
>>>>>>> 0060 - 3b 08 70 38 56 db 6a 43-8c d3 e4 de 5d 1e 7e
>>>>>>> cb   ;.p8V.jC....].~.
>>>>>>> 0070 - 82 63 08 cd 31 71 61 17-44 a1 98 87 8a a5 43
>>>>>>> 06   .c..1qa.D.....C.
>>>>>>> 0080 - d1 f8 aa a7 ba 3e 99 32-a9 f8 a6 14 46 bd a2
>>>>>>> 0e   .....>.2....F...
>>>>>>> 0090 - 74 79 fa 24 c5 5c a2 12-81 cb 2c 85 4b 91 c1
>>>>>>> 1b   ty.$.\....,.K...
>>>>>>> 00a0 - 7d c3 3d c9 6a 58 12 4e-41 b7 eb 29 9e b6 90
>>>>>>> 07   }.=.jX.NA..)....
>>>>>>> 00b0 - e1 92 dd 8d 44
>>>>>>> 69                                 ....Di
>>>>>>> 
>>>>>>> Start Time: 1549799117
>>>>>>> Timeout   : 7200 (sec)
>>>>>>> Verify return code: 0 (ok)
>>>>>>> Extended master secret: no
>>>>>>> Max Early Data: 0
>>>>>>> ---
>>>>>>> read R BLOCK
>>>>>>> closed
>>>>>>> 
>>>>>>> 
>>>>>>> Which seems strange to me since Cloudflair offers TLSv1.3
>>>>>>> but
>>>>>>> unbound initializes only TLSv1.2 .
>>>>>>> 
>>>>>>> Have check all working DoT servers from here --> 
>>>>>>> 
> https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers
>>>>>>> too,
>>>>>>> but no TLSv1.3 at all...
>>>>>>> 
>>>>>>> 
>>>>>>> Did someone have similar behaviors ?
>>>>>>> 
>>>>>>> Best,
>>>>>>> 
>>>>>>> Erik
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>> 
>>>>>> 
>>>> 
>>>> 
>> 
>> 
> 

Re: OpenSSL-1.1.1a - No TLSv1.3 with unbound

[ummeegge]

[-- Attachment #1: Type: text/plain, Size: 25066 bytes --]

Hi,

On Do, 2019-02-14 at 15:01 +0000, Michael Tremer wrote:
> Hi,
> 
> Actually I tried this from an IPFire 3 system which has a quite old
> version of OpenSSL.
> 
> So maybe Ed25519 could not have been used because the client doesn’t
> support it.
thanks for check this too :-) . Both systems are using the same
OpenSSL-1.1.1a only the cipher patches differs there.

But again thanks for looking over this.

Best,

Erik

> 
> -Michael
> 
> > On 14 Feb 2019, at 14:18, ummeegge <ummeegge(a)ipfire.org> wrote:
> > 
> > Hi Michael,
> > 
> > 
> > On Do, 2019-02-14 at 11:31 +0000, Michael Tremer wrote:
> > > Hey,
> > > 
> > > I am getting this when I am connecting:
> > > 
> > > New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
> > > Server public key is 384 bit
> > > Secure Renegotiation IS supported
> > > Compression: NONE
> > > Expansion: NONE
> > > No ALPN negotiated
> > > SSL-Session:
> > >    Protocol  : TLSv1.2
> > >    Cipher    : ECDHE-ECDSA-AES256-GCM-SHA384
> > > 
> > > I did not configure anything else than the defaults.
> > 
> > OK, this is a little strange too since one machine uses the 25519
> > curve
> > :-) .
> > Also i have had this conversation --> 
> > 
https://lists.ipfire.org/pipermail/development/2018-December/005059.html
> > in mind so i was searching for this.
> > 
> > But this is also a beneath one, the TLSv1.3 is in my main focus,
> > will
> > need a little until the build is finished. It might neverthless
> > help
> > very much if someone else can also went in some testings !
> > 
> > Best,
> > 
> > Erik
> > 
> > 
> > > 
> > > -Michael
> > > 
> > > > On 14 Feb 2019, at 11:28, ummeegge <ummeegge(a)ipfire.org> wrote:
> > > > 
> > > > Hi Michael,
> > > > 
> > > > On Do, 2019-02-14 at 11:08 +0000, Michael Tremer wrote:
> > > > > Hi,
> > > > > 
> > > > > Just for the protocol. The Lightning Wire Labs resolver
> > > > > currently
> > > > > only supports TLS 1.2.
> > > > 
> > > > yes i know but the strange thing is -->
> > > > 
> > > > > 
> > > > > Just in case you were expecting TLS 1.3 from it.
> > > > 
> > > > No not TLS 1.3 but 'ECDHE-X25519' . Strangely on the
> > > > origin/next
> > > > machine where no TLSv1.3 is used it offers also only 'ECDHE-
> > > > ECDSA-
> > > > SECP256R1' have wrote you that already in the 'Kicking of DoT'
> > > > topic.
> > > > It seems somehow related to another. The other machine (old
> > > > patch
> > > > <--
> > > > not sure if it has something to do with this) have no problems
> > > > with
> > > > TLSv1.3 but uses also TLSv1.2 with 'ECDHE-X25519' for
> > > > Lightningwirelabs.
> > > > 
> > > > Smells a little fishy and am not sure if it is a fate of an
> > > > individual.
> > > > 
> > > > Best,
> > > > 
> > > > Erik
> > > > 
> > > > > 
> > > > > Best,
> > > > > -Michael
> > > > > 
> > > > > > On 14 Feb 2019, at 06:57, ummeegge <ummeegge(a)ipfire.org>
> > > > > > wrote:
> > > > > > 
> > > > > > Hi Michael,
> > > > > > 
> > > > > > On Mi, 2019-02-13 at 18:05 +0000, Michael Tremer wrote:
> > > > > > > Hi,
> > > > > > > 
> > > > > > > This is a bit weird.
> > > > > > 
> > > > > > Indeed.
> > > > > > 
> > > > > > > 
> > > > > > > Does the version of unbound support TLS 1.3? We had to
> > > > > > > update
> > > > > > > Apache
> > > > > > > to support TLS 1.3 and we had to just rebuild haproxy to
> > > > > > > support
> > > > > > > it,
> > > > > > > too. Since you are running a build of unbound that was
> > > > > > > built
> > > > > > > against
> > > > > > > OpenSSL 1.1.1 I would say the latter isn’t likely.
> > > > > > 
> > > > > > Yes unbound is linked agains OpenSSL-1.1.1a
> > > > > > 
> > > > > > Version 1.8.3
> > > > > > linked libs: libevent 2.1.8-stable (it uses epoll), OpenSSL
> > > > > > 1.1.1a  20 Nov 2018
> > > > > > linked modules: dns64 respip validator iterator
> > > > > > 
> > > > > > Have two machines here running which already includes the
> > > > > > new
> > > > > > OpenSSL.
> > > > > > One machine uses the OpenSSL-1.1.1a from the first testing
> > > > > > days
> > > > > > with
> > > > > > the old OpenSSL cipher patch and the other machine is on
> > > > > > current
> > > > > > origin/next state with the OpenSSL patch from Peter.
> > > > > > 
> > > > > > Have tried it today again and the old testing environment
> > > > > > (old
> > > > > > patch)
> > > > > > seems to work now with TLSv1.3 even the last days it does
> > > > > > not...
> > > > > > 
> > > > > > Output from (let´s call it) the old machine (with the old
> > > > > > OpenSSL
> > > > > > patch) with testing results from Quad9 Cloudflare and
> > > > > > Lightningwirelabs:
> > > > > > 
> > > > > > ;; DEBUG: Querying for owner(google.com.), class(1),
> > > > > > type(1),
> > > > > > server(1.1.1.1), port(853), protocol(TCP)
> > > > > > ;; DEBUG: TLS, imported 128 certificates from
> > > > > > '/etc/ssl/certs/ca-
> > > > > > bundle.crt'
> > > > > > ;; DEBUG: TLS, received certificate hierarchy:
> > > > > > ;; DEBUG:  #1, C=US,ST=California,L=San
> > > > > > Francisco,O=Cloudflare\,
> > > > > > Inc.,CN=cloudflare-dns.com
> > > > > > ;; DEBUG:      SHA-256 PIN:
> > > > > > V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
> > > > > > ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure
> > > > > > Server CA
> > > > > > ;; DEBUG:      SHA-256 PIN:
> > > > > > PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
> > > > > > ;; DEBUG: TLS, skipping certificate PIN check
> > > > > > ;; DEBUG: TLS, The certificate is trusted. 
> > > > > > ;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-
> > > > > > SHA256)-
> > > > > > (AES-256-GCM)
> > > > > > ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 53912
> > > > > > ;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0;
> > > > > > ADDITIONAL:
> > > > > > 1
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > > ;; DEBUG: Querying for owner(google.com.), class(1),
> > > > > > type(1),
> > > > > > server(9.9.9.9), port(853), protocol(TCP)
> > > > > > ;; DEBUG: TLS, imported 128 certificates from
> > > > > > '/etc/ssl/certs/ca-
> > > > > > bundle.crt'
> > > > > > ;; DEBUG: TLS, received certificate hierarchy:
> > > > > > ;; DEBUG:  #1,
> > > > > > C=US,ST=California,L=Berkeley,O=Quad9,CN=*.quad9.net
> > > > > > ;; DEBUG:      SHA-256 PIN:
> > > > > > /SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg=
> > > > > > ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure
> > > > > > Server CA
> > > > > > ;; DEBUG:      SHA-256 PIN:
> > > > > > PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
> > > > > > ;; DEBUG: TLS, skipping certificate PIN check
> > > > > > ;; DEBUG: TLS, The certificate is trusted. 
> > > > > > ;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-
> > > > > > SHA256)-
> > > > > > (AES-256-GCM)
> > > > > > ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 7085
> > > > > > ;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0;
> > > > > > ADDITIONAL: 
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > > ;; DEBUG: Querying for owner(google.com.), class(1),
> > > > > > type(1),
> > > > > > server(81.3.27.54), port(853), protocol(TCP)
> > > > > > ;; DEBUG: TLS, imported 128 certificates from
> > > > > > '/etc/ssl/certs/ca-
> > > > > > bundle.crt'
> > > > > > ;; DEBUG: TLS, received certificate hierarchy:
> > > > > > ;; DEBUG:  #1, CN=rec1.dns.lightningwirelabs.com
> > > > > > ;; DEBUG:      SHA-256 PIN:
> > > > > > V3z1Ap2nDKAr7Htam2jLeVejkva3BA+vFJBEJpEemrc=
> > > > > > ;; DEBUG:  #2, C=US,O=Let's Encrypt,CN=Let's Encrypt
> > > > > > Authority
> > > > > > X3
> > > > > > ;; DEBUG:      SHA-256 PIN:
> > > > > > YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
> > > > > > ;; DEBUG: TLS, skipping certificate PIN check
> > > > > > ;; DEBUG: TLS, The certificate is trusted. 
> > > > > > ;; TLS session (TLS1.2)-(ECDHE-X25519)-(ECDSA-SHA512)-
> > > > > > (CHACHA20-
> > > > > > POLY1305)
> > > > > > ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 33376
> > > > > > ;; Flags: qr rd ra; QUERY: 1; ANSWER: 1; AUTHORITY: 0;
> > > > > > ADDITIONAL:
> > > > > > 1
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > > ===========================================================
> > > > > > ====
> > > > > > ====
> > > > > > ===
> > > > > > 
> > > > > > Tests with the new machine (new OpenSSL patch):
> > > > > > 
> > > > > > ;; DEBUG: Querying for owner(www.isoc.org.), class(1),
> > > > > > type(1),
> > > > > > server(1.1.1.1), port(853), protocol(TCP)
> > > > > > ;; DEBUG: TLS, imported 135 certificates from
> > > > > > '/etc/ssl/certs/ca-
> > > > > > bundle.crt'
> > > > > > ;; DEBUG: TLS, received certificate hierarchy:
> > > > > > ;; DEBUG:  #1, C=US,ST=California,L=San
> > > > > > Francisco,O=Cloudflare\,
> > > > > > Inc.,CN=cloudflare-dns.com
> > > > > > ;; DEBUG:      SHA-256 PIN:
> > > > > > V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
> > > > > > ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure
> > > > > > Server CA
> > > > > > ;; DEBUG:      SHA-256 PIN:
> > > > > > PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
> > > > > > ;; DEBUG: TLS, skipping certificate PIN check
> > > > > > ;; DEBUG: TLS, The certificate is trusted. 
> > > > > > ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-
> > > > > > GCM)
> > > > > > ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 11817
> > > > > > ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0;
> > > > > > ADDITIONAL: 1
> > > > > > 
> > > > > > 
> > > > > > ;; DEBUG: Querying for owner(www.isoc.org.), class(1),
> > > > > > type(1),
> > > > > > server(9.9.9.9), port(853), protocol(TCP)
> > > > > > ;; DEBUG: TLS, imported 135 certificates from
> > > > > > '/etc/ssl/certs/ca-
> > > > > > bundle.crt'
> > > > > > ;; DEBUG: TLS, received certificate hierarchy:
> > > > > > ;; DEBUG:  #1,
> > > > > > C=US,ST=California,L=Berkeley,O=Quad9,CN=*.quad9.net
> > > > > > ;; DEBUG:      SHA-256 PIN:
> > > > > > /SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg=
> > > > > > ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure
> > > > > > Server CA
> > > > > > ;; DEBUG:      SHA-256 PIN:
> > > > > > PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
> > > > > > ;; DEBUG: TLS, skipping certificate PIN check
> > > > > > ;; DEBUG: TLS, The certificate is trusted. 
> > > > > > ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(CHACHA20-
> > > > > > POLY1305)
> > > > > > ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 4679
> > > > > > ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0;
> > > > > > ADDITIONAL: 1
> > > > > > 
> > > > > > 
> > > > > > ;; DEBUG: Querying for owner(www.isoc.org.), class(1),
> > > > > > type(1),
> > > > > > server(81.3.27.54), port(853), protocol(TCP)
> > > > > > ;; DEBUG: TLS, imported 135 certificates from
> > > > > > '/etc/ssl/certs/ca-
> > > > > > bundle.crt'
> > > > > > ;; DEBUG: TLS, received certificate hierarchy:
> > > > > > ;; DEBUG:  #1, CN=rec1.dns.lightningwirelabs.com
> > > > > > ;; DEBUG:      SHA-256 PIN:
> > > > > > V3z1Ap2nDKAr7Htam2jLeVejkva3BA+vFJBEJpEemrc=
> > > > > > ;; DEBUG:  #2, C=US,O=Let's Encrypt,CN=Let's Encrypt
> > > > > > Authority
> > > > > > X3
> > > > > > ;; DEBUG:      SHA-256 PIN:
> > > > > > YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
> > > > > > ;; DEBUG: TLS, skipping certificate PIN check
> > > > > > ;; DEBUG: TLS, The certificate is trusted. 
> > > > > > ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(CHACHA20-
> > > > > > POLY1305)
> > > > > > ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 5685
> > > > > > ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0;
> > > > > > ADDITIONAL: 1
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > > Lightningwirelabs uses on the old machine also ECDHE-X25519 
> > > > > > ,
> > > > > > the
> > > > > > new
> > > > > > one only ECDHE-ECDSA-SECP256R1 .
> > > > > > 
> > > > > > 
> > > > > > What it makes even more worse is that i´d compiled
> > > > > > origin/next
> > > > > > a
> > > > > > couple
> > > > > > of days ago with the old OpenSSL patch to see if the
> > > > > > problem
> > > > > > comes
> > > > > > from
> > > > > > there but with the same results (no TLSv1.3).
> > > > > > 
> > > > > > May the providers did disabled TLSv1.3 for a couple of days
> > > > > > since
> > > > > > at
> > > > > > that time my old machine have had the same TLSv1.2 results
> > > > > > ???
> > > > > > 
> > > > > > Am currently not sure what happens here.
> > > > > > 
> > > > > > 
> > > > > > Best,
> > > > > > 
> > > > > > Erik
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > > > 
> > > > > > > -Michael
> > > > > > > 
> > > > > > > > On 10 Feb 2019, at 14:15, ummeegge <ummeegge(a)ipfire.org
> > > > > > > > >
> > > > > > > > wrote:
> > > > > > > > 
> > > > > > > > Hi all,
> > > > > > > > did an fresh install from origin/next of Core 128 with
> > > > > > > > the
> > > > > > > > new
> > > > > > > > OpenSSL-
> > > > > > > > 1.1.1a . Have checked also DNS-over-TLS which works
> > > > > > > > well
> > > > > > > > but
> > > > > > > > kdig
> > > > > > > > points out that the TLS sessions operates only with
> > > > > > > > TLSv1.2
> > > > > > > > instaed
> > > > > > > > of
> > > > > > > > the new delivered TLSv1.3 .
> > > > > > > > 
> > > > > > > > A test with Cloudflair (which uses TLSv1.3) looks like
> > > > > > > > this
> > > > > > > > -->
> > > > > > > > 
> > > > > > > > kdig Test:
> > > > > > > > 
> > > > > > > > 
> > > > > > > > ;; DEBUG: Querying for owner(www.isoc.org.), class(1),
> > > > > > > > type(1),
> > > > > > > > server(1.1.1.1), port(853), protocol(TCP)
> > > > > > > > ;; DEBUG: TLS, imported 135 certificates from
> > > > > > > > '/etc/ssl/certs/ca-
> > > > > > > > bundle.crt'
> > > > > > > > ;; DEBUG: TLS, received certificate hierarchy:
> > > > > > > > ;; DEBUG:  #1, C=US,ST=California,L=San
> > > > > > > > Francisco,O=Cloudflare\,
> > > > > > > > Inc.,CN=cloudflare-dns.com
> > > > > > > > ;; DEBUG:      SHA-256 PIN:
> > > > > > > > V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
> > > > > > > > ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC
> > > > > > > > Secure
> > > > > > > > Server CA
> > > > > > > > ;; DEBUG:      SHA-256 PIN:
> > > > > > > > PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
> > > > > > > > ;; DEBUG: TLS, skipping certificate PIN check
> > > > > > > > ;; DEBUG: TLS, The certificate is trusted. 
> > > > > > > > ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-
> > > > > > > > 256-
> > > > > > > > GCM)
> > > > > > > > ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id:
> > > > > > > > 51175
> > > > > > > > ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY:
> > > > > > > > 0;
> > > > > > > > ADDITIONAL: 1
> > > > > > > > 
> > > > > > > > ;; EDNS PSEUDOSECTION:
> > > > > > > > ;; Version: 0; flags: do; UDP size: 1452 B; ext-rcode:
> > > > > > > > NOERROR
> > > > > > > > ;; PADDING: 239 B
> > > > > > > > 
> > > > > > > > ;; QUESTION SECTION:
> > > > > > > > ;; www.isoc.org.       		IN	A
> > > > > > > > 
> > > > > > > > ;; ANSWER SECTION:
> > > > > > > > www.isoc.org.       	300	IN	A	46.43.3
> > > > > > > > 6.22
> > > > > > > > 2
> > > > > > > > www.isoc.org.       	300	IN	RRSIG	A 7 3
> > > > > > > > 300
> > > > > > > > 20190224085001 20190210085001 45830 isoc.org.
> > > > > > > > g64C7zJUL1zqUBbcZVDcEKO05EHz19ZHwxr4i8kTieW8XgX63lLZwhJ
> > > > > > > > TL1U
> > > > > > > > K0Nx
> > > > > > > > OGCP
> > > > > > > > OZSVthWBp9HF9WnFjPsxsfkrxkOoz/Hcl1ZuTpWUTBLfBKqnpPJm2NJ
> > > > > > > > 2yoR
> > > > > > > > 7hPe
> > > > > > > > rUvt
> > > > > > > > l0sHJnIOczrHnAlCwZBo8OOw9tlW0va+706ZQ=
> > > > > > > > 
> > > > > > > > ;; Received 468 B
> > > > > > > > ;; Time 2019-02-10 12:40:19 CET
> > > > > > > > ;; From 1.1.1.1(a)853(TCP) in 18.0 ms
> > > > > > > > 
> > > > > > > > 
> > > > > > > > 
> > > > > > > > And a test with s_client:
> > > > > > > > 
> > > > > > > > [root(a)ipfire tmp]# openssl s_client -connect
> > > > > > > > 1.1.1.1:853
> > > > > > > > CONNECTED(00000003)
> > > > > > > > depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com
> > > > > > > > , CN
> > > > > > > > =
> > > > > > > > DigiCert Global Root CA
> > > > > > > > verify return:1
> > > > > > > > depth=1 C = US, O = DigiCert Inc, CN = DigiCert ECC
> > > > > > > > Secure
> > > > > > > > Server
> > > > > > > > CA
> > > > > > > > verify return:1
> > > > > > > > depth=0 C = US, ST = California, L = San Francisco, O =
> > > > > > > > "Cloudflare, Inc.", CN = cloudflare-dns.com
> > > > > > > > verify return:1
> > > > > > > > ---
> > > > > > > > Certificate chain
> > > > > > > > 0 s:C = US, ST = California, L = San Francisco, O =
> > > > > > > > "Cloudflare,
> > > > > > > > Inc.", CN = cloudflare-dns.com
> > > > > > > > i:C = US, O = DigiCert Inc, CN = DigiCert ECC Secure
> > > > > > > > Server
> > > > > > > > CA
> > > > > > > > 1 s:C = US, O = DigiCert Inc, CN = DigiCert ECC Secure
> > > > > > > > Server
> > > > > > > > CA
> > > > > > > > i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN =
> > > > > > > > DigiCert
> > > > > > > > Global Root CA
> > > > > > > > ---
> > > > > > > > Server certificate
> > > > > > > > -----BEGIN CERTIFICATE-----
> > > > > > > > MIIFxjCCBUygAwIBAgIQAczjGN6fVn+rKySQH62nHTAKBggqhkjOPQQ
> > > > > > > > DAjB
> > > > > > > > MMQs
> > > > > > > > w
> > > > > > > > CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSYwJAYDVQQ
> > > > > > > > DEx1
> > > > > > > > EaWd
> > > > > > > > p
> > > > > > > > Q2VydCBFQ0MgU2VjdXJlIFNlcnZlciBDQTAeFw0xOTAxMjgwMDAwMDB
> > > > > > > > aFw0
> > > > > > > > yMTA
> > > > > > > > y
> > > > > > > > MDExMjAwMDBaMHIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9
> > > > > > > > ybml
> > > > > > > > hMRY
> > > > > > > > w
> > > > > > > > FAYDVQQHEw1TYW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZGZsYXJ
> > > > > > > > lLCB
> > > > > > > > JbmM
> > > > > > > > u
> > > > > > > > MRswGQYDVQQDExJjbG91ZGZsYXJlLWRucy5jb20wWTATBgcqhkjOPQI
> > > > > > > > BBgg
> > > > > > > > qhkj
> > > > > > > > O
> > > > > > > > PQMBBwNCAATFIHCMIEJQKB59REF8MHkpHGNeHUSbxfdxOive0qKksWw
> > > > > > > > 9ash
> > > > > > > > 3uMu
> > > > > > > > P
> > > > > > > > LlBT/fQYJn9hN+3/wr7pC125fuHfHOJ0o4ID6DCCA+QwHwYDVR0jBBg
> > > > > > > > wFoA
> > > > > > > > Uo53
> > > > > > > > m
> > > > > > > > H/naOU/AbuiRy5Wl2jHiCp8wHQYDVR0OBBYEFHCV3FyjjmYH28uBEMa
> > > > > > > > r58O
> > > > > > > > oRX+
> > > > > > > > g
> > > > > > > > MIGsBgNVHREEgaQwgaGCEmNsb3VkZmxhcmUtZG5zLmNvbYIUKi5jbG9
> > > > > > > > 1ZGZ
> > > > > > > > sYXJ
> > > > > > > > l
> > > > > > > > LWRucy5jb22CD29uZS5vbmUub25lLm9uZYcEAQEBAYcEAQAAAYcEop+
> > > > > > > > ENYc
> > > > > > > > QJgZ
> > > > > > > > H
> > > > > > > > AEcAAAAAAAAAAAAREYcQJgZHAEcAAAAAAAAAAAAQAYcQJgZHAEcAAAA
> > > > > > > > AAAA
> > > > > > > > AAAA
> > > > > > > > A
> > > > > > > > ZIcQJgZHAEcAAAAAAAAAAABkAIcEop8kAYcEop8uATAOBgNVHQ8BAf8
> > > > > > > > EBAM
> > > > > > > > CB4A
> > > > > > > > w
> > > > > > > > HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGkGA1UdHwRiMGA
> > > > > > > > wLqA
> > > > > > > > soCq
> > > > > > > > G
> > > > > > > > KGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9zc2NhLWVjYy1nMS5jcmw
> > > > > > > > wLqA
> > > > > > > > soCq
> > > > > > > > G
> > > > > > > > KGh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zc2NhLWVjYy1nMS5jcmw
> > > > > > > > wTAY
> > > > > > > > DVR0
> > > > > > > > g
> > > > > > > > BEUwQzA3BglghkgBhv1sAQEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly9
> > > > > > > > 3d3c
> > > > > > > > uZGl
> > > > > > > > n
> > > > > > > > aWNlcnQuY29tL0NQUzAIBgZngQwBAgIwewYIKwYBBQUHAQEEbzBtMCQ
> > > > > > > > GCCs
> > > > > > > > GAQU
> > > > > > > > F
> > > > > > > > BzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRQYIKwYBBQUHMAK
> > > > > > > > GOWh
> > > > > > > > 0dHA
> > > > > > > > 6
> > > > > > > > Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEVDQ1NlY3VyZVN
> > > > > > > > lcnZ
> > > > > > > > lckN
> > > > > > > > B
> > > > > > > > LmNydDAMBgNVHRMBAf8EAjAAMIIBfgYKKwYBBAHWeQIEAgSCAW4EggF
> > > > > > > > qAWg
> > > > > > > > AdgC
> > > > > > > > k
> > > > > > > > uQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3cEAAAAWiVHhSLAAA
> > > > > > > > EAwB
> > > > > > > > HMEU
> > > > > > > > C
> > > > > > > > IQDlnoPeMXtFkRsy3Vs0eovk3ILKt01x6bgUdMlmQTFIvAIgcAn0lFS
> > > > > > > > jiGz
> > > > > > > > Hm2e
> > > > > > > > O
> > > > > > > > jDZJzMiP5Uaj0Jwub9GO8RkxkkoAdQCHdb/nWXz4jEOZX73zbv9WjUd
> > > > > > > > WNv9
> > > > > > > > KtWD
> > > > > > > > B
> > > > > > > > tOr/XqCDDwAAAWiVHhVsAAAEAwBGMEQCIFC0n0JModeol8b/Qicxd5B
> > > > > > > > lf/o
> > > > > > > > 7xOs
> > > > > > > > /
> > > > > > > > Bk0j9hdc5N7jAiAQocYnHL9iMqTtFkh0vmSsII5NbiakM/2yDEXnwkP
> > > > > > > > RvAB
> > > > > > > > 3ALv
> > > > > > > > Z
> > > > > > > > 37wfinG1k5Qjl6qSe0c4V5UKq1LoGpCWZDaOHtGFAAABaJUeFJEAAAQ
> > > > > > > > DAEg
> > > > > > > > wRgI
> > > > > > > > h
> > > > > > > > AL3OPTBzOZpS5rS/uLzqMOiACCFQyY+mTJ+L0I9TcB3RAiEA4+SiPz0
> > > > > > > > /5kF
> > > > > > > > xvrk
> > > > > > > > 7
> > > > > > > > AKYKdvelgV1hiiPbM2YHY+/0BIkwCgYIKoZIzj0EAwIDaAAwZQIwez7
> > > > > > > > 6hX2
> > > > > > > > HTMu
> > > > > > > > r
> > > > > > > > /I3XRuwfdmVoa8J6ZVEVq+AZsE7DyQh7AV4WNLU+092BrPbnyVUFAjE
> > > > > > > > AzUf
> > > > > > > > 5jdz
> > > > > > > > 1
> > > > > > > > pyc74lgOunC7LBE6cPtWbzfGpJiYyT/T+c5eIAwRYziKT0DKbaql7ti
> > > > > > > > Z
> > > > > > > > -----END CERTIFICATE-----
> > > > > > > > subject=C = US, ST = California, L = San Francisco, O =
> > > > > > > > "Cloudflare, Inc.", CN = cloudflare-dns.com
> > > > > > > > 
> > > > > > > > issuer=C = US, O = DigiCert Inc, CN = DigiCert ECC
> > > > > > > > Secure
> > > > > > > > Server CA
> > > > > > > > 
> > > > > > > > ---
> > > > > > > > No client certificate CA names sent
> > > > > > > > Peer signing digest: SHA256
> > > > > > > > Peer signature type: ECDSA
> > > > > > > > Server Temp Key: X25519, 253 bits
> > > > > > > > ---
> > > > > > > > SSL handshake has read 2787 bytes and written 421 bytes
> > > > > > > > Verification: OK
> > > > > > > > ---
> > > > > > > > New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256
> > > > > > > > Server public key is 256 bit
> > > > > > > > Secure Renegotiation IS NOT supported
> > > > > > > > Compression: NONE
> > > > > > > > Expansion: NONE
> > > > > > > > No ALPN negotiated
> > > > > > > > Early data was not sent
> > > > > > > > Verify return code: 0 (ok)
> > > > > > > > ---
> > > > > > > > ---
> > > > > > > > Post-Handshake New Session Ticket arrived:
> > > > > > > > SSL-Session:
> > > > > > > > Protocol  : TLSv1.3
> > > > > > > > Cipher    : TLS_CHACHA20_POLY1305_SHA256
> > > > > > > > Session-ID:
> > > > > > > > FAA394DF4959235034E350399A968F5C945D413F68CC5D29191B209
> > > > > > > > 9007
> > > > > > > > 35C0
> > > > > > > > 1
> > > > > > > > Session-ID-ctx: 
> > > > > > > > Resumption PSK:
> > > > > > > > 414F9C16B3D4845BC0592B35CC2D28DBD9B807BCBCB95125870379E
> > > > > > > > 1AAA
> > > > > > > > 480C
> > > > > > > > 7
> > > > > > > > PSK identity: None
> > > > > > > > PSK identity hint: None
> > > > > > > > TLS session ticket lifetime hint: 21600 (seconds)
> > > > > > > > TLS session ticket:
> > > > > > > > 0000 - 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00
> > > > > > > > 00   ................
> > > > > > > > 0010 - 8f 9b bb d1 0a 9e a6 0d-df d3 9d 7d 8f c1 f1
> > > > > > > > 6b   ...........}...k
> > > > > > > > 0020 - 00 80 31 55 77 a3 b3 5c-fe 90 11 fb 8c ef b1
> > > > > > > > 23   ..1Uw..\.......#
> > > > > > > > 0030 - 9c 88 83 b0 33 5d 84 d6-1a 75 db 68 67 fb 57
> > > > > > > > 3d   ....3]...u.hg.W=
> > > > > > > > 0040 - ef 71 6b 7f 22 ae fa bf-d7 0d 12 37 62 69 01
> > > > > > > > ff   .qk."......7bi..
> > > > > > > > 0050 - 5a 78 29 97 8e ab a4 8e-e0 83 ab 0f 63 fa b4
> > > > > > > > d9   Zx).........c...
> > > > > > > > 0060 - 3b 08 70 38 56 db 6a 43-8c d3 e4 de 5d 1e 7e
> > > > > > > > cb   ;.p8V.jC....].~.
> > > > > > > > 0070 - 82 63 08 cd 31 71 61 17-44 a1 98 87 8a a5 43
> > > > > > > > 06   .c..1qa.D.....C.
> > > > > > > > 0080 - d1 f8 aa a7 ba 3e 99 32-a9 f8 a6 14 46 bd a2
> > > > > > > > 0e   .....>.2....F...
> > > > > > > > 0090 - 74 79 fa 24 c5 5c a2 12-81 cb 2c 85 4b 91 c1
> > > > > > > > 1b   ty.$.\....,.K...
> > > > > > > > 00a0 - 7d c3 3d c9 6a 58 12 4e-41 b7 eb 29 9e b6 90
> > > > > > > > 07   }.=.jX.NA..)....
> > > > > > > > 00b0 - e1 92 dd 8d 44
> > > > > > > > 69                                 ....Di
> > > > > > > > 
> > > > > > > > Start Time: 1549799117
> > > > > > > > Timeout   : 7200 (sec)
> > > > > > > > Verify return code: 0 (ok)
> > > > > > > > Extended master secret: no
> > > > > > > > Max Early Data: 0
> > > > > > > > ---
> > > > > > > > read R BLOCK
> > > > > > > > closed
> > > > > > > > 
> > > > > > > > 
> > > > > > > > Which seems strange to me since Cloudflair offers
> > > > > > > > TLSv1.3
> > > > > > > > but
> > > > > > > > unbound initializes only TLSv1.2 .
> > > > > > > > 
> > > > > > > > Have check all working DoT servers from here --> 
> > > > > > > > 
> > 
> > https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers
> > > > > > > > too,
> > > > > > > > but no TLSv1.3 at all...
> > > > > > > > 
> > > > > > > > 
> > > > > > > > Did someone have similar behaviors ?
> > > > > > > > 
> > > > > > > > Best,
> > > > > > > > 
> > > > > > > > Erik
> > > > > > > > 
> > > > > > > > 
> > > > > > > > 
> > > > > > > > 
> > > > > > > 
> > > > > > > 
> > > > > 
> > > > > 
> > > 
> > > 
> 
> 

Re: OpenSSL-1.1.1a - No TLSv1.3 with unbound

[ummeegge]

[-- Attachment #1: Type: text/plain, Size: 7654 bytes --]

Hi all,
did now a fresh install with the old OpenSSL patch. Sadly with the same
results as before TLSv1.3 does not appears with a fresh install from
origin/next.


Currently no plan what´s happened here !

Best,

Erik



On So, 2019-02-10 at 15:15 +0100, ummeegge wrote:
> Hi all,
> did an fresh install from origin/next of Core 128 with the new
> OpenSSL-
> 1.1.1a . Have checked also DNS-over-TLS which works well but kdig
> points out that the TLS sessions operates only with TLSv1.2 instaed
> of
> the new delivered TLSv1.3 .
> 
> A test with Cloudflair (which uses TLSv1.3) looks like this -->
> 
> kdig Test:
> 
> 
> ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1),
> server(1.1.1.1), port(853), protocol(TCP)
> ;; DEBUG: TLS, imported 135 certificates from '/etc/ssl/certs/ca-
> bundle.crt'
> ;; DEBUG: TLS, received certificate hierarchy:
> ;; DEBUG:  #1, C=US,ST=California,L=San Francisco,O=Cloudflare\,
> Inc.,CN=cloudflare-dns.com
> ;; DEBUG:      SHA-256 PIN:
> V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
> ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
> ;; DEBUG:      SHA-256 PIN:
> PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
> ;; DEBUG: TLS, skipping certificate PIN check
> ;; DEBUG: TLS, The certificate is trusted. 
> ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 51175
> ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL:
> 1
> 
> ;; EDNS PSEUDOSECTION:
> ;; Version: 0; flags: do; UDP size: 1452 B; ext-rcode: NOERROR
> ;; PADDING: 239 B
> 
> ;; QUESTION SECTION:
> ;; www.isoc.org.       		IN	A
> 
> ;; ANSWER SECTION:
> www.isoc.org.       	300	IN	A	46.43.36.222
> www.isoc.org.       	300	IN	RRSIG	A 7 3 300
> 20190224085001 20190210085001 45830 isoc.org.
> g64C7zJUL1zqUBbcZVDcEKO05EHz19ZHwxr4i8kTieW8XgX63lLZwhJTL1UK0NxOGCPOZ
> SVthWBp9HF9WnFjPsxsfkrxkOoz/Hcl1ZuTpWUTBLfBKqnpPJm2NJ2yoR7hPerUvtl0sH
> JnIOczrHnAlCwZBo8OOw9tlW0va+706ZQ=
> 
> ;; Received 468 B
> ;; Time 2019-02-10 12:40:19 CET
> ;; From 1.1.1.1(a)853(TCP) in 18.0 ms
> 
> 
> 
> And a test with s_client:
> 
> [root(a)ipfire tmp]# openssl s_client -connect 1.1.1.1:853
> CONNECTED(00000003)
> depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN =
> DigiCert Global Root CA
> verify return:1
> depth=1 C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
> verify return:1
> depth=0 C = US, ST = California, L = San Francisco, O = "Cloudflare,
> Inc.", CN = cloudflare-dns.com
> verify return:1
> ---
> Certificate chain
>  0 s:C = US, ST = California, L = San Francisco, O = "Cloudflare,
> Inc.", CN = cloudflare-dns.com
>    i:C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
>  1 s:C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
>    i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert
> Global Root CA
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIFxjCCBUygAwIBAgIQAczjGN6fVn+rKySQH62nHTAKBggqhkjOPQQDAjBMMQsw
> CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSYwJAYDVQQDEx1EaWdp
> Q2VydCBFQ0MgU2VjdXJlIFNlcnZlciBDQTAeFw0xOTAxMjgwMDAwMDBaFw0yMTAy
> MDExMjAwMDBaMHIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYw
> FAYDVQQHEw1TYW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZGZsYXJlLCBJbmMu
> MRswGQYDVQQDExJjbG91ZGZsYXJlLWRucy5jb20wWTATBgcqhkjOPQIBBggqhkjO
> PQMBBwNCAATFIHCMIEJQKB59REF8MHkpHGNeHUSbxfdxOive0qKksWw9ash3uMuP
> LlBT/fQYJn9hN+3/wr7pC125fuHfHOJ0o4ID6DCCA+QwHwYDVR0jBBgwFoAUo53m
> H/naOU/AbuiRy5Wl2jHiCp8wHQYDVR0OBBYEFHCV3FyjjmYH28uBEMar58OoRX+g
> MIGsBgNVHREEgaQwgaGCEmNsb3VkZmxhcmUtZG5zLmNvbYIUKi5jbG91ZGZsYXJl
> LWRucy5jb22CD29uZS5vbmUub25lLm9uZYcEAQEBAYcEAQAAAYcEop+ENYcQJgZH
> AEcAAAAAAAAAAAAREYcQJgZHAEcAAAAAAAAAAAAQAYcQJgZHAEcAAAAAAAAAAAAA
> ZIcQJgZHAEcAAAAAAAAAAABkAIcEop8kAYcEop8uATAOBgNVHQ8BAf8EBAMCB4Aw
> HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGkGA1UdHwRiMGAwLqAsoCqG
> KGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9zc2NhLWVjYy1nMS5jcmwwLqAsoCqG
> KGh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zc2NhLWVjYy1nMS5jcmwwTAYDVR0g
> BEUwQzA3BglghkgBhv1sAQEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGln
> aWNlcnQuY29tL0NQUzAIBgZngQwBAgIwewYIKwYBBQUHAQEEbzBtMCQGCCsGAQUF
> BzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRQYIKwYBBQUHMAKGOWh0dHA6
> Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEVDQ1NlY3VyZVNlcnZlckNB
> LmNydDAMBgNVHRMBAf8EAjAAMIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWgAdgCk
> uQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3cEAAAAWiVHhSLAAAEAwBHMEUC
> IQDlnoPeMXtFkRsy3Vs0eovk3ILKt01x6bgUdMlmQTFIvAIgcAn0lFSjiGzHm2eO
> jDZJzMiP5Uaj0Jwub9GO8RkxkkoAdQCHdb/nWXz4jEOZX73zbv9WjUdWNv9KtWDB
> tOr/XqCDDwAAAWiVHhVsAAAEAwBGMEQCIFC0n0JModeol8b/Qicxd5Blf/o7xOs/
> Bk0j9hdc5N7jAiAQocYnHL9iMqTtFkh0vmSsII5NbiakM/2yDEXnwkPRvAB3ALvZ
> 37wfinG1k5Qjl6qSe0c4V5UKq1LoGpCWZDaOHtGFAAABaJUeFJEAAAQDAEgwRgIh
> AL3OPTBzOZpS5rS/uLzqMOiACCFQyY+mTJ+L0I9TcB3RAiEA4+SiPz0/5kFxvrk7
> AKYKdvelgV1hiiPbM2YHY+/0BIkwCgYIKoZIzj0EAwIDaAAwZQIwez76hX2HTMur
> /I3XRuwfdmVoa8J6ZVEVq+AZsE7DyQh7AV4WNLU+092BrPbnyVUFAjEAzUf5jdz1
> pyc74lgOunC7LBE6cPtWbzfGpJiYyT/T+c5eIAwRYziKT0DKbaql7tiZ
> -----END CERTIFICATE-----
> subject=C = US, ST = California, L = San Francisco, O = "Cloudflare,
> Inc.", CN = cloudflare-dns.com
> 
> issuer=C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
> 
> ---
> No client certificate CA names sent
> Peer signing digest: SHA256
> Peer signature type: ECDSA
> Server Temp Key: X25519, 253 bits
> ---
> SSL handshake has read 2787 bytes and written 421 bytes
> Verification: OK
> ---
> New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256
> Server public key is 256 bit
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> Early data was not sent
> Verify return code: 0 (ok)
> ---
> ---
> Post-Handshake New Session Ticket arrived:
> SSL-Session:
>     Protocol  : TLSv1.3
>     Cipher    : TLS_CHACHA20_POLY1305_SHA256
>     Session-ID:
> FAA394DF4959235034E350399A968F5C945D413F68CC5D29191B209900735C01
>     Session-ID-ctx: 
>     Resumption PSK:
> 414F9C16B3D4845BC0592B35CC2D28DBD9B807BCBCB95125870379E1AAA480C7
>     PSK identity: None
>     PSK identity hint: None
>     TLS session ticket lifetime hint: 21600 (seconds)
>     TLS session ticket:
>     0000 - 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00
> 00   ................
>     0010 - 8f 9b bb d1 0a 9e a6 0d-df d3 9d 7d 8f c1 f1
> 6b   ...........}...k
>     0020 - 00 80 31 55 77 a3 b3 5c-fe 90 11 fb 8c ef b1
> 23   ..1Uw..\.......#
>     0030 - 9c 88 83 b0 33 5d 84 d6-1a 75 db 68 67 fb 57
> 3d   ....3]...u.hg.W=
>     0040 - ef 71 6b 7f 22 ae fa bf-d7 0d 12 37 62 69 01
> ff   .qk."......7bi..
>     0050 - 5a 78 29 97 8e ab a4 8e-e0 83 ab 0f 63 fa b4
> d9   Zx).........c...
>     0060 - 3b 08 70 38 56 db 6a 43-8c d3 e4 de 5d 1e 7e
> cb   ;.p8V.jC....].~.
>     0070 - 82 63 08 cd 31 71 61 17-44 a1 98 87 8a a5 43
> 06   .c..1qa.D.....C.
>     0080 - d1 f8 aa a7 ba 3e 99 32-a9 f8 a6 14 46 bd a2
> 0e   .....>.2....F...
>     0090 - 74 79 fa 24 c5 5c a2 12-81 cb 2c 85 4b 91 c1
> 1b   ty.$.\....,.K...
>     00a0 - 7d c3 3d c9 6a 58 12 4e-41 b7 eb 29 9e b6 90
> 07   }.=.jX.NA..)....
>     00b0 - e1 92 dd 8d 44 69                                 ....Di
> 
>     Start Time: 1549799117
>     Timeout   : 7200 (sec)
>     Verify return code: 0 (ok)
>     Extended master secret: no
>     Max Early Data: 0
> ---
> read R BLOCK
> closed
> 
> 
> Which seems strange to me since Cloudflair offers TLSv1.3 but unbound
> initializes only TLSv1.2 .
> 
> Have check all working DoT servers from here --> 
> https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers too,
> but no TLSv1.3 at all...
> 
> 
> Did someone have similar behaviors ?
> 
> Best,
> 
> Erik
> 
> 
> 
> 

Re: OpenSSL-1.1.1a - No TLSv1.3 with unbound

[ummeegge]

[-- Attachment #1: Type: text/plain, Size: 14661 bytes --]

Hi all,
really was hoping that things are changing with the testings of Core
128 and was then happy to see that OpenSSL-1.1.1b addresses a potential
problem/solution  --> 
https://www.openssl.org/news/changelog.html#x1
but it doesn´t...
Have currently Core 129 with unbound -1.9.0 and OpenSSL-1.1.1b
installed -->

Version 1.9.0
linked libs: libevent 2.1.8-stable (it uses epoll), OpenSSL 1.1.1b  26 Feb 2019
linked modules: dns64 respip validator iterator
BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs(a)nlnetlabs.nl

but (only?) unbound uses no TLSv1.3 (curl and Apache does), tested with Quad9 and Cloudflare -->


;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1), server(9.9.9.9), port(853), protocol(TCP)
;; DEBUG: TLS, imported 135 certificates from '/etc/ssl/certs/ca-bundle.crt'
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, C=US,ST=California,L=Berkeley,O=Quad9,CN=*.quad9.net
;; DEBUG:      SHA-256 PIN: /SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg=
;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
;; DEBUG:      SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted. 
;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(CHACHA20-POLY1305)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 10011
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: NOERROR

;; QUESTION SECTION:
;; www.isoc.org.       		IN	A

;; ANSWER SECTION:
www.isoc.org.       	300	IN	A	46.43.36.222
www.isoc.org.       	300	IN	RRSIG	A 7 3 300 20190319085001 20190305085001 54512 isoc.org. Mapbxw7G2F4QRTgrFg9P2uA2GYz2YnJIQu58t9MRdQJi4MU2EJeWqCRdUpy0kCHVCxDcDln9u+hnlF271IjZG/fTPGhw0A4bgCtHXXqAr/89b83maNRuYw/DVO4JI20z4+7TYY18yQinutvZUvzobmUebXVPWhNsRPLHbb4tOeI=

;; Received 225 B
;; Time 2019-03-05 18:09:18 CET
;; From 9.9.9.9(a)853(TCP) in 142.4 ms

Exit status: 0

========================================================================================================================

;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 135 certificates from '/etc/ssl/certs/ca-bundle.crt'
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
;; DEBUG:      SHA-256 PIN: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
;; DEBUG:      SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted. 
;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 24241
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1452 B; ext-rcode: NOERROR
;; PADDING: 239 B

;; QUESTION SECTION:
;; www.isoc.org.       		IN	A

;; ANSWER SECTION:
www.isoc.org.       	300	IN	A	46.43.36.222
www.isoc.org.       	300	IN	RRSIG	A 7 3 300 20190319085001 20190305085001 54512 isoc.org. Mapbxw7G2F4QRTgrFg9P2uA2GYz2YnJIQu58t9MRdQJi4MU2EJeWqCRdUpy0kCHVCxDcDln9u+hnlF271IjZG/fTPGhw0A4bgCtHXXqAr/89b83maNRuYw/DVO4JI20z4+7TYY18yQinutvZUvzobmUebXVPWhNsRPLHbb4tOeI=

;; Received 468 B
;; Time 2019-03-05 18:09:24 CET
;; From 1.1.1.1(a)853(TCP) in 19.3 ms

Exit status: 0


whereby my "old" machine with unbound -->
Version 1.8.1
linked libs: libevent 2.1.8-stable (it uses epoll), OpenSSL 1.1.1a  20 Nov 2018
linked modules: dns64 respip validator iterator
BSD licensed, see LICENSE in source package for details.
Report bugs to unbound-bugs(a)nlnetlabs.nl

uses it -->



;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
;; DEBUG: TLS, imported 128 certificates from '/etc/ssl/certs/ca-bundle.crt'
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
;; DEBUG:      SHA-256 PIN: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
;; DEBUG:      SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted. 
;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 5997
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1452 B; ext-rcode: NOERROR
;; PADDING: 239 B

;; QUESTION SECTION:
;; www.isoc.org.       		IN	A

;; ANSWER SECTION:
www.isoc.org.       	158	IN	A	46.43.36.222
www.isoc.org.       	158	IN	RRSIG	A 7 3 300 20190319085001 20190305085001 54512 isoc.org. Mapbxw7G2F4QRTgrFg9P2uA2GYz2YnJIQu58t9MRdQJi4MU2EJeWqCRdUpy0kCHVCxDcDln9u+hnlF271IjZG/fTPGhw0A4bgCtHXXqAr/89b83maNRuYw/DVO4JI20z4+7TYY18yQinutvZUvzobmUebXVPWhNsRPLHbb4tOeI=

;; Received 468 B
;; Time 2019-03-05 18:11:44 CET
;; From 1.1.1.1(a)853(TCP) in 47.5 ms

Exit status: 0

=======================================================================


;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1),
server(9.9.9.9), port(853), protocol(TCP)
;; DEBUG: TLS, imported 128 certificates from '/etc/ssl/certs/ca-
bundle.crt'
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, C=US,ST=California,L=Berkeley,O=Quad9,CN=*.quad9.net
;; DEBUG:      SHA-256 PIN:
/SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg=
;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
;; DEBUG:      SHA-256 PIN:
PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted. 
;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-
(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 13744
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1

;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: NOERROR

;; QUESTION SECTION:
;; www.isoc.org.       		IN	A

;; ANSWER SECTION:
www.isoc.org.       	300	IN	A	46.43.36.222
www.isoc.org.       	300	IN	RRSIG	A 7 3 300
20190319085001 20190305085001 54512 isoc.org.
Mapbxw7G2F4QRTgrFg9P2uA2GYz2YnJIQu58t9MRdQJi4MU2EJeWqCRdUpy0kCHVCxDcDln
9u+hnlF271IjZG/fTPGhw0A4bgCtHXXqAr/89b83maNRuYw/DVO4JI20z4+7TYY18yQinut
vZUvzobmUebXVPWhNsRPLHbb4tOeI=

;; Received 225 B
;; Time 2019-03-05 18:11:44 CET
;; From 9.9.9.9(a)853(TCP) in 286.9 ms

Exit status: 0


Haven´t found until now a reason for this ! May someone else did some
tests/have_an_idea ?


Best,

Erik



On So, 2019-02-10 at 15:15 +0100, ummeegge wrote:
> Hi all,
> did an fresh install from origin/next of Core 128 with the new
> OpenSSL-
> 1.1.1a . Have checked also DNS-over-TLS which works well but kdig
> points out that the TLS sessions operates only with TLSv1.2 instaed
> of
> the new delivered TLSv1.3 .
> 
> A test with Cloudflair (which uses TLSv1.3) looks like this -->
> 
> kdig Test:
> 
> 
> ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1),
> server(1.1.1.1), port(853), protocol(TCP)
> ;; DEBUG: TLS, imported 135 certificates from '/etc/ssl/certs/ca-
> bundle.crt'
> ;; DEBUG: TLS, received certificate hierarchy:
> ;; DEBUG:  #1, C=US,ST=California,L=San Francisco,O=Cloudflare\,
> Inc.,CN=cloudflare-dns.com
> ;; DEBUG:      SHA-256 PIN:
> V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
> ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
> ;; DEBUG:      SHA-256 PIN:
> PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
> ;; DEBUG: TLS, skipping certificate PIN check
> ;; DEBUG: TLS, The certificate is trusted. 
> ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 51175
> ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL:
> 1
> 
> ;; EDNS PSEUDOSECTION:
> ;; Version: 0; flags: do; UDP size: 1452 B; ext-rcode: NOERROR
> ;; PADDING: 239 B
> 
> ;; QUESTION SECTION:
> ;; www.isoc.org.       		IN	A
> 
> ;; ANSWER SECTION:
> www.isoc.org.       	300	IN	A	46.43.36.222
> www.isoc.org.       	300	IN	RRSIG	A 7 3 300
> 20190224085001 20190210085001 45830 isoc.org.
> g64C7zJUL1zqUBbcZVDcEKO05EHz19ZHwxr4i8kTieW8XgX63lLZwhJTL1UK0NxOGCPOZ
> SVthWBp9HF9WnFjPsxsfkrxkOoz/Hcl1ZuTpWUTBLfBKqnpPJm2NJ2yoR7hPerUvtl0sH
> JnIOczrHnAlCwZBo8OOw9tlW0va+706ZQ=
> 
> ;; Received 468 B
> ;; Time 2019-02-10 12:40:19 CET
> ;; From 1.1.1.1(a)853(TCP) in 18.0 ms
> 
> 
> 
> And a test with s_client:
> 
> [root(a)ipfire tmp]# openssl s_client -connect 1.1.1.1:853
> CONNECTED(00000003)
> depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN =
> DigiCert Global Root CA
> verify return:1
> depth=1 C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
> verify return:1
> depth=0 C = US, ST = California, L = San Francisco, O = "Cloudflare,
> Inc.", CN = cloudflare-dns.com
> verify return:1
> ---
> Certificate chain
>  0 s:C = US, ST = California, L = San Francisco, O = "Cloudflare,
> Inc.", CN = cloudflare-dns.com
>    i:C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
>  1 s:C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
>    i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert
> Global Root CA
> ---
> Server certificate
> -----BEGIN CERTIFICATE-----
> MIIFxjCCBUygAwIBAgIQAczjGN6fVn+rKySQH62nHTAKBggqhkjOPQQDAjBMMQsw
> CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSYwJAYDVQQDEx1EaWdp
> Q2VydCBFQ0MgU2VjdXJlIFNlcnZlciBDQTAeFw0xOTAxMjgwMDAwMDBaFw0yMTAy
> MDExMjAwMDBaMHIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYw
> FAYDVQQHEw1TYW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZGZsYXJlLCBJbmMu
> MRswGQYDVQQDExJjbG91ZGZsYXJlLWRucy5jb20wWTATBgcqhkjOPQIBBggqhkjO
> PQMBBwNCAATFIHCMIEJQKB59REF8MHkpHGNeHUSbxfdxOive0qKksWw9ash3uMuP
> LlBT/fQYJn9hN+3/wr7pC125fuHfHOJ0o4ID6DCCA+QwHwYDVR0jBBgwFoAUo53m
> H/naOU/AbuiRy5Wl2jHiCp8wHQYDVR0OBBYEFHCV3FyjjmYH28uBEMar58OoRX+g
> MIGsBgNVHREEgaQwgaGCEmNsb3VkZmxhcmUtZG5zLmNvbYIUKi5jbG91ZGZsYXJl
> LWRucy5jb22CD29uZS5vbmUub25lLm9uZYcEAQEBAYcEAQAAAYcEop+ENYcQJgZH
> AEcAAAAAAAAAAAAREYcQJgZHAEcAAAAAAAAAAAAQAYcQJgZHAEcAAAAAAAAAAAAA
> ZIcQJgZHAEcAAAAAAAAAAABkAIcEop8kAYcEop8uATAOBgNVHQ8BAf8EBAMCB4Aw
> HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGkGA1UdHwRiMGAwLqAsoCqG
> KGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9zc2NhLWVjYy1nMS5jcmwwLqAsoCqG
> KGh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zc2NhLWVjYy1nMS5jcmwwTAYDVR0g
> BEUwQzA3BglghkgBhv1sAQEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGln
> aWNlcnQuY29tL0NQUzAIBgZngQwBAgIwewYIKwYBBQUHAQEEbzBtMCQGCCsGAQUF
> BzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRQYIKwYBBQUHMAKGOWh0dHA6
> Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEVDQ1NlY3VyZVNlcnZlckNB
> LmNydDAMBgNVHRMBAf8EAjAAMIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWgAdgCk
> uQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3cEAAAAWiVHhSLAAAEAwBHMEUC
> IQDlnoPeMXtFkRsy3Vs0eovk3ILKt01x6bgUdMlmQTFIvAIgcAn0lFSjiGzHm2eO
> jDZJzMiP5Uaj0Jwub9GO8RkxkkoAdQCHdb/nWXz4jEOZX73zbv9WjUdWNv9KtWDB
> tOr/XqCDDwAAAWiVHhVsAAAEAwBGMEQCIFC0n0JModeol8b/Qicxd5Blf/o7xOs/
> Bk0j9hdc5N7jAiAQocYnHL9iMqTtFkh0vmSsII5NbiakM/2yDEXnwkPRvAB3ALvZ
> 37wfinG1k5Qjl6qSe0c4V5UKq1LoGpCWZDaOHtGFAAABaJUeFJEAAAQDAEgwRgIh
> AL3OPTBzOZpS5rS/uLzqMOiACCFQyY+mTJ+L0I9TcB3RAiEA4+SiPz0/5kFxvrk7
> AKYKdvelgV1hiiPbM2YHY+/0BIkwCgYIKoZIzj0EAwIDaAAwZQIwez76hX2HTMur
> /I3XRuwfdmVoa8J6ZVEVq+AZsE7DyQh7AV4WNLU+092BrPbnyVUFAjEAzUf5jdz1
> pyc74lgOunC7LBE6cPtWbzfGpJiYyT/T+c5eIAwRYziKT0DKbaql7tiZ
> -----END CERTIFICATE-----
> subject=C = US, ST = California, L = San Francisco, O = "Cloudflare,
> Inc.", CN = cloudflare-dns.com
> 
> issuer=C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
> 
> ---
> No client certificate CA names sent
> Peer signing digest: SHA256
> Peer signature type: ECDSA
> Server Temp Key: X25519, 253 bits
> ---
> SSL handshake has read 2787 bytes and written 421 bytes
> Verification: OK
> ---
> New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256
> Server public key is 256 bit
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> Early data was not sent
> Verify return code: 0 (ok)
> ---
> ---
> Post-Handshake New Session Ticket arrived:
> SSL-Session:
>     Protocol  : TLSv1.3
>     Cipher    : TLS_CHACHA20_POLY1305_SHA256
>     Session-ID:
> FAA394DF4959235034E350399A968F5C945D413F68CC5D29191B209900735C01
>     Session-ID-ctx: 
>     Resumption PSK:
> 414F9C16B3D4845BC0592B35CC2D28DBD9B807BCBCB95125870379E1AAA480C7
>     PSK identity: None
>     PSK identity hint: None
>     TLS session ticket lifetime hint: 21600 (seconds)
>     TLS session ticket:
>     0000 - 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00
> 00   ................
>     0010 - 8f 9b bb d1 0a 9e a6 0d-df d3 9d 7d 8f c1 f1
> 6b   ...........}...k
>     0020 - 00 80 31 55 77 a3 b3 5c-fe 90 11 fb 8c ef b1
> 23   ..1Uw..\.......#
>     0030 - 9c 88 83 b0 33 5d 84 d6-1a 75 db 68 67 fb 57
> 3d   ....3]...u.hg.W=
>     0040 - ef 71 6b 7f 22 ae fa bf-d7 0d 12 37 62 69 01
> ff   .qk."......7bi..
>     0050 - 5a 78 29 97 8e ab a4 8e-e0 83 ab 0f 63 fa b4
> d9   Zx).........c...
>     0060 - 3b 08 70 38 56 db 6a 43-8c d3 e4 de 5d 1e 7e
> cb   ;.p8V.jC....].~.
>     0070 - 82 63 08 cd 31 71 61 17-44 a1 98 87 8a a5 43
> 06   .c..1qa.D.....C.
>     0080 - d1 f8 aa a7 ba 3e 99 32-a9 f8 a6 14 46 bd a2
> 0e   .....>.2....F...
>     0090 - 74 79 fa 24 c5 5c a2 12-81 cb 2c 85 4b 91 c1
> 1b   ty.$.\....,.K...
>     00a0 - 7d c3 3d c9 6a 58 12 4e-41 b7 eb 29 9e b6 90
> 07   }.=.jX.NA..)....
>     00b0 - e1 92 dd 8d 44 69                                 ....Di
> 
>     Start Time: 1549799117
>     Timeout   : 7200 (sec)
>     Verify return code: 0 (ok)
>     Extended master secret: no
>     Max Early Data: 0
> ---
> read R BLOCK
> closed
> 
> 
> Which seems strange to me since Cloudflair offers TLSv1.3 but unbound
> initializes only TLSv1.2 .
> 
> Have check all working DoT servers from here --> 
> https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers too,
> but no TLSv1.3 at all...
> 
> 
> Did someone have similar behaviors ?
> 
> Best,
> 
> Erik
> 
> 
> 
> 

Re: OpenSSL-1.1.1a - No TLSv1.3 with unbound

[Michael Tremer]

[-- Attachment #1: Type: text/plain, Size: 15363 bytes --]

Hey,

Do you have any additional settings apart from the IPFire default unbound configuration?

-Michael

> On 5 Mar 2019, at 17:17, ummeegge <ummeegge(a)ipfire.org> wrote:
> 
> Hi all,
> really was hoping that things are changing with the testings of Core
> 128 and was then happy to see that OpenSSL-1.1.1b addresses a potential
> problem/solution  --> 
> https://www.openssl.org/news/changelog.html#x1
> but it doesn´t...
> Have currently Core 129 with unbound -1.9.0 and OpenSSL-1.1.1b
> installed -->
> 
> Version 1.9.0
> linked libs: libevent 2.1.8-stable (it uses epoll), OpenSSL 1.1.1b  26 Feb 2019
> linked modules: dns64 respip validator iterator
> BSD licensed, see LICENSE in source package for details.
> Report bugs to unbound-bugs(a)nlnetlabs.nl
> 
> but (only?) unbound uses no TLSv1.3 (curl and Apache does), tested with Quad9 and Cloudflare -->
> 
> 
> ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1), server(9.9.9.9), port(853), protocol(TCP)
> ;; DEBUG: TLS, imported 135 certificates from '/etc/ssl/certs/ca-bundle.crt'
> ;; DEBUG: TLS, received certificate hierarchy:
> ;; DEBUG:  #1, C=US,ST=California,L=Berkeley,O=Quad9,CN=*.quad9.net
> ;; DEBUG:      SHA-256 PIN: /SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg=
> ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
> ;; DEBUG:      SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
> ;; DEBUG: TLS, skipping certificate PIN check
> ;; DEBUG: TLS, The certificate is trusted. 
> ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(CHACHA20-POLY1305)
> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 10011
> ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1
> 
> ;; EDNS PSEUDOSECTION:
> ;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: NOERROR
> 
> ;; QUESTION SECTION:
> ;; www.isoc.org.       		IN	A
> 
> ;; ANSWER SECTION:
> www.isoc.org.       	300	IN	A	46.43.36.222
> www.isoc.org.       	300	IN	RRSIG	A 7 3 300 20190319085001 20190305085001 54512 isoc.org. Mapbxw7G2F4QRTgrFg9P2uA2GYz2YnJIQu58t9MRdQJi4MU2EJeWqCRdUpy0kCHVCxDcDln9u+hnlF271IjZG/fTPGhw0A4bgCtHXXqAr/89b83maNRuYw/DVO4JI20z4+7TYY18yQinutvZUvzobmUebXVPWhNsRPLHbb4tOeI=
> 
> ;; Received 225 B
> ;; Time 2019-03-05 18:09:18 CET
> ;; From 9.9.9.9(a)853(TCP) in 142.4 ms
> 
> Exit status: 0
> 
> ========================================================================================================================
> 
> ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
> ;; DEBUG: TLS, imported 135 certificates from '/etc/ssl/certs/ca-bundle.crt'
> ;; DEBUG: TLS, received certificate hierarchy:
> ;; DEBUG:  #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
> ;; DEBUG:      SHA-256 PIN: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
> ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
> ;; DEBUG:      SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
> ;; DEBUG: TLS, skipping certificate PIN check
> ;; DEBUG: TLS, The certificate is trusted. 
> ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 24241
> ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1
> 
> ;; EDNS PSEUDOSECTION:
> ;; Version: 0; flags: do; UDP size: 1452 B; ext-rcode: NOERROR
> ;; PADDING: 239 B
> 
> ;; QUESTION SECTION:
> ;; www.isoc.org.       		IN	A
> 
> ;; ANSWER SECTION:
> www.isoc.org.       	300	IN	A	46.43.36.222
> www.isoc.org.       	300	IN	RRSIG	A 7 3 300 20190319085001 20190305085001 54512 isoc.org. Mapbxw7G2F4QRTgrFg9P2uA2GYz2YnJIQu58t9MRdQJi4MU2EJeWqCRdUpy0kCHVCxDcDln9u+hnlF271IjZG/fTPGhw0A4bgCtHXXqAr/89b83maNRuYw/DVO4JI20z4+7TYY18yQinutvZUvzobmUebXVPWhNsRPLHbb4tOeI=
> 
> ;; Received 468 B
> ;; Time 2019-03-05 18:09:24 CET
> ;; From 1.1.1.1(a)853(TCP) in 19.3 ms
> 
> Exit status: 0
> 
> 
> whereby my "old" machine with unbound -->
> Version 1.8.1
> linked libs: libevent 2.1.8-stable (it uses epoll), OpenSSL 1.1.1a  20 Nov 2018
> linked modules: dns64 respip validator iterator
> BSD licensed, see LICENSE in source package for details.
> Report bugs to unbound-bugs(a)nlnetlabs.nl
> 
> uses it -->
> 
> 
> 
> ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1), server(1.1.1.1), port(853), protocol(TCP)
> ;; DEBUG: TLS, imported 128 certificates from '/etc/ssl/certs/ca-bundle.crt'
> ;; DEBUG: TLS, received certificate hierarchy:
> ;; DEBUG:  #1, C=US,ST=California,L=San Francisco,O=Cloudflare\, Inc.,CN=cloudflare-dns.com
> ;; DEBUG:      SHA-256 PIN: V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
> ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
> ;; DEBUG:      SHA-256 PIN: PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
> ;; DEBUG: TLS, skipping certificate PIN check
> ;; DEBUG: TLS, The certificate is trusted. 
> ;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-(AES-256-GCM)
> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 5997
> ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1
> 
> ;; EDNS PSEUDOSECTION:
> ;; Version: 0; flags: do; UDP size: 1452 B; ext-rcode: NOERROR
> ;; PADDING: 239 B
> 
> ;; QUESTION SECTION:
> ;; www.isoc.org.       		IN	A
> 
> ;; ANSWER SECTION:
> www.isoc.org.       	158	IN	A	46.43.36.222
> www.isoc.org.       	158	IN	RRSIG	A 7 3 300 20190319085001 20190305085001 54512 isoc.org. Mapbxw7G2F4QRTgrFg9P2uA2GYz2YnJIQu58t9MRdQJi4MU2EJeWqCRdUpy0kCHVCxDcDln9u+hnlF271IjZG/fTPGhw0A4bgCtHXXqAr/89b83maNRuYw/DVO4JI20z4+7TYY18yQinutvZUvzobmUebXVPWhNsRPLHbb4tOeI=
> 
> ;; Received 468 B
> ;; Time 2019-03-05 18:11:44 CET
> ;; From 1.1.1.1(a)853(TCP) in 47.5 ms
> 
> Exit status: 0
> 
> =======================================================================
> 
> 
> ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1),
> server(9.9.9.9), port(853), protocol(TCP)
> ;; DEBUG: TLS, imported 128 certificates from '/etc/ssl/certs/ca-
> bundle.crt'
> ;; DEBUG: TLS, received certificate hierarchy:
> ;; DEBUG:  #1, C=US,ST=California,L=Berkeley,O=Quad9,CN=*.quad9.net
> ;; DEBUG:      SHA-256 PIN:
> /SlsviBkb05Y/8XiKF9+CZsgCtrqPQk5bh47o0R3/Cg=
> ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
> ;; DEBUG:      SHA-256 PIN:
> PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
> ;; DEBUG: TLS, skipping certificate PIN check
> ;; DEBUG: TLS, The certificate is trusted. 
> ;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(ECDSA-SECP256R1-SHA256)-
> (AES-256-GCM)
> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 13744
> ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL: 1
> 
> ;; EDNS PSEUDOSECTION:
> ;; Version: 0; flags: do; UDP size: 4096 B; ext-rcode: NOERROR
> 
> ;; QUESTION SECTION:
> ;; www.isoc.org.       		IN	A
> 
> ;; ANSWER SECTION:
> www.isoc.org.       	300	IN	A	46.43.36.222
> www.isoc.org.       	300	IN	RRSIG	A 7 3 300
> 20190319085001 20190305085001 54512 isoc.org.
> Mapbxw7G2F4QRTgrFg9P2uA2GYz2YnJIQu58t9MRdQJi4MU2EJeWqCRdUpy0kCHVCxDcDln
> 9u+hnlF271IjZG/fTPGhw0A4bgCtHXXqAr/89b83maNRuYw/DVO4JI20z4+7TYY18yQinut
> vZUvzobmUebXVPWhNsRPLHbb4tOeI=
> 
> ;; Received 225 B
> ;; Time 2019-03-05 18:11:44 CET
> ;; From 9.9.9.9(a)853(TCP) in 286.9 ms
> 
> Exit status: 0
> 
> 
> Haven´t found until now a reason for this ! May someone else did some
> tests/have_an_idea ?
> 
> 
> Best,
> 
> Erik
> 
> 
> 
> On So, 2019-02-10 at 15:15 +0100, ummeegge wrote:
>> Hi all,
>> did an fresh install from origin/next of Core 128 with the new
>> OpenSSL-
>> 1.1.1a . Have checked also DNS-over-TLS which works well but kdig
>> points out that the TLS sessions operates only with TLSv1.2 instaed
>> of
>> the new delivered TLSv1.3 .
>> 
>> A test with Cloudflair (which uses TLSv1.3) looks like this -->
>> 
>> kdig Test:
>> 
>> 
>> ;; DEBUG: Querying for owner(www.isoc.org.), class(1), type(1),
>> server(1.1.1.1), port(853), protocol(TCP)
>> ;; DEBUG: TLS, imported 135 certificates from '/etc/ssl/certs/ca-
>> bundle.crt'
>> ;; DEBUG: TLS, received certificate hierarchy:
>> ;; DEBUG:  #1, C=US,ST=California,L=San Francisco,O=Cloudflare\,
>> Inc.,CN=cloudflare-dns.com
>> ;; DEBUG:      SHA-256 PIN:
>> V6zes8hHBVwUECsHf7uV5xGM7dj3uMXIS9//7qC8+jU=
>> ;; DEBUG:  #2, C=US,O=DigiCert Inc,CN=DigiCert ECC Secure Server CA
>> ;; DEBUG:      SHA-256 PIN:
>> PZXN3lRAy+8tBKk2Ox6F7jIlnzr2Yzmwqc3JnyfXoCw=
>> ;; DEBUG: TLS, skipping certificate PIN check
>> ;; DEBUG: TLS, The certificate is trusted. 
>> ;; TLS session (TLS1.2)-(ECDHE-ECDSA-SECP256R1)-(AES-256-GCM)
>> ;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 51175
>> ;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 2; AUTHORITY: 0; ADDITIONAL:
>> 1
>> 
>> ;; EDNS PSEUDOSECTION:
>> ;; Version: 0; flags: do; UDP size: 1452 B; ext-rcode: NOERROR
>> ;; PADDING: 239 B
>> 
>> ;; QUESTION SECTION:
>> ;; www.isoc.org.       		IN	A
>> 
>> ;; ANSWER SECTION:
>> www.isoc.org.       	300	IN	A	46.43.36.222
>> www.isoc.org.       	300	IN	RRSIG	A 7 3 300
>> 20190224085001 20190210085001 45830 isoc.org.
>> g64C7zJUL1zqUBbcZVDcEKO05EHz19ZHwxr4i8kTieW8XgX63lLZwhJTL1UK0NxOGCPOZ
>> SVthWBp9HF9WnFjPsxsfkrxkOoz/Hcl1ZuTpWUTBLfBKqnpPJm2NJ2yoR7hPerUvtl0sH
>> JnIOczrHnAlCwZBo8OOw9tlW0va+706ZQ=
>> 
>> ;; Received 468 B
>> ;; Time 2019-02-10 12:40:19 CET
>> ;; From 1.1.1.1(a)853(TCP) in 18.0 ms
>> 
>> 
>> 
>> And a test with s_client:
>> 
>> [root(a)ipfire tmp]# openssl s_client -connect 1.1.1.1:853
>> CONNECTED(00000003)
>> depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN =
>> DigiCert Global Root CA
>> verify return:1
>> depth=1 C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
>> verify return:1
>> depth=0 C = US, ST = California, L = San Francisco, O = "Cloudflare,
>> Inc.", CN = cloudflare-dns.com
>> verify return:1
>> ---
>> Certificate chain
>> 0 s:C = US, ST = California, L = San Francisco, O = "Cloudflare,
>> Inc.", CN = cloudflare-dns.com
>>   i:C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
>> 1 s:C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
>>   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert
>> Global Root CA
>> ---
>> Server certificate
>> -----BEGIN CERTIFICATE-----
>> MIIFxjCCBUygAwIBAgIQAczjGN6fVn+rKySQH62nHTAKBggqhkjOPQQDAjBMMQsw
>> CQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMSYwJAYDVQQDEx1EaWdp
>> Q2VydCBFQ0MgU2VjdXJlIFNlcnZlciBDQTAeFw0xOTAxMjgwMDAwMDBaFw0yMTAy
>> MDExMjAwMDBaMHIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYw
>> FAYDVQQHEw1TYW4gRnJhbmNpc2NvMRkwFwYDVQQKExBDbG91ZGZsYXJlLCBJbmMu
>> MRswGQYDVQQDExJjbG91ZGZsYXJlLWRucy5jb20wWTATBgcqhkjOPQIBBggqhkjO
>> PQMBBwNCAATFIHCMIEJQKB59REF8MHkpHGNeHUSbxfdxOive0qKksWw9ash3uMuP
>> LlBT/fQYJn9hN+3/wr7pC125fuHfHOJ0o4ID6DCCA+QwHwYDVR0jBBgwFoAUo53m
>> H/naOU/AbuiRy5Wl2jHiCp8wHQYDVR0OBBYEFHCV3FyjjmYH28uBEMar58OoRX+g
>> MIGsBgNVHREEgaQwgaGCEmNsb3VkZmxhcmUtZG5zLmNvbYIUKi5jbG91ZGZsYXJl
>> LWRucy5jb22CD29uZS5vbmUub25lLm9uZYcEAQEBAYcEAQAAAYcEop+ENYcQJgZH
>> AEcAAAAAAAAAAAAREYcQJgZHAEcAAAAAAAAAAAAQAYcQJgZHAEcAAAAAAAAAAAAA
>> ZIcQJgZHAEcAAAAAAAAAAABkAIcEop8kAYcEop8uATAOBgNVHQ8BAf8EBAMCB4Aw
>> HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMGkGA1UdHwRiMGAwLqAsoCqG
>> KGh0dHA6Ly9jcmwzLmRpZ2ljZXJ0LmNvbS9zc2NhLWVjYy1nMS5jcmwwLqAsoCqG
>> KGh0dHA6Ly9jcmw0LmRpZ2ljZXJ0LmNvbS9zc2NhLWVjYy1nMS5jcmwwTAYDVR0g
>> BEUwQzA3BglghkgBhv1sAQEwKjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cuZGln
>> aWNlcnQuY29tL0NQUzAIBgZngQwBAgIwewYIKwYBBQUHAQEEbzBtMCQGCCsGAQUF
>> BzABhhhodHRwOi8vb2NzcC5kaWdpY2VydC5jb20wRQYIKwYBBQUHMAKGOWh0dHA6
>> Ly9jYWNlcnRzLmRpZ2ljZXJ0LmNvbS9EaWdpQ2VydEVDQ1NlY3VyZVNlcnZlckNB
>> LmNydDAMBgNVHRMBAf8EAjAAMIIBfgYKKwYBBAHWeQIEAgSCAW4EggFqAWgAdgCk
>> uQmQtBhYFIe7E6LMZ3AKPDWYBPkb37jjd80OyA3cEAAAAWiVHhSLAAAEAwBHMEUC
>> IQDlnoPeMXtFkRsy3Vs0eovk3ILKt01x6bgUdMlmQTFIvAIgcAn0lFSjiGzHm2eO
>> jDZJzMiP5Uaj0Jwub9GO8RkxkkoAdQCHdb/nWXz4jEOZX73zbv9WjUdWNv9KtWDB
>> tOr/XqCDDwAAAWiVHhVsAAAEAwBGMEQCIFC0n0JModeol8b/Qicxd5Blf/o7xOs/
>> Bk0j9hdc5N7jAiAQocYnHL9iMqTtFkh0vmSsII5NbiakM/2yDEXnwkPRvAB3ALvZ
>> 37wfinG1k5Qjl6qSe0c4V5UKq1LoGpCWZDaOHtGFAAABaJUeFJEAAAQDAEgwRgIh
>> AL3OPTBzOZpS5rS/uLzqMOiACCFQyY+mTJ+L0I9TcB3RAiEA4+SiPz0/5kFxvrk7
>> AKYKdvelgV1hiiPbM2YHY+/0BIkwCgYIKoZIzj0EAwIDaAAwZQIwez76hX2HTMur
>> /I3XRuwfdmVoa8J6ZVEVq+AZsE7DyQh7AV4WNLU+092BrPbnyVUFAjEAzUf5jdz1
>> pyc74lgOunC7LBE6cPtWbzfGpJiYyT/T+c5eIAwRYziKT0DKbaql7tiZ
>> -----END CERTIFICATE-----
>> subject=C = US, ST = California, L = San Francisco, O = "Cloudflare,
>> Inc.", CN = cloudflare-dns.com
>> 
>> issuer=C = US, O = DigiCert Inc, CN = DigiCert ECC Secure Server CA
>> 
>> ---
>> No client certificate CA names sent
>> Peer signing digest: SHA256
>> Peer signature type: ECDSA
>> Server Temp Key: X25519, 253 bits
>> ---
>> SSL handshake has read 2787 bytes and written 421 bytes
>> Verification: OK
>> ---
>> New, TLSv1.3, Cipher is TLS_CHACHA20_POLY1305_SHA256
>> Server public key is 256 bit
>> Secure Renegotiation IS NOT supported
>> Compression: NONE
>> Expansion: NONE
>> No ALPN negotiated
>> Early data was not sent
>> Verify return code: 0 (ok)
>> ---
>> ---
>> Post-Handshake New Session Ticket arrived:
>> SSL-Session:
>>    Protocol  : TLSv1.3
>>    Cipher    : TLS_CHACHA20_POLY1305_SHA256
>>    Session-ID:
>> FAA394DF4959235034E350399A968F5C945D413F68CC5D29191B209900735C01
>>    Session-ID-ctx: 
>>    Resumption PSK:
>> 414F9C16B3D4845BC0592B35CC2D28DBD9B807BCBCB95125870379E1AAA480C7
>>    PSK identity: None
>>    PSK identity hint: None
>>    TLS session ticket lifetime hint: 21600 (seconds)
>>    TLS session ticket:
>>    0000 - 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00
>> 00   ................
>>    0010 - 8f 9b bb d1 0a 9e a6 0d-df d3 9d 7d 8f c1 f1
>> 6b   ...........}...k
>>    0020 - 00 80 31 55 77 a3 b3 5c-fe 90 11 fb 8c ef b1
>> 23   ..1Uw..\.......#
>>    0030 - 9c 88 83 b0 33 5d 84 d6-1a 75 db 68 67 fb 57
>> 3d   ....3]...u.hg.W=
>>    0040 - ef 71 6b 7f 22 ae fa bf-d7 0d 12 37 62 69 01
>> ff   .qk."......7bi..
>>    0050 - 5a 78 29 97 8e ab a4 8e-e0 83 ab 0f 63 fa b4
>> d9   Zx).........c...
>>    0060 - 3b 08 70 38 56 db 6a 43-8c d3 e4 de 5d 1e 7e
>> cb   ;.p8V.jC....].~.
>>    0070 - 82 63 08 cd 31 71 61 17-44 a1 98 87 8a a5 43
>> 06   .c..1qa.D.....C.
>>    0080 - d1 f8 aa a7 ba 3e 99 32-a9 f8 a6 14 46 bd a2
>> 0e   .....>.2....F...
>>    0090 - 74 79 fa 24 c5 5c a2 12-81 cb 2c 85 4b 91 c1
>> 1b   ty.$.\....,.K...
>>    00a0 - 7d c3 3d c9 6a 58 12 4e-41 b7 eb 29 9e b6 90
>> 07   }.=.jX.NA..)....
>>    00b0 - e1 92 dd 8d 44 69                                 ....Di
>> 
>>    Start Time: 1549799117
>>    Timeout   : 7200 (sec)
>>    Verify return code: 0 (ok)
>>    Extended master secret: no
>>    Max Early Data: 0
>> ---
>> read R BLOCK
>> closed
>> 
>> 
>> Which seems strange to me since Cloudflair offers TLSv1.3 but unbound
>> initializes only TLSv1.2 .
>> 
>> Have check all working DoT servers from here --> 
>> https://dnsprivacy.org/wiki/display/DP/DNS+Privacy+Test+Servers too,
>> but no TLSv1.3 at all...
>> 
>> 
>> Did someone have similar behaviors ?
>> 
>> Best,
>> 
>> Erik
>> 
>> 
>> 
>> 
>