Unbound sets SSL_CTX_set_cipher_list(rc->ctx, "aNULL") in
daemon/remote.c; you can get the list of aNULL ciphers(1) with
    $ openssl ciphers aNULL
For me that is a long list of ciphers.
I do not really know what the correct list is to set here. It seems
reasonable that authentication has already been handled by dh and unix
socket.
Are you using OpenSSL 1.1? Apparently it introduced security levels and
by default doesn't allow aNULL ciphers. I just committed a version to our
repository that sets the security level to 0 for the remote control ssl
context when control-use-cert is no.
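
An added illustration, not code from this thread or from Unbound: Python's ssl module (which wraps OpenSSL) is used to show that a context restricted to aNULL ciphers cannot complete a handshake at security level 1 but can at level 0. The helper name anon_handshake and the in-memory transport are assumptions of the example; it expects OpenSSL 1.1.0 or later.

```python
import ssl

def anon_handshake(seclevel):
    """Handshake in memory using only aNULL ciphers at the given OpenSSL
    security level. Returns the negotiated cipher name, or None on failure."""
    def make_ctx(proto):
        ctx = ssl.SSLContext(proto)
        ctx.check_hostname = False        # no certificates in this setup
        ctx.verify_mode = ssl.CERT_NONE
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # aNULL suites predate TLS 1.3
        ctx.set_ciphers("aNULL:@SECLEVEL=%d" % seclevel)
        return ctx

    c_in, c_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    s_in, s_out = ssl.MemoryBIO(), ssl.MemoryBIO()
    client = make_ctx(ssl.PROTOCOL_TLS_CLIENT).wrap_bio(c_in, c_out)
    server = make_ctx(ssl.PROTOCOL_TLS_SERVER).wrap_bio(s_in, s_out,
                                                        server_side=True)
    pending = [client, server]
    for _ in range(10):
        for side in list(pending):
            try:
                side.do_handshake()
                pending.remove(side)
            except ssl.SSLWantReadError:
                pass                      # waiting for the peer's next flight
            except ssl.SSLError:
                return None               # e.g. no ciphers available
        # Shuttle handshake records between the two endpoints.
        s_in.write(c_out.read())
        c_in.write(s_out.read())
        if not pending:
            return client.cipher()[0]
    return None

if __name__ == "__main__":
    for level in (1, 0):
        print("SECLEVEL=%d ->" % level, anon_handshake(level))
```
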

> Are you using OpenSSL 1.1? Apparently it introduced security levels and
> by default doesn't allow aNULL ciphers. I just committed a version to our
> repository that sets the security level to 0 for the remote control ssl
> context when control-use-cert is no.

Hello Ralph,
without testing I would say that's the key!
Just looked into the openssl-1.1.x source and found rare documentation.
I'll apply your solution and report...

> Are you using OpenSSL 1.1? Apparently it introduced security levels and
> by default doesn't allow aNULL ciphers. I just committed a version to our
> repository that sets the security level to 0 for the remote control ssl
> context when control-use-cert is no.

confirmed.
for reference I attach my minimalistic, not portable patch...