Having upgraded to unbound 1.24, I find that since my server knows TLS1.3, TLS1.2 is disabled.
But I have old Android 10 clients (not possible to upgrade) which cannot do 1.3 for the "private DNS" feature, which is,
as far as I know, the only way to specify a DNS to an Android device not given by the local network.
What can I have as a solution for those old clients (perfectly functional for their use, so buying new devices would be seen as a waste)?

There is now this PR [1] that addresses some issues around TLS protocol configuration.
Among other things it:
- introduces a new `tls-protocols` configuration option,
- brings back TLS1.2 support by default.
This will be included in the next feature release of Unbound, probably 1.25.0.

While I acknowledge there may be cases where this is desirable
or necessary, SSLlabs.com's checker then downgrades your rating.
I'm hoping that the way to re-establish TLS1.3-only is
well-documented and possibly also mentioned in the release
notes...