Unbound 1.9 tls-ciphers Settings

Hello Unbound List

Since this release 1.9, is it possible to make settings for
tls-ciphers
tls-ciphersuites
tls-session-ticket-keys

Unfortunately, nowhere is it written which values can be used.
In https://nlnetlabs.nl/documentation/unbound/unbound.conf/
it is only written:

tls-ciphers: <string with cipher list>

If I want to set, i.e., only TLS 1.3, how do I have to write it?
tls-ciphers: tls-1.3
or do I have to use tls-ciphersuites?

Maybe someone can tell me about the values which I can use?

Regards
John

John via Unbound-users:

> tls-ciphers: <string with cipher list>

Assuming unbound is compiled/linked with OpenSSL, then it's the usual OpenSSL cipher selection 'language';
see "man ciphers" or https://www.openssl.org/docs/manmaster/man1/ciphers.html.

Andreas

Hmm... I am unclear.

Would I disallow all TLS 1.2 to allow only TLS 1.3?

So I would use ! for all TLS 1.2 strings? Leaving only the TLS 1.3 suites?

Maybe an example config line would be good, please. Sorry, this is more OpenSSL and a bit off topic.

> Since this release 1.9, it is possible to make settings for
>
>   tls-ciphers
>   tls-ciphersuites
>   tls-session-ticket-keys
>
> Unfortunately, nowhere is it written which values can be used.

A key point of confusion for users is the distinction between
*cipher* selection and *protocol version* selection. The cipherlist
settings DO NOT control the TLS protocol version.

Removing the "TLSv1.2" ciphers (the ones that got added in the TLS
1.2 spec) from the cipherlist DOES NOT disable TLS 1.2 negotiation,
it just reduces the security of TLS 1.2 when that protocol version
is negotiated. So don't do that!

> If I want to set, i.e., only TLS 1.3, how do I have to write it?
> tls-ciphers: tls-1.3

No. TLS 1.3 has a completely separate family of ciphers from
earlier protocol versions, and the OpenSSL cipherstring list
only affects TLS 1.2 and earlier.

> or do I have to use tls-ciphersuites?

The "tls-ciphersuites" list is for TLS 1.3, but there are no compelling
reasons to modify it; you're unlikely to improve your configuration
by changing it.

If you want to disable TLS 1.2, unbound would have to provide an
interface to the protocol selection features of OpenSSL. With
OpenSSL 1.1.0 and later, there are "MinProtocol" and "MaxProtocol"
controls, with 1.0.2 and earlier there's a protocol exclusion mask.
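As an added illustration (not part of the thread, and not Unbound code), the following Python `ssl` snippet shows the distinction made above with the same OpenSSL underneath: a cipher string such as "DEFAULT:!TLSv1.2" only strips suites from the TLS 1.2-and-earlier list and leaves the protocol floor untouched, while `minimum_version` (Python's wrapper for OpenSSL's MinProtocol control) is what actually restricts a context to TLS 1.3. The function names `probe` and `cipher_string_changes_version_floor` are this example's own.

```python
import ssl


def probe(cipher_string, min_version=None):
    """Apply an OpenSSL cipher string (what a tls-ciphers value is handed
    to OpenSSL as) to a fresh client context and report what it changed.
    Optionally also set a protocol floor, the MinProtocol control from the
    reply above, to show which knob really selects protocol versions."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    floor_before = ctx.minimum_version
    ctx.set_ciphers(cipher_string)          # touches TLS <= 1.2 suites only
    if min_version is not None:
        ctx.minimum_version = min_version   # the real protocol-version control
    # get_ciphers() tags each suite with the lowest protocol it belongs to:
    # "SSLv3"/"TLSv1.0" for pre-1.2 suites, "TLSv1.2" for AEAD/SHA-2 suites,
    # "TLSv1.3" for the separate TLS 1.3 list.
    protocols = {c["protocol"] for c in ctx.get_ciphers()}
    return {
        "floor_before": floor_before,
        "floor_after": ctx.minimum_version,
        "protocols": protocols,
    }


def cipher_string_changes_version_floor(cipher_string):
    """True only if set_ciphers() moved the minimum protocol version.
    It never does, which is the point the reply makes."""
    r = probe(cipher_string)
    return r["floor_before"] != r["floor_after"]


if __name__ == "__main__":
    # 1. The mistake the reply warns about: removing the "TLSv1.2" suites
    #    leaves TLS 1.2 negotiable, just with the older CBC/SHA-1 suites.
    weakened = probe("DEFAULT:!TLSv1.2")
    print("DEFAULT:!TLSv1.2 ->", sorted(weakened["protocols"]),
          "floor still", weakened["floor_after"])

    # 2. TLS 1.3 suites are a separate list (tls-ciphersuites territory)
    #    and survive any cipher string untouched.
    modern = probe("ECDHE+AESGCM")
    print("ECDHE+AESGCM ->", sorted(modern["protocols"]))

    # 3. "TLS 1.3 only" takes a protocol floor, not a cipher string.
    only13 = probe("ECDHE+AESGCM", ssl.TLSVersion.TLSv1_3)
    print("floor set to", only13["floor_after"])
```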