[nsd-users] NSD 4.2.0rc1 pre-release available

A. Schulze sca at andreasschulze.de
Fri Jun 7 07:29:11 UTC 2019

Am 06.06.19 um 11:29 schrieb Wouter Wijngaards:
> NSD 4.2.0rc1 release candidate is available:
> https://www.nlnetlabs.nl/downloads/nsd/nsd-4.2.0rc1.tar.gz

> - Patch to add support for tls service on a specified tls port,
>   from Sara Dickinson (Sinodun).
cool, the patch works here since March

> - TLS OCSP stapling support, enabled with tls-service-ocsp: filename,
>   patch from Andreas Schulze.
OCSP-Data are valid for a much shorter time then certificates.
For this reason I renew OCSP-data daily.

Currently this mean, I restart nsd once a day.

At the long tail it would be helpful if updated certificates,
private keys and ocsp-data would only require a reload.

> - Disable TLS1.0, TLS1.1 and weak ciphers, enable
>   CIPHER_SERVER_PREFERENCE, patch from Andreas Schulze.
there is TLS setup code in
   - server.c ~lines 1660...1270, server_tls_ctx_create()
   - remote.c ~lines  250...300, remote_setup_ctx

the code for the same problem exists twice but only in server.c the  
"hardening" happen.
Is this not implemented in remote.c to not break existing remote  
control installations?

Also I've a problem with the cipher selection  
( server.c, line 1709 ) I suggested months ago:

It's redundant, prefer CHACHA20-POLY1305 over AESGCM and is not as  
readable as it could be.
-> new Suggestion: SSL_CTX_set_cipher_list(ctx, "ECDHE+AESGCM:ECDHE+CHACHA20")


More information about the nsd-users mailing list