[nsd-users] NSD 4.2.0rc1 pre-release available

A. Schulze sca at andreasschulze.de
Fri Jun 7 07:29:11 UTC 2019


On 06.06.19 at 11:29, Wouter Wijngaards wrote:
> NSD 4.2.0rc1 release candidate is available:
> https://www.nlnetlabs.nl/downloads/nsd/nsd-4.2.0rc1.tar.gz

> - Patch to add support for tls service on a specified tls port,
>   from Sara Dickinson (Sinodun).
cool, the patch works here since March

> - TLS OCSP stapling support, enabled with tls-service-ocsp: filename,
>   patch from Andreas Schulze.
OCSP data are valid for a much shorter time than certificates.
For this reason I renew the OCSP data daily.

Currently this means I restart nsd once a day.

In the long run it would be helpful if updated certificates,
private keys and OCSP data would only require a reload.


> - Disable TLS1.0, TLS1.1 and weak ciphers, enable
>   CIPHER_SERVER_PREFERENCE, patch from Andreas Schulze.
there is TLS setup code in
   - server.c ~lines 1660...1270, server_tls_ctx_create()
   - remote.c ~lines  250...300, remote_setup_ctx

The code for the same problem exists twice, but only in server.c does the
"hardening" happen.
Is this not implemented in remote.c so as not to break existing remote
control installations?

Also I have a problem with the cipher selection
"CHACHA20+ECDH:AESGCM+ECDH:!SHA:!AESCCM"
(server.c, line 1709) I suggested months ago:

It's redundant, prefers CHACHA20-POLY1305 over AESGCM and is not as
readable as it could be.
-> new Suggestion: SSL_CTX_set_cipher_list(ctx, "ECDHE+AESGCM:ECDHE+CHACHA20")


Andreas
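The following is an added example, not code from the NSD sources or from this mail. It lets the OpenSSL library that Python links expand the two cipher strings quoted above, so the "redundant" and "prefers CHACHA20-POLY1305 over AESGCM" points can be checked against a real cipher-string parser, and it builds a server context with the same hardening the rc1 notes describe (no TLS 1.0/1.1, server cipher preference, restricted cipher list) using Python's ssl module rather than NSD's C code. The function names and the exact suite lists printed are not from the page; the lists depend on the OpenSSL build in use.

```python
"""Added example (not NSD code): expand the cipher strings discussed in the
thread with the system OpenSSL and build a hardened server context.
Suite names and their order depend on the OpenSSL build Python links."""
import ssl

# Cipher strings quoted in the mail.
NSD_RC1_CIPHERS = "CHACHA20+ECDH:AESGCM+ECDH:!SHA:!AESCCM"  # server.c in 4.2.0rc1, as quoted
SUGGESTED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20"           # the suggested replacement


def expand(cipher_string):
    """Return the TLS 1.2 suite names, in negotiation order, that OpenSSL
    selects for a cipher string. TLS 1.3 suites are configured separately
    (SSL_CTX_set_ciphersuites) and are filtered out so only the effect of
    SSL_CTX_set_cipher_list is shown."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def is_strong(name):
    """ECDHE key exchange with an AEAD bulk cipher (AES-GCM or ChaCha20-Poly1305);
    CCM suites and SHA-1 MAC suites are rejected."""
    return (name.startswith("ECDHE-")
            and ("GCM" in name or "CHACHA20" in name)
            and "CCM" not in name
            and not name.endswith("-SHA"))


def same_suites(a, b):
    """True when two cipher strings select the same set of suites, order ignored."""
    return set(expand(a)) == set(expand(b))


def harden_server_context(cipher_string=SUGGESTED_CIPHERS):
    """Server context with the hardening described for server.c: TLS 1.2 minimum,
    server-side cipher ordering, restricted cipher list. The certificate and key
    would be loaded by the caller with load_cert_chain(); omitted here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # disables TLS 1.0 and 1.1
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE    # SSL_OP_CIPHER_SERVER_PREFERENCE
    ctx.set_ciphers(cipher_string)
    return ctx


def check_hardening(ctx):
    """Checks a practitioner would run against a context before deploying it."""
    suites = [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    return {
        "tls12_minimum": ctx.minimum_version == ssl.TLSVersion.TLSv1_2,
        "server_preference": bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE),
        "only_strong_suites": bool(suites) and all(is_strong(n) for n in suites),
    }


if __name__ == "__main__":
    for label, cs in (("rc1", NSD_RC1_CIPHERS), ("suggested", SUGGESTED_CIPHERS)):
        print(f"{label}: {cs}")
        for name in expand(cs):
            print("   ", name)
    print("same suite set:", same_suites(NSD_RC1_CIPHERS, SUGGESTED_CIPHERS))
    print("hardening checks:", check_hardening(harden_server_context()))
```

Running it shows that both strings select the same ECDHE/AEAD suites (the `!SHA:!AESCCM` exclusions remove nothing the positive terms had matched), and that the only difference is ordering: the rc1 string puts the ChaCha20 suites first, the suggested one puts AES-GCM first. For the cipher list itself either is acceptable; the point in the mail is readability and the intended preference.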
