[nsd-users] NSD 4.2.0rc1 pre-release available

Wouter Wijngaards wouter at nlnetlabs.nl
Tue Jun 11 13:25:11 UTC 2019


Hi Andreas,

Fixed the ctx create code and the cipher selection you suggested (for
the next release).  Thanks for the suggestions, it is good to harden the
remote control connection too.

Best regards, Wouter

On 6/7/19 9:29 AM, A. Schulze wrote:
> 
> Am 06.06.19 um 11:29 schrieb Wouter Wijngaards:
>> NSD 4.2.0rc1 release candidate is available:
>> https://www.nlnetlabs.nl/downloads/nsd/nsd-4.2.0rc1.tar.gz
> 
>> - Patch to add support for tls service on a specified tls port,
>>   from Sara Dickinson (Sinodun).
> cool, the patch works here since March
> 
>> - TLS OCSP stapling support, enabled with tls-service-ocsp: filename,
>>   patch from Andreas Schulze.
> OCSP data is valid for a much shorter time than certificates.
> For this reason I renew the OCSP data daily.
> 
> Currently this means I restart nsd once a day.
> 
> In the long run it would be helpful if updated certificates,
> private keys and OCSP data would only require a reload.
> 
> 
>> - Disable TLS1.0, TLS1.1 and weak ciphers, enable
>>   CIPHER_SERVER_PREFERENCE, patch from Andreas Schulze.
> there is TLS setup code in
>   - server.c ~lines 1660...1270, server_tls_ctx_create()
>   - remote.c ~lines  250...300, remote_setup_ctx
> 
> The code for the same problem exists twice, but only in server.c does the
> "hardening" happen.
> Is this not implemented in remote.c so as not to break existing remote
> control installations?
> 
> Also I've a problem with the cipher selection
> "CHACHA20+ECDH:AESGCM+ECDH:!SHA:!AESCCM"
> ( server.c, line 1709 ) I suggested months ago:
> 
> It's redundant, prefers CHACHA20-POLY1305 over AESGCM and is not as
> readable as it could be.
> -> New suggestion: SSL_CTX_set_cipher_list(ctx,
> "ECDHE+AESGCM:ECDHE+CHACHA20")
> 
> 
> Andreas
> 
> 
> _______________________________________________
> nsd-users mailing list
> nsd-users at NLnetLabs.nl
> https://open.nlnetlabs.nl/mailman/listinfo/nsd-users
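The thread raises two points worth checking on a real OpenSSL build: that the same hardening (no TLS 1.0/1.1, server cipher preference, restricted cipher list) is applied to both the service and the remote-control context, and what the two cipher strings actually expand to and in which order. The script below is an added example written for this post, not NSD code; it uses Python's ssl module, which forwards these settings to the same OpenSSL calls discussed in the thread (SSL_CTX_set_cipher_list and the server-preference option), and expands both cipher strings on the local OpenSSL so the ordering difference (ChaCha20 first versus AES-GCM first) is visible. The function and helper names are this example's own.

```python
import ssl

# Cipher strings quoted in the thread: the one in server.c and the
# suggested replacement.  Everything else here is added for illustration.
ORIGINAL_LIST = "CHACHA20+ECDH:AESGCM+ECDH:!SHA:!AESCCM"
SUGGESTED_LIST = "ECDHE+AESGCM:ECDHE+CHACHA20"


def hardened_server_context(cipher_list):
    """One context-builder for both the service and the remote-control
    listener, so the hardening cannot be applied to only one of them.
    Python forwards these to OpenSSL: minimum_version -> SSL_CTX_set_min_proto_version,
    OP_CIPHER_SERVER_PREFERENCE -> SSL_OP_CIPHER_SERVER_PREFERENCE,
    set_ciphers -> SSL_CTX_set_cipher_list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2      # disables TLS 1.0 / 1.1
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE    # server order wins
    ctx.set_ciphers(cipher_list)                      # SSLError if nothing matches
    return ctx


def context_is_hardened(ctx):
    """Check the two non-cipher settings: protocol floor and server preference."""
    return (ctx.minimum_version == ssl.TLSVersion.TLSv1_2
            and bool(ctx.options & ssl.OP_CIPHER_SERVER_PREFERENCE))


def tls12_cipher_names(ctx):
    """TLS 1.2 cipher names in the order the server will prefer them.
    TLS 1.3 suites (names starting with TLS_) are configured separately in
    OpenSSL and are not affected by set_ciphers, so they are skipped."""
    return [c["name"] for c in ctx.get_ciphers()
            if not c["name"].startswith("TLS_")]


def is_ecdhe_aead(name):
    """True only for forward-secret AEAD suites: ECDHE key exchange with
    AES-GCM or ChaCha20-Poly1305 (no CBC/SHA-1 MAC suites, no AES-CCM)."""
    return name.startswith("ECDHE-") and ("-GCM-" in name or "CHACHA20" in name)


def family(name):
    if "CHACHA20" in name:
        return "CHACHA20"
    if "-GCM-" in name:
        return "AESGCM"
    return "other"


def audit(cipher_list):
    """Expand cipher_list on the local OpenSSL and summarise the result."""
    names = tls12_cipher_names(hardened_server_context(cipher_list))
    families = [family(n) for n in names]
    return {
        "names": names,
        "all_ecdhe_aead": all(is_ecdhe_aead(n) for n in names),
        "first_family": families[0] if families else None,
        "has_chacha": "CHACHA20" in families,
    }


if __name__ == "__main__":
    for label, cipher_list in (("server.c", ORIGINAL_LIST),
                               ("suggested", SUGGESTED_LIST)):
        report = audit(cipher_list)
        print(f"{label}: {cipher_list}")
        print(f"  preferred first: {report['first_family']}, "
              f"only ECDHE AEAD suites: {report['all_ecdhe_aead']}")
        for name in report["names"]:
            print("   ", name)
```

Run it on the build you deploy against: both strings should reduce to ECDHE AES-GCM and ChaCha20-Poly1305 suites only, and the difference that remains is purely the preference order, which is what the suggested string makes explicit.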
