[Unbound-users] weak ciphers enabled to remote-control nsd+unbound
Paul Wouters
paul at nohats.ca
Wed Nov 13 21:24:48 UTC 2013
On Wed, 13 Nov 2013, Andreas Schulze wrote:
> nsd and unbound can be controlled using nsd-control and unbound-control.
> SSL is used to ensure privacy and authentication. Although those connections
> are commonly used at localhost only, they are usable over public networks by
> design.
>
> But the server allows weak ciphers. Users have no option to control these
> settings.
> I suggest enhancing the code to use a fixed cipher and protocol by default
> and optionally making these settings configurable.
>
> Also DH key exchange would be nice (PFS,
> http://de.wikipedia.org/wiki/Perfect_Forward_Secrecy)
Actually, I suggest we adopt the patch that floated around last year to
allow people to use a pipe when running on localhost, which would be
much simpler than the entire TLS overhead. Keep the TLS for people
who wish to remote control their unbound instances, but I don't think
those are many. Whereas everyone with unbound-control/dnssec-trigger
setups now has to go through the overhead/complexity of TLS.
Paul