Unbound 1.9 tls-ciphers Settings

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Feb 19 17:11:27 UTC 2019

On Tue, Feb 19, 2019 at 06:37:41AM +0100, John wrote:

> Since this release 1.9 it is possible to make settings for
>   tls-ciphers
>   tls-ciphersuites
>   tls-session-ticket-keys
> Unfortunately, nowhere is it written which values can be used

A key point of confusion for users is the distinction between
*cipher* selection and *protocol version* selection.  The cipherlist
settings DO NOT control the TLS protocol version.

Removing the "TLSv1.2" ciphers (the ones that got added in the TLS
1.2 spec) from the cipherlist DOES NOT disable TLS 1.2 negotiation;
it just reduces the security of TLS 1.2 when that protocol version
is negotiated.  So don't do that!

> If I want to set, i.e., only TLS 1.3, how do I have to write it?
> tls-ciphers: tls-1.3

No.  TLS 1.3 has a completely separate family of ciphers from
earlier protocol versions, and the OpenSSL cipherstring list
only affects TLS 1.2 and earlier.

> or have I to use tls-ciphersuites?

The "tls-ciphersuites" list is for TLS 1.3, but there are no compelling
reasons to modify it; you're unlikely to improve your configuration
by changing it.

If you want to disable TLS 1.2, unbound would have to provide an
interface to the protocol selection features of OpenSSL.  With
OpenSSL 1.1.0 and later, there are "MinProtocol" and "MaxProtocol"
controls; with 1.0.2 and earlier there's a protocol exclusion mask.

