Hi,
In latest -snapshot, is there a method where one can enforce
in unbound tls1.3 with no SNI ? Locally is unencrypted - this is
for dns queries going out over the net.
I've been reading the unbound.conf manual and trying with unbound.conf like so:
forward-zone:
name: "." # use for ALL queries
forward-addr: 9.9.9.9@853 # Quad9 DoT
forward-addr: 149.112.112.112@853 # Quad9 DoT
forward-tls-upstream: yes
#tls-protocols: TLSv1.3
#tls-use-sni: no
#tls-ciphers:
"TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305:TLS_AES_128_GCM_SHA256"
#tls-ciphersuites:
"TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305:TLS_AES_128_GCM_SHA256"
#tls-version: "TLSv1.3"
The above as commented works, but wireshark shows it's using tls1.2 & 1.3
Uncommenting any of commented entries above causes unbound to fail to start.
Alternatively, is there a way to enforce tls1.3 --no-sni globally for all
outgoing
connections?
thanks,
--