AdguardTeam / AdGuardHome

Network-wide ads & trackers blocking DNS server
https://adguard.com/adguard-home.html
GNU General Public License v3.0

Allow to configure TLS properties #1207

Open ammnt opened 4 years ago

ammnt commented 4 years ago

Hello,

I would like to be able to control the cipher types for DoT. For example, I would like to use only these cipher types: ECDH+AESGCM:EECDH+CHACHA20.

It would be great to have an appropriate flag entry field for this or something like this.

Thank you.

ameshkov commented 4 years ago

I reckon you'd like to configure the minimum TLS version as well?

ammnt commented 4 years ago

@ameshkov, I think using the default maximum TLS version is sufficient. But control of cipher types will not interfere.

ameshkov commented 4 years ago

Well, cipher suites and TLS versions are connected. ECDH+AESGCM:EECDH+CHACHA20 simply aren't available if you disable TLS 1.2 and older versions.

ammnt commented 4 years ago

@ameshkov, yeah, I know. It may make sense to use predefined combinations of TLS versions and cipher types.

ammnt commented 4 years ago

@ameshkov, I have an alternative solution in the context of this task. In order not to make this difficult, I suggest completely disabling TLS 1.0 and TLS 1.1 (or even later...) support for encrypted protocols and upstream servers, or making it optional via yaml. Then we can be sure that vulnerable versions of protocols are not used. What do you think?🤔

ameshkov commented 4 years ago

Hmm, it is possible that we have already done this, could you please check it?

ammnt commented 4 years ago

> Hmm, it is possible that we have already done this, could you please check it?

Yeah, no support of TLS 1.0 and 1.1 for encrypted protocols. But I don't know how to test this for upstream servers🙄

ameshkov commented 4 years ago

I checked the source code and we do set min version to TLS 1.2
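The two points made in this thread, that a TLS 1.2 floor and a cipher-suite allowlist go together, and that a minimum version can be verified by actually attempting a handshake, can be demonstrated in Go, the language AdGuard Home is written in. The following is an added example, not code from AdGuard Home; the `allowedTLS12Suites` list is a hypothetical policy approximating the "ECDH+AESGCM:EECDH+CHACHA20" request, the certificate is a throwaway self-signed one constructed for the test, and the handshakes run over an in-memory pipe rather than a real listener.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Hypothetical policy: ECDHE key exchange only, AEAD ciphers only, TLS 1.2+.
// crypto/tls applies Config.CipherSuites to TLS 1.2 and earlier only; the
// TLS 1.3 suites (all ECDHE + AEAD) are fixed and cannot be restricted here.
var allowedTLS12Suites = []uint16{
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
}

// ServerConfig is the hardened listener configuration the issue asks for:
// a TLS 1.2 floor plus a cipher-suite allowlist.
func ServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates:           []tls.Certificate{cert},
		MinVersion:             tls.VersionTLS12,
		CipherSuites:           allowedTLS12Suites,
		SessionTicketsDisabled: true, // no post-Finished server writes over the synchronous pipe
	}
}

// PolicyAllows reports whether a negotiated connection satisfies the policy.
func PolicyAllows(st tls.ConnectionState) bool {
	if st.Version < tls.VersionTLS12 {
		return false
	}
	if st.Version == tls.VersionTLS13 {
		return true // every TLS 1.3 suite is ECDHE + AEAD by construction
	}
	for _, s := range allowedTLS12Suites {
		if s == st.CipherSuite {
			return true
		}
	}
	return false
}

// SelfSignedCert builds a throwaway P-256 certificate (constructed for the test).
func SelfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "dot.example.test"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// Handshake runs one TLS handshake over an in-memory pipe and returns the
// client's view of the connection, or the error the client observed.
func Handshake(srv, cli *tls.Config) (tls.ConnectionState, error) {
	c1, c2 := net.Pipe()
	done := make(chan struct{})
	go func() {
		defer close(done)
		_ = tls.Server(c1, srv).Handshake() // server-side failures surface as client errors
	}()
	conn := tls.Client(c2, cli)
	err := conn.Handshake()
	st := conn.ConnectionState()
	c2.Close() // unblocks the server goroutine if it is still waiting on the pipe
	<-done
	c1.Close()
	return st, err
}

func main() {
	cert, err := SelfSignedCert()
	if err != nil {
		panic(err)
	}
	srv := ServerConfig(cert)
	// InsecureSkipVerify only because the certificate is self-signed test data.
	clients := map[string]*tls.Config{
		"default client":  {InsecureSkipVerify: true},
		"TLS 1.2 client":  {InsecureSkipVerify: true, MaxVersion: tls.VersionTLS12},
		"TLS 1.0 client":  {InsecureSkipVerify: true, MinVersion: tls.VersionTLS10, MaxVersion: tls.VersionTLS10},
		"CBC-only client": {InsecureSkipVerify: true, MaxVersion: tls.VersionTLS12, CipherSuites: []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA}},
	}
	for name, cli := range clients {
		st, err := Handshake(srv, cli)
		if err != nil {
			fmt.Printf("%-16s rejected: %v\n", name, err)
			continue
		}
		fmt.Printf("%-16s version=%#x suite=%s allowed=%v\n",
			name, st.Version, tls.CipherSuiteName(st.CipherSuite), PolicyAllows(st))
	}
}
```

The TLS 1.0 and CBC-only clients are refused by the server, not merely flagged afterwards, which is the kind of check the thread wanted for the listener side; for upstream servers the same `MinVersion` and `CipherSuites` fields go into the client-side `tls.Config`, where `PolicyAllows` can be run on `ConnectionState()` after dialing to confirm what was actually negotiated.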

ammnt commented 4 years ago

@ameshkov, awesome!😙