if (cfg->remote_control_use_cert == 0) {
/* No certificates are requested */
+#if defined(SSL_OP_NO_TLSv1_3)
+ /* in openssl 1.1.1, negotiation code for tls 1.3 does
+ * not allow the unauthenticated aNULL and eNULL ciphers */
+ SSL_CTX_set_options(rc->ctx, SSL_OP_NO_TLSv1_3);
+#endif
#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
SSL_CTX_set_security_level(rc->ctx, 0);
#endif
- if(!SSL_CTX_set_cipher_list(rc->ctx, "aNULL, eNULL")) {
+ if(!SSL_CTX_set_cipher_list(rc->ctx, "aNULL:eNULL")) {
log_crypto_err("Failed to set aNULL cipher list");
daemon_remote_delete(rc);
return NULL;
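Review bot: The comment added above `SSL_CTX_set_options(rc->ctx, SSL_OP_NO_TLSv1_3)` explains the OpenSSL 1.1.1 workaround but not the precondition that makes this branch acceptable. With security level 0 and `aNULL:eNULL`, the control channel is neither authenticated nor encrypted, and the context is now also held below TLS 1.3. Nothing in the visible lines ties `remote_control_use_cert == 0` to a local pipe, so any such restriction is enforced outside this hunk; I would state it here, e.g. `/* unauthenticated and unencrypted: only for a local control pipe guarded by file permissions */`. The same comment belongs on the `else` branch of the unbound-control hunk, where the client side of the channel cannot verify the server. The enclosing function starts and ends outside the hunk.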
- Combine write of tcp length and tcp query for dns over tls.
- nitpick fixes in example.conf.
- Fix above stub queries for type NS and useless delegation point.
+ - Fix unbound-control over pipe with openssl 1.1.1, the TLSv1.3
+ tls_choose_sigalg routine does not allow the ciphers for the pipe,
+ so use TLSv1.2.
3 April 2018: Wouter
- Fix #4043: make test fails due to v6 presentation issue in macOS.
free(c_cert);
} else {
/* Use ciphers that don't require authentication */
+#if defined(SSL_OP_NO_TLSv1_3)
+ /* in openssl 1.1.1, negotiation code for tls 1.3 does
+ * not allow the unauthenticated aNULL and eNULL ciphers */
+ SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_3);
+#endif
#ifdef HAVE_SSL_CTX_SET_SECURITY_LEVEL
SSL_CTX_set_security_level(ctx, 0);
#endif
- if(!SSL_CTX_set_cipher_list(ctx, "aNULL, eNULL"))
+ if(!SSL_CTX_set_cipher_list(ctx, "aNULL:eNULL"))
ssl_err("Error setting NULL cipher!");
}
return ctx;