On Mon, Mar 30, 2020 at 12:15:41PM +0200, Remi Gacogne via dnsdist <dnsdist@mailman.powerdns.com> wrote a message of 73 lines which said:
> What tool are you using to test? I can't reproduce that behaviour with
> openssl s_client,

I can:

% openssl s_client -connect dot.bortzmeyer.fr:853 -servername 2001:db8::1
CONNECTED(00000003)
closed
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 313 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

% openssl s_client -connect dot.bortzmeyer.fr:853 -servername dot.bortzmeyer.fr
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = dot.bortzmeyer.fr
verify return:1
---
Certificate chain
 0 s:CN = dot.bortzmeyer.fr
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
[Everything works]

Since dot.bortzmeyer.fr is a pristine dnsdist 1.4.0, could it be a paranoid IPS somewhere on the path? (AFAIK, there is none but you never know, these days. As long as we don't have encrypted SNI, we will have these issues.)
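An added example, not part of the thread: a small Python script that parses openssl s_client transcripts like the two above and flags the run where the peer closed the connection before sending any certificate, which is the comparison to make when deciding whether the server itself or something on the path is reacting to the SNI. The transcripts are constructed to mirror the message; the second run's byte counts and cipher are invented, since the message elides them with "[Everything works]".

```python
import re
from dataclasses import dataclass
# Constructed openssl s_client transcripts mirroring the two runs above; the
# second run's sizes and cipher are made up (the message elides them).
BOGUS_SNI = """CONNECTED(00000003)
closed
---
SSL handshake has read 7 bytes and written 313 bytes
---
New, (NONE), Cipher is (NONE)
"""
REAL_SNI = """CONNECTED(00000003)
---
Certificate chain
 0 s:CN = dot.bortzmeyer.fr
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
SSL handshake has read 3212 bytes and written 406 bytes
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
"""

@dataclass
class Handshake:
    bytes_read: int
    bytes_written: int
    cipher: str      # "(NONE)" when nothing was negotiated
    chain_len: int   # certificates listed under "Certificate chain"

def parse_s_client(transcript: str) -> Handshake:
    """Extract the handshake summary from an openssl s_client transcript."""
    rw = re.search(r"SSL handshake has read (\d+) bytes and written (\d+) bytes", transcript)
    if rw is None:
        raise ValueError("no handshake summary line found")
    cipher = re.search(r"Cipher is (\S+)", transcript)
    chain = re.findall(r"^\s*\d+ s:", transcript, re.M)
    return Handshake(int(rw[1]), int(rw[2]), cipher[1] if cipher else "(NONE)", len(chain))

def classify(h: Handshake) -> str:
    """'ok' for a completed handshake; 'closed-before-certificate' when the peer
    sent at most one alert record (5-byte header + 2-byte body = 7 bytes) and
    closed, so no ServerHello or certificate ever arrived."""
    if h.chain_len > 0 and h.cipher != "(NONE)":
        return "ok"
    return "closed-before-certificate" if h.bytes_read <= 7 else "handshake-failed"

def sni_sensitive(real: str, bogus: str) -> bool:
    """True when only the run with the expected SNI completes the handshake."""
    return classify(parse_s_client(real)) == "ok" and classify(parse_s_client(bogus)) != "ok"
```

Run against two real captures (one with the correct -servername, one with a bogus one) to get the same verdict for your own dnsdist instance.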