On Mon, Mar 30, 2020 at 12:15:41PM +0200,
 Remi Gacogne via dnsdist <dnsdist@mailman.powerdns.com> wrote 
 a message of 73 lines which said:

> What tool are you using to test? I can't reproduce that behaviour with
> openssl s_client,

I can:

% openssl s_client -connect dot.bortzmeyer.fr:853 -servername 2001:db8::1
CONNECTED(00000003)
closed
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 313 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

% openssl s_client -connect dot.bortzmeyer.fr:853 -servername dot.bortzmeyer.fr
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = dot.bortzmeyer.fr
verify return:1
---
Certificate chain
 0 s:CN = dot.bortzmeyer.fr
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
[Everything works]

Since dot.bortzmeyer.fr is a pristine dnsdist 1.4.0, could it be a
paranoid IPS somewhere on the path? (AFAIK, there is none but you
never know, these days. As long as we don't have encrypted SNI, we
will have these issues.)
_______________________________________________
dnsdist mailing list
dnsdist@mailman.powerdns.com
https://mailman.powerdns.com/mailman/listinfo/dnsdist
