Can unbound answer both DoH and DoT on the same port?

ch at 0x.co
Sat Jan 6 18:51:24 UTC 2024

I have a working unbound server that answers DoH queries on tcp 443.

I use a letsencrypt SSL certificate and it passes properly with both curl 
and firefox.

I was curious if I could query the exact same server with a DoT client:

# kdig -d @doh.mydomain.com:443 +tls-ca cnn.com

;; DEBUG: Querying for owner(cnn.com.), class(1), type(1), server(doh.mydomain.com), port(443), protocol(TCP)
;; DEBUG: TLS, imported 145 system certificates
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, CN=mydomain.com
;; DEBUG:      SHA-256 PIN: XzzPRPTjAqSgKmDsYY/Oxxxxxxxxxx68Bldoxxxxxxxx
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is NOT trusted. The certificate issuer is unknown.
;; WARNING: TLS, handshake failed (Error in the certificate.)
;; ERROR: failed to query server doh.mydomain.com at 443(TCP)

So I can create a DoT query over port 443 and it appears this would work, but ... a TLS handshake failure ...

Is this just a problem specific to letsencrypt and this portion of the error:

;; DEBUG: TLS, imported 145 system certificates

Or will I have additional difficulties in trying to answer *both* DoH and DoT over port 443 from the same unbound instance?

Thanks.