mirror of
https://github.com/coredns/coredns.git
synced 2026-07-10 17:50:12 -04:00
fix(tls): use Go TLS defaults (#8227)
Remove fixed TLS 1.2 cipher suite list and maximum TLS version so crypto/tls can use its maintained defaults. Keep TLS 1.2 as the minimum supported version. Document the shared TLS default behavior for plugins that expose TLS configuration and add coverage to ensure CoreDNS leaves Go-managed TLS fields unset. Signed-off-by: Ville Vesilehto <ville@vesilehto.fi>
This commit is contained in:
@@ -39,6 +39,9 @@ set to verify\_if\_given or require\_and\_verify.
|
||||
The keylog can be specified to export TLS master secrets in key log format to allow external programs
|
||||
to decrypt TLS connections. It compromises security and should only be used for debugging!
|
||||
|
||||
CoreDNS sets the minimum TLS version to TLS 1.2. The maximum TLS version, TLS 1.2 cipher suites, and
|
||||
key exchange mechanisms use the Go `crypto/tls` defaults.
|
||||
|
||||
## Examples
|
||||
|
||||
Start a DNS-over-TLS server that picks up incoming DNS-over-TLS queries on port 5553 and uses the
|
||||
|
||||
Reference in New Issue
Block a user