Option to see what TLS version and cipher is negotiated?

Open eccgecko opened this issue 6 years ago • 1 comments

Is there an option to see in the stubby logs what version of TLS has been negotiated and what cipher-suite was used for each connection to a server? I can’t seem to find it anywhere even with -l and -v 7 included when starting the stubby daemon. It would definitely be a most welcome feature if possible?

eccgecko, Feb 15 '19 13:02

There isn't an option in the log at the moment, but you can check the TLS version for a single query against a particular server using the tool below - it should be installed alongside stubby:

```
./getdns_server_mon @9.9.9.9~dns.quad9.net tls-auth
DNS Lookup name: getdnsapi.net
DNS Lookup RR type: AAAA
getdns result: At least one response was returned (900)
Transport: TLS
RTT: 742ms
Authentication: Success
Certificate expires: 2020-09-24 12:00:00 UTC
TLS version: TLSv1.2
TLS authentication: Opportunistic Authentication succeeded
```

Adding this to a verbose log and also outputting the cipher suite is a good idea though. Otherwise the best option is to use Wireshark to check the Server Hello.

saradickinson, Feb 16 '19 13:02
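The Server Hello check suggested in the reply above can also be scripted. This is an added example, not part of the thread and not stubby or getdns code: it reads the negotiated version and cipher suite out of one raw TLS record, and the names `parse_server_hello` and `build_sample` and the sample bytes are constructed for illustration.

```python
import struct

# Small lookup tables; values not listed here are reported as hex.
VERSIONS = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
CIPHERS = {
    0x1301: "TLS_AES_128_GCM_SHA256",
    0x1302: "TLS_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}

def parse_server_hello(record: bytes):
    """Return (version_name, cipher_name) from one TLS record holding a ServerHello."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _, rlen = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record")
    body = record[5:5 + rlen]
    if len(body) < rlen or rlen < 4 or body[0] != 0x02:
        raise ValueError("not a complete ServerHello")
    hlen = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hlen]
    try:
        version = struct.unpack_from("!H", hello, 0)[0]   # legacy_version
        pos = 2 + 32                                      # skip legacy_version and random
        pos += 1 + hello[pos]                             # skip session_id
        cipher = struct.unpack_from("!H", hello, pos)[0]
        pos += 3                                          # cipher_suite + compression_method
        if pos < len(hello):                              # extensions are optional before TLS 1.3
            end = pos + 2 + struct.unpack_from("!H", hello, pos)[0]
            pos += 2
            while pos + 4 <= min(end, len(hello)):
                etype, elen = struct.unpack_from("!HH", hello, pos)
                if etype == 0x002B and elen == 2:         # supported_versions carries the TLS 1.3 version
                    version = struct.unpack_from("!H", hello, pos + 4)[0]
                pos += 4 + elen
    except (struct.error, IndexError):
        raise ValueError("truncated ServerHello") from None
    return (VERSIONS.get(version, f"0x{version:04x}"), CIPHERS.get(cipher, f"0x{cipher:04x}"))

# Constructed sample record (zero random, empty session_id), not a real capture.
def build_sample(cipher, exts=b""):
    hello = b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!HB", cipher, 0)
    if exts:
        hello += struct.pack("!H", len(exts)) + exts
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs
```

A TLS 1.3 server still puts 0x0303 in the legacy version field, so the parser takes the version from the `supported_versions` extension when it is present.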