trafficserver-users mailing list archives

From Leif Hedstrom <zw...@apache.org>
Subject Re: POODLE and ATS configs
Date Wed, 15 Oct 2014 03:02:13 GMT

On Oct 14, 2014, at 5:25 PM, Jason J. W. Williams <jasonjwwilliams@gmail.com> wrote:

> We've been running our sites with SSLv3 off for some time, since we
> only support IE7 and newer in our services.
> 
> Disabling SSLv3 hurts folks who need to support IE6 clients primarily.


You still have the option to enable it, of course:

	CONFIG proxy.config.ssl.SSLv3 INT 1


— Leif


> 
> -J
> 
> On Tue, Oct 14, 2014 at 4:23 PM, Scott Beardsley <sbeards@yahoo-inc.com> wrote:
>> Is there an easy way to quantify the impact before turning SSLv3 off? Maybe
>> by looking at logs?
>> 
>> 
>> On Tuesday, October 14, 2014 4:18 PM, Brian Geffon <briang@apache.org>
>> wrote:
>> 
>> 
>> cc: users@
>> 
>> For users who want to immediately disable SSLv3 you should only need to
>> change proxy.config.ssl.SSLv3 in records.config to 0 and bounce
>> traffic_server.
>> 
>> Brian
>> 
>> On Tue, Oct 14, 2014 at 4:13 PM, Leif Hedstrom <zwoop@apache.org> wrote:
>> 
>> Now that the POODLE is out of the bag, I think we should consider changing
>> this for v5.1.1:
>> 
>>  {RECT_CONFIG, "proxy.config.ssl.SSLv3", RECD_INT, "1", RECU_RESTART_TS,
>> RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
>> 
>> 
>> I believe this does have a drawback: certain browsers / UAs on some OSes
>> might not have TLS support. I think (but not 100% certain) that IE on
>> Windows/XP is one such case?
>> 
>> Thoughts?
>> 
>> — Leif
>> 
>> http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
>> 
>> 
>> 
>> 


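An added example, not part of the original thread and not ATS code: a Python check that reads the text of a records.config and reports whether SSLv3 is still enabled, based on the `CONFIG proxy.config.ssl.SSLv3 INT <0|1>` line and the `[0-1]` check pattern quoted above. The function name, the sample contents, the comment handling and the last-entry-wins treatment of duplicates are assumptions; the default of 1 is the value in the quoted RecordsConfig entry, so pass `builtin_default=0` for a build where that default has been changed.

```python
import re

SETTING = "proxy.config.ssl.SSLv3"
# Line shape shown in the thread: CONFIG <name> <TYPE> <value>
LINE_RE = re.compile(r"^\s*CONFIG\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

# Constructed sample input, not taken from a real deployment.
SAMPLE = """\
# constructed sample records.config fragment
CONFIG proxy.config.ssl.SSLv3 INT 1
"""


def sslv3_status(records_text, builtin_default=1):
    """Return (enabled, source, problems) for the SSLv3 toggle.

    enabled  -- True if SSLv3 would be accepted
    source   -- "built-in default" or "line N" of the deciding entry
    problems -- invalid or duplicate entries worth a manual look
    """
    value, source, problems = builtin_default, "built-in default", []
    for lineno, raw in enumerate(records_text.splitlines(), 1):
        line = raw.split("#", 1)[0]  # assumption: '#' starts a comment
        match = LINE_RE.match(line)
        if not match or match.group(1) != SETTING:
            continue
        rtype, rvalue = match.group(2), match.group(3)
        if rtype != "INT" or rvalue not in ("0", "1"):
            # The quoted record entry restricts the value to "[0-1]".
            problems.append(f"line {lineno}: invalid entry {raw.strip()!r}")
            continue
        if source != "built-in default":
            # Assumption: a later entry overrides an earlier one.
            problems.append(f"line {lineno}: duplicate overrides {source}")
        value, source = int(rvalue), f"line {lineno}"
    return bool(value), source, problems


if __name__ == "__main__":
    enabled, source, problems = sslv3_status(SAMPLE)
    state = "ENABLED (POODLE exposure)" if enabled else "disabled"
    print(f"SSLv3 {state}, decided by {source}")
    for problem in problems:
        print("warning:", problem)
```

A commented-out entry does not count as a setting, so a file whose only SSLv3 line is commented out is reported with the built-in default.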