trafficserver-users mailing list archives

From Reindl Harald <h.rei...@thelounge.net>
Subject Re: ssl questions
Date Mon, 20 Oct 2014 19:57:04 GMT

On 20.10.2014 at 21:50, James Peach wrote:
>
>> On Oct 20, 2014, at 8:49 AM, Reindl Harald <h.reindl@thelounge.net> wrote:
>>
>> HTTPD: SSL 2 handshake compatibility Yes
>> TS:    SSL 2 handshake compatibility No
>>
>
> We disabled SSLv2 by default on TS-787, Tue May 17 15:34:41 2011.

But that has nothing to do with "SSL 2 handshake compatibility", I guess.

https://www.ssllabs.com/ssltest/

Compare the results for HTTPD / ATS,
both with no SSLv2 and SSLv3.

>> Can that be the reason "ab -c 100 -n 100000" fails against ATS?
>> Keep in mind that this doesn't mean SSLv3 or even SSLv2 are enabled!
>
> Not really sure about that, but should be easy to test when I get a minute.

thanks!

>> HTTPD: Heartbeat (extension) Yes
>> TS:    Heartbeat (extension) No
>>
>> How does ATS do that using the same OpenSSL binaries?
>> "OPENSSL_NO_HEARTBEATS=1" as an env var doesn't disable it for httpd.
>
> You need to set OPENSSL_NO_HEARTBEATS=1 at OpenSSL build time

I am aware of that, sadly.

"OPENSSL_NO_DEFAULT_ZLIB=1" works as an env var for other historical issues.

> I don't know why we would not be vulnerable to heartbleed with a vulnerable OpenSSL version.
> I poked around in OpenSSL and mod_ssl for a while and AFAICT heartbeats are enabled by default.
> I didn't see any special knob that would turn it on.

Well, I just compared https://www.ssllabs.com/ssltest/ against a pure 
HTTPD server and an ATS server on the same patch level with Fedora 20 and 
was surprised that ATS is listed as "Heartbeat (extension) No" while HTTPD 
shows a yes.


