trafficserver-users mailing list archives

From "Jason J. W. Williams" <jasonjwwilli...@gmail.com>
Subject Re: POODLE and ATS configs
Date Tue, 14 Oct 2014 23:25:56 GMT
We've been running our sites with SSLv3 off for some time, since we
only support IE7 and newer in our services.

Disabling SSLv3 hurts folks who need to support IE6 clients primarily.

-J

On Tue, Oct 14, 2014 at 4:23 PM, Scott Beardsley <sbeards@yahoo-inc.com> wrote:
> Is there an easy way to quantify the impact before turning SSLv3 off? Maybe
> by looking at logs?
>
>
> On Tuesday, October 14, 2014 4:18 PM, Brian Geffon <briang@apache.org>
> wrote:
>
>
> cc: users@
>
> For users who want to immediately disable SSLv3 you should only need to
> change proxy.config.ssl.SSLv3 in records.config to 0 and bounce
> traffic_server.
>
> Brian
>
> On Tue, Oct 14, 2014 at 4:13 PM, Leif Hedstrom <zwoop@apache.org> wrote:
>
> Now that the POODLE is out of the bag, I think we should consider changing
> this for v5.1.1:
>
>   {RECT_CONFIG, "proxy.config.ssl.SSLv3", RECD_INT, "1", RECU_RESTART_TS,
> RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
>
>
> I believe this does have a drawback: certain browsers / UAs on some OSes
> might not have TLS support. I think (but not 100% certain) that IE on
> Windows/XP is one such case?
>
> Thoughts?
>
> — Leif
>
> http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
>
>
>
>
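
One way to approach the log question raised in the thread, as an added example that is not from any of the participants or from the Traffic Server project. It assumes an NCSA combined-format access log (client IP first, User-Agent as the last quoted field) and uses an IE6 User-Agent as a rough proxy for clients that may depend on SSLv3; it does not measure the protocol actually negotiated, and User-Agent strings can be spoofed.

```python
import re
from collections import Counter

# Constructed sample lines in NCSA combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [14/Oct/2014:23:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
203.0.113.5 - - [14/Oct/2014:23:01:09 +0000] "GET /a.css HTTP/1.1" 200 90 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
198.51.100.7 - - [14/Oct/2014:23:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0"
192.0.2.44 - - [14/Oct/2014:23:03:40 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1))"
this line is not an access log entry
"""

# Assumed layout: client IP is the first field, User-Agent the last quoted field.
LINE_RE = re.compile(r'^(\S+) .* "([^"]*)"\s*$')
MSIE_RE = re.compile(r"MSIE (\d+)\.")


def ie_major(user_agent):
    """Major IE version from the FIRST MSIE token, or None if not IE.

    Newer IE releases can carry an embedded "MSIE 6.0" token later in the
    string (see the fourth sample line), so only the first token counts.
    """
    m = MSIE_RE.search(user_agent)
    return int(m.group(1)) if m else None


def summarize(log_text):
    """Count requests and distinct client IPs for IE6 versus everything else."""
    requests = Counter({"ie6": 0, "other": 0})
    clients = {"ie6": set(), "other": set()}
    skipped = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped += 1  # malformed or foreign line: report it, do not guess
            continue
        ip, user_agent = m.groups()
        bucket = "ie6" if ie_major(user_agent) == 6 else "other"
        requests[bucket] += 1
        clients[bucket].add(ip)
    return {"requests": dict(requests),
            "clients": {k: len(v) for k, v in clients.items()},
            "skipped": skipped}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```
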
