trafficserver-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Reindl Harald <h.rei...@thelounge.net>
Subject Re: Deprecation of SSL v2/3
Date Mon, 25 Apr 2016 17:01:29 GMT


Am 25.04.2016 um 17:55 schrieb Phil Sorber:
> On Mon, Apr 25, 2016 at 3:33 AM Reindl Harald
>     just a notice again before i try to build with other flags
>     _____________________________________________
>
>     https://www.ssllabs.com/ssltest/
>
>     docs.trafficserver.apache.org
>     SSL 2 handshake compatibility   Yes
>
> I believe what is going on here is that we use SSLv23_server_method()
> which will negotiate the highest version of TLS supported by both sides,
> but does so with the SSLv2Hello handshake. This does not mean we
> necessarily support SSLv2/3.
>
>     www.thelounge.net
>     SSL 2 handshake compatibility   No
>
>
> It is my understanding that HTTPD matches the server method to only
> negotiate the version configured. This means it is using something like
> TLSv1_2_server_method() which only supports the TLS1.2 handshake. What
> is your HTTPD config?

as strict as the ATS configuration (see below) and so no reason for the 
current "ab" behavior

you can verify with https://www.ssllabs.com/ssltest/ the following two 
subdomains:

* secure.thelounge.net (httpd)
* www.thelounge.net (trafficserver)
_____________________________________

httpd:

SSLSessionCacheTimeout 900
SSLStaplingStandardCacheTimeout 86400
SSLStaplingErrorCacheTimeout 300
SSLStaplingReturnResponderErrors Off
SSLStaplingFakeTryLater Off
SSLProtocol All -SSLv2 -SSLv3
SSLFIPS Off
SSLCompression Off
SSLInsecureRenegotiation Off
SSLSessionTickets Off
SSLVerifyClient none
SSLHonorCipherOrder On
SSLCipherSuite 
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!LOW:!MEDIUM
_____________________________________

Trafficserver:

CONFIG proxy.config.ssl.SSLv2 INT 0
CONFIG proxy.config.ssl.SSLv3 INT 0
CONFIG proxy.config.ssl.TLSv1 INT 1
CONFIG proxy.config.ssl.TLSv1_1 INT 1
CONFIG proxy.config.ssl.TLSv1_2 INT 1
CONFIG proxy.config.ssl.client.SSLv2 INT 1
CONFIG proxy.config.ssl.client.SSLv3 INT 1
CONFIG proxy.config.ssl.client.TLSv1 INT 1
CONFIG proxy.config.ssl.client.TLSv1_1 INT 1
CONFIG proxy.config.ssl.client.TLSv1_2 INT 1
CONFIG proxy.config.ssl.client.certification_level INT 0
CONFIG proxy.config.ssl.server.multicert.filename STRING 
ssl_multicert.config
CONFIG proxy.config.ssl.server.cert.path STRING /etc/trafficserver/ssl/
CONFIG proxy.config.ssl.server.private_key.path STRING 
/etc/trafficserver/ssl/
CONFIG proxy.config.ssl.CA.cert.path STRING /etc/trafficserver/ssl/
CONFIG proxy.config.ssl.server.cipher_suite STRING 
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!LOW:!MEDIUM
CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
CONFIG proxy.config.ssl.server.dhparams_file STRING 
/etc/trafficserver/ssl/dhparams.pem


Mime
View raw message