trafficserver-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Phil Sorber <sor...@apache.org>
Subject Re: Deprecation of SSL v2/3
Date Mon, 25 Apr 2016 22:23:24 GMT
On Mon, Apr 25, 2016 at 11:01 AM Reindl Harald <h.reindl@thelounge.net>
wrote:

>
>
> Am 25.04.2016 um 17:55 schrieb Phil Sorber:
> > On Mon, Apr 25, 2016 at 3:33 AM Reindl Harald
> >     just a notice again before i try to build with other flags
> >     _____________________________________________
> >
> >     https://www.ssllabs.com/ssltest/
> >
> >     docs.trafficserver.apache.org
> >     SSL 2 handshake compatibility   Yes
> >
> > I believe what is going on here is that we use SSLv23_server_method()
> > which will negotiate the highest version of TLS supported by both sides,
> > but does so with the SSLv2Hello handshake. This does not mean we
> > necessarily support SSLv2/3.
> >
> >     www.thelounge.net
> >     SSL 2 handshake compatibility   No
> >
> >
> > It is my understanding that HTTPD matches the server method to only
> > negotiate the version configured. This means it is using something like
> > TLSv1_2_server_method() which only supports the TLS1.2 handshake. What
> > is your HTTPD config?
>
> as strict as the ATS configuration (see below) and so no reason for the
> current "ab" behavior
>
> you can verify with https://www.ssllabs.com/ssltest/ the following two
> subdomains:
>
> * secure.thelounge.net (httpd)
> * www.thelounge.net (trafficserver)
> _____________________________________
>
> httpd:
>
> SSLSessionCacheTimeout 900
> SSLStaplingStandardCacheTimeout 86400
> SSLStaplingErrorCacheTimeout 300
> SSLStaplingReturnResponderErrors Off
> SSLStaplingFakeTryLater Off
> SSLProtocol All -SSLv2 -SSLv3
> SSLFIPS Off
> SSLCompression Off
> SSLInsecureRenegotiation Off
> SSLSessionTickets Off
> SSLVerifyClient none
> SSLHonorCipherOrder On
> SSLCipherSuite
>
> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!LOW:!MEDIUM
> _____________________________________
>

ap_log_error(APLOG_MARK, APLOG_TRACE3, 0, s,
                 "Creating new SSL context (protocols: %s)", cp);

Can you turn on TRACE3 level logging in HTTPD and see if you can find the
output of that? Trying to trace through the code path in HTTPD to see what
they might be doing different than us.


>
> Trafficserver:
>
> CONFIG proxy.config.ssl.SSLv2 INT 0
> CONFIG proxy.config.ssl.SSLv3 INT 0
> CONFIG proxy.config.ssl.TLSv1 INT 1
> CONFIG proxy.config.ssl.TLSv1_1 INT 1
> CONFIG proxy.config.ssl.TLSv1_2 INT 1
> CONFIG proxy.config.ssl.client.SSLv2 INT 1
> CONFIG proxy.config.ssl.client.SSLv3 INT 1
> CONFIG proxy.config.ssl.client.TLSv1 INT 1
> CONFIG proxy.config.ssl.client.TLSv1_1 INT 1
> CONFIG proxy.config.ssl.client.TLSv1_2 INT 1
> CONFIG proxy.config.ssl.client.certification_level INT 0
> CONFIG proxy.config.ssl.server.multicert.filename STRING
> ssl_multicert.config
> CONFIG proxy.config.ssl.server.cert.path STRING /etc/trafficserver/ssl/
> CONFIG proxy.config.ssl.server.private_key.path STRING
> /etc/trafficserver/ssl/
> CONFIG proxy.config.ssl.CA.cert.path STRING /etc/trafficserver/ssl/
> CONFIG proxy.config.ssl.server.cipher_suite STRING
>
> ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!LOW:!MEDIUM
> CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
> CONFIG proxy.config.ssl.server.dhparams_file STRING
> /etc/trafficserver/ssl/dhparams.pem
>
>

Mime
View raw message