trafficserver-users mailing list archives

From "Chee, Anthony [COMP]" <anthony.c...@polyu.edu.hk>
Subject RE: SSL and Reverse Proxy
Date Mon, 18 Jul 2016 09:01:39 GMT
The cipher-suite is from https://cipherli.st/ -> "Yes, give me a ciphersuite that works
with legacy / old software."

-----Original Message-----
From: Reindl Harald [mailto:h.reindl@thelounge.net]
Sent: Monday, 18 July 2016 4:52 PM
To: users@trafficserver.apache.org
Subject: Re: SSL and Reverse Proxy



On 18.07.2016 at 09:37, Chee, Anthony [COMP] wrote:
> CONFIG proxy.config.ssl.server.cipher_suite
> EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-S
> HA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-
> AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:
> ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:E
> CDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RS
> A-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC
> 3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:
> AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD
> 5:!PSK:!RC4

Where do you have that ciphersuite from?

"DHE-RSA-AES128-GCM-SHA384", as an example, is nonsense because it does not exist; it's AES256/SHA384
or AES128/SHA256, and facing such a mistake I don't want to look at the rest. I suggest you don't
touch such settings until you understand what you are doing.

try that one:
CONFIG proxy.config.ssl.server.cipher_suite STRING ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!LOW:!MEDIUM
________________________

"openssl ciphers -v" will give you valid ciphers


[harry@rh:~]$ openssl ciphers -v | grep GCM | grep AES128
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD


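Added example, not part of the original messages: OpenSSL skips cipher names it does not recognise as long as some other token in the string selects a cipher, which is why a list containing names such as "DHE-RSA-AES128-GCM-SHA384" loads without any error. The sketch below tests each token of the quoted string on its own through Python's ssl module; the function name audit_cipher_string is hypothetical, and the result depends on the OpenSSL build Python is linked against.

```python
import re
import ssl

# Cipher string quoted in the thread above, re-joined across the mail line wraps.
QUOTED = (
    "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:"
    "ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:"
    "ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:"
    "ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:"
    "DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:"
    "EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:"
    "AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:"
    "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
)


def audit_cipher_string(cipher_string):
    """Return (unselectable, duplicates) for an OpenSSL cipher string.

    A token is unselectable when, used alone, it matches no cipher on the
    local OpenSSL build: either the name does not exist or the cipher was
    compiled out.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    unselectable, duplicates, seen = [], [], set()
    # OpenSSL accepts ':', ';', ',' and space as separators.
    for token in filter(None, re.split(r"[:;, ]+", cipher_string)):
        if token in seen:
            if token not in duplicates:
                duplicates.append(token)
            continue
        seen.add(token)
        # Exclusions (!x, -x), reordering (+x) and @-commands select nothing
        # by themselves, so they cannot be tested in isolation.
        if token[0] in "!-+@":
            continue
        try:
            ctx.set_ciphers(token)  # raises SSLError if nothing matches
        except ssl.SSLError:
            unselectable.append(token)
    return unselectable, duplicates


if __name__ == "__main__":
    bad, dup = audit_cipher_string(QUOTED)
    print("OpenSSL build:", ssl.OPENSSL_VERSION)
    print("select no cipher here:", ", ".join(bad) or "none")
    print("listed more than once:", ", ".join(dup) or "none")
```

Run it with the same OpenSSL version the proxy is built against; a token reported here is one the server would silently drop from the list.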