trafficserver-users mailing list archives

From Reindl Harald <h.rei...@thelounge.net>
Subject Re: SSL and Reverse Proxy
Date Mon, 18 Jul 2016 09:05:21 GMT


On 18.07.2016 at 11:01, Chee, Anthony [COMP] wrote:
> The cipher-suite is from https://cipherli.st/

lol - a site which is mixing unencrypted and encrypted content giving 
TLS recommendations sounds like blind people talking about colors

(http://hosted-oswa.org/piwik/piwik.php?idsite=33)

> "Yes, give me a ciphersuite that works with legacy / old software."

i gave you one which is here in production for a ton of domains and 
several services!

> -----Original Message-----
> From: Reindl Harald [mailto:h.reindl@thelounge.net]
> Sent: Monday, 18 July 2016 4:52 PM
> To: users@trafficserver.apache.org
> Subject: Re: SSL and Reverse Proxy
>
>
>
> On 18.07.2016 at 09:37, Chee, Anthony [COMP] wrote:
>> CONFIG proxy.config.ssl.server.cipher_suite
>> EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-S
>> HA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-
>> AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:
>> ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:E
>> CDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RS
>> A-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC
>> 3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:
>> AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD
>> 5:!PSK:!RC4
>
> from where do you have that ciphersuite?
>
> "DHE-RSA-AES128-GCM-SHA384" as example is nonsense because it does not exist, it's AES256/SHA384
> or AES128/SHA256 and facing such mistake i don't want to look at the rest - i suggest don't
> touch such settings until you understand what you are doing
>
> try that one:
> CONFIG proxy.config.ssl.server.cipher_suite STRING ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!LOW:!MEDIUM
> ________________________
>
> "openssl ciphers -v" will give you valid ciphers
>
>
> [harry@rh:~]$ openssl ciphers -v | grep GCM | grep AES128
> ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
> ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
> AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
> DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(128) Mac=AEAD
> DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
>

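The check suggested in the message above, comparing each explicit suite name in the setting against what `openssl ciphers -v` prints, written out as an added example (not code from the thread or from Traffic Server). The hyphen test that separates explicit suite names from group keywords is an assumption of this example, and the reference list is only the five AES128-GCM lines quoted in the thread.

```python
import re

# Excerpt of the quoted cipher_suite value, hard-wrapped and quote-marked as mail clients do.
QUOTED_SETTING = """\
>> EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-S
>> HA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-
>> AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:
"""

# The quoted `openssl ciphers -v | grep GCM | grep AES128` output, wrapped the same way.
OPENSSL_OUTPUT = """\
> ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128)
> Mac=AEAD
> ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA
> Enc=AESGCM(128) Mac=AEAD
> AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
> DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(128)
> Mac=AEAD
> DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128)
> Mac=AEAD
"""

def unquote(text):
    """Drop leading '>' quote markers and surrounding blanks from each line."""
    return [re.sub(r"^[>\s]+", "", line).rstrip() for line in text.splitlines()]

def known_suites(ciphers_v_output):
    """Suite names from `openssl ciphers -v`: field 1 of lines whose field 2 is a protocol."""
    names = set()
    for line in unquote(ciphers_v_output):
        fields = line.split()
        if len(fields) >= 2 and re.fullmatch(r"(SSLv|TLSv)[\d.]+", fields[1]):
            names.add(fields[0])
    return names

def audit(setting, known):
    """Rejoin a wrapped cipher string and sort its explicit suite names into ok/unknown."""
    tokens = [t for t in "".join(unquote(setting)).split(":") if t]
    result = {"ok": [], "unknown": [], "not_checked": []}
    for token in tokens:
        name = token.lstrip("!+-")
        if "+" in name or "-" not in name:  # assumption: no hyphen means a group keyword
            result["not_checked"].append(token)
        else:
            result["ok" if name in known else "unknown"].append(token)
    return result

if __name__ == "__main__":
    for kind, tokens in audit(QUOTED_SETTING, known_suites(OPENSSL_OUTPUT)).items():
        print(kind, tokens)
```

To audit a real setting, pass the full `openssl ciphers -v` output from the host running Traffic Server as the reference, since any suite missing from the reference is reported as unknown.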

