trafficserver-users mailing list archives

From Jan-Frode Myklebust <janfr...@tanso.net>
Subject Re: Forward Secrecy ?
Date Sun, 24 Nov 2013 18:55:34 GMT
On Sun, Nov 24, 2013 at 08:56:30AM -0800, James Peach wrote:
> On Nov 24, 2013, at 6:47 AM, Jan-Frode Myklebust <janfrode@tanso.net> wrote:
> 
> > Is it possible to configure ATS for forward secrecy? I've tried using
> > the same cipher suites as we use for apache httpd,
> 
> Since it works in httpd, I assume that your OpenSSL supports the right set of cipher suites?

Yes, it should. Here's an httpd/mod_ssl/openssl-1.0.1e-16.el6_5.x86_64 report:

	SSLCipherSuite EECDH+AES:EECDH+RC4:EECDH+AES256:EDH+AES:EDH+RC4:EDH+AES256:RC4-SHA:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5
	https://www.ssllabs.com/ssltest/analyze.html?d=altibetamail.altibox.net

and ATS 4.0.2/openssl-1.0.1e-16.el6_5.x86_64 using the same cipher list:

	CONFIG proxy.config.ssl.server.cipher_suite STRING EECDH+AES:EECDH+RC4:EECDH+AES256:EDH+AES:EDH+RC4:EDH+AES256:RC4-SHA:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5
	https://www.ssllabs.com/ssltest/analyze.html?d=dibs.tanso.net

Of the cipher list, only these are offered with ATS:

	TLS_RSA_WITH_RC4_128_SHA (0x5)                                                      128
	TLS_RSA_WITH_AES_256_CBC_SHA (0x35)                                                 256

httpd/mod_ssl additionally offers:

	TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS   256
	TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS   256
	TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)      DH 1024 bits (p: 128, g: 1, Ys: 128)   FS   256
	TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS   128
	TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS   128
	TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)      DH 1024 bits (p: 128, g: 1, Ys: 128)   FS
  -jf

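The comparison Jan-Frode does by hand above (expand the cipher string, then see which of the permitted suites the server actually offers and which of those give forward secrecy) can be scripted. The block below is an added example, not code from the thread or from Traffic Server; it asks the local OpenSSL, through Python's ssl module, to expand the cipher string from the message, maps each suite to the IANA code that SSL Labs prints, and compares against the suite codes transcribed from the two scan results above. Assumptions: the local OpenSSL is a modern one rather than 1.0.1e, so the expanded list differs from 2013 (RC4 is normally absent and TLS 1.3 suites appear), and the ATS_OFFERED / HTTPD_OFFERED sets are constructed from the codes quoted in the message, not from a live scan.

```python
import re
import ssl

# The OpenSSL cipher string from the thread (used both as httpd's SSLCipherSuite and
# as ATS's proxy.config.ssl.server.cipher_suite).
CIPHER_STRING = ("EECDH+AES:EECDH+RC4:EECDH+AES256:EDH+AES:EDH+RC4:EDH+AES256:"
                 "RC4-SHA:AES256-SHA:!aNULL:!eNULL:!EXP:!LOW:!MD5")

# Suite codes as SSL Labs reported them in the message (constructed from the post,
# not from a live scan).
ATS_OFFERED = {0x05, 0x35}
HTTPD_OFFERED = ATS_OFFERED | {0x9f, 0x6b, 0x39, 0x9e, 0x67, 0x33}


def expand_cipher_string(cipher_string=CIPHER_STRING):
    """Expand an OpenSSL cipher string with the *local* OpenSSL and return
    {iana_code: (openssl_name, forward_secret)} in OpenSSL's preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    suites = {}
    for c in ctx.get_ciphers():
        # OpenSSL ids are 0x0300xxxx for SSLv3/TLS suites; the low 16 bits are the
        # IANA code that scanners such as SSL Labs print (0x35, 0x9f, ...).
        code = c["id"] & 0xFFFF
        # The description is the `openssl ciphers -v` line; Kx= is the key exchange.
        m = re.search(r"Kx=(\S+)", c["description"])
        kx = m.group(1) if m else "?"
        # Forward secrecy comes from ephemeral (EC)DH key exchange (Kx=ECDH / Kx=DH).
        # Every TLS 1.3 suite is forward secret by construction; its Kx shows as "any".
        fs = kx in ("ECDH", "DH") or c.get("protocol", "") == "TLSv1.3"
        suites[code] = (c["name"], fs)
    return suites


def forward_secrecy_report(offered_codes, cipher_string=CIPHER_STRING):
    """Classify the suite codes a scanner saw the server offer, and list the
    forward-secret suites the cipher string permits that were never offered."""
    permitted = expand_cipher_string(cipher_string)
    # Everything the local OpenSSL knows, so offered codes outside the cipher
    # string (or outside this OpenSSL build, e.g. RC4) can still be named.
    catalog = expand_cipher_string("ALL:COMPLEMENTOFALL")
    report = {"fs_offered": [], "non_fs_offered": [], "unknown_offered": [],
              "fs_missing": []}
    for code in sorted(offered_codes):
        if code in catalog:
            name, fs = catalog[code]
            report["fs_offered" if fs else "non_fs_offered"].append((code, name))
        else:
            report["unknown_offered"].append(code)
    report["fs_missing"] = [(code, name) for code, (name, fs) in permitted.items()
                            if fs and code not in offered_codes]
    return report


if __name__ == "__main__":
    for label, offered in (("ATS", ATS_OFFERED), ("httpd", HTTPD_OFFERED)):
        r = forward_secrecy_report(offered)
        print(f"== {label}: {len(r['fs_offered'])} FS suites offered, "
              f"{len(r['non_fs_offered'])} non-FS, {len(r['fs_missing'])} permitted FS suites missing")
        for code, name in r["non_fs_offered"]:
            print(f"   non-FS  0x{code:04x} {name}")
        for code, name in r["fs_missing"]:
            print(f"   missing 0x{code:04x} {name}")
```

Run against the ATS scan the report shows no forward-secret suite offered at all, while the same string permits every DHE and ECDHE suite the local OpenSSL has, which is the point of the message: the cipher string is not what is holding ATS back. The missing DHE suites need server-side DH parameters and the missing ECDHE suites need a configured curve, so those are the settings to check on the ATS side next.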