trafficserver-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Scott Beardsley <sbea...@yahoo-inc.com>
Subject Re: POODLE and ATS configs
Date Tue, 14 Oct 2014 23:23:03 GMT
Is there an easy way to quantify the impact before turning SSLv3 off? Maybe by looking at logs?


     On Tuesday, October 14, 2014 4:18 PM, Brian Geffon <briang@apache.org> wrote:
   

 cc: users@
For users who want to immediately disable SSLv3 you should only need to change proxy.config.ssl.SSLv3
in records.config to 0 and bounce traffic_server.
Brian
On Tue, Oct 14, 2014 at 4:13 PM, Leif Hedstrom <zwoop@apache.org> wrote:

Now that the POODLE is out of the bag, I think we should consider changing this for v5.1.1:

  {RECT_CONFIG, "proxy.config.ssl.SSLv3", RECD_INT, "1", RECU_RESTART_TS, RR_NULL, RECC_INT,
"[0-1]", RECA_NULL}


I believe this does have a drawback: certain browsers / UAs on some OSes might not have TLS
support. I think (but not 100% certain) that IE on Windows/XP is one such case?

Thoughts?

— Leif

http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html



   
Mime
View raw message