Subject: Re: POODLE and ATS configs
From: Leif Hedstrom
Date: Tue, 14 Oct 2014 21:02:13 -0600
To: users@trafficserver.apache.org
Cc: Scott Beardsley, dev@trafficserver.apache.org
Message-Id: <4D3E0F27-B2F8-458B-B943-DC738EDC73A7@apache.org>
References: <1568469102.6745.1413328983786.JavaMail.yahoo@jws10001b.mail.ne1.yahoo.com>

On Oct 14, 2014, at 5:25 PM, Jason J. W. Williams wrote:

> We've been running our sites with SSLv3 off for some time, since we
> only support IE7 and newer in our services.
>
> Disabling SSLv3 hurts folks who need to support IE6 clients primarily.

You still have the option to enable it, of course:

CONFIG proxy.config.ssl.SSLv3 INT 1

— Leif

>
> -J
>
> On Tue, Oct 14, 2014 at 4:23 PM, Scott Beardsley wrote:
>> Is there an easy way to quantify the impact before turning SSLv3 off? Maybe
>> by looking at logs?
>>
>>
>> On Tuesday, October 14, 2014 4:18 PM, Brian Geffon wrote:
>>
>>
>> cc: users@
>>
>> For users who want to immediately disable SSLv3 you should only need to
>> change proxy.config.ssl.SSLv3 in records.config to 0 and bounce
>> traffic_server.
>>
>> Brian
>>
>> On Tue, Oct 14, 2014 at 4:13 PM, Leif Hedstrom wrote:
>>
>> Now that the POODLE is out of the bag, I think we should consider changing
>> this for v5.1.1:
>>
>> {RECT_CONFIG, "proxy.config.ssl.SSLv3", RECD_INT, "1", RECU_RESTART_TS,
>> RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
>>
>>
>> I believe this does have a drawback: certain browsers / UAs on some OSes
>> might not have TLS support. I think (but not 100% certain) that IE on
>> Windows/XP is one such case?
>>
>> Thoughts?
>>
>> — Leif
>>
>> http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
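The thread turns on one records.config record, proxy.config.ssl.SSLv3, whose built-in default in the v5.1.0 RecordsConfig entry quoted above is "1" (enabled). The practical trap for a defender is therefore not a line that says INT 1 but a records.config that says nothing at all, because the default then leaves SSLv3 on. The following audit script is an added example written for this thread; it is not Apache Traffic Server code. It assumes the records.config line format shown in the thread ("CONFIG <name> <TYPE> <value>"), takes the default of 1 from the RECT_CONFIG line quoted above, treats the last occurrence of a duplicated key as the effective one (a simplification of this script, not a documented ATS rule), and uses small constructed sample configs for demonstration.

```python
"""Audit an Apache Traffic Server records.config for SSLv3 exposure.

Added example, not ATS project code. Assumes the "CONFIG <name> <TYPE> <value>"
line format from the thread and that an absent proxy.config.ssl.SSLv3 record
falls back to the built-in default "1" quoted from the v5.1.0 RECT_CONFIG entry.
"""
import re
import sys

SSLV3_KEY = "proxy.config.ssl.SSLv3"
SSLV3_DEFAULT = 1  # built-in default "1" per the RECT_CONFIG line in the thread

# "CONFIG <name> <TYPE> <value>"; STRING values may contain spaces, so the
# value group runs to end of line. LOCAL records use the same layout.
_RECORD_RE = re.compile(r"^\s*(CONFIG|LOCAL)\s+(\S+)\s+(INT|STRING|FLOAT)\s+(.+?)\s*$")


def parse_records_config(text):
    """Return {record_name: (type, raw_value)} for every record line.

    Blank lines and full-line '#' comments are skipped. When a key appears
    more than once, the last occurrence wins (this script's own simplification).
    Any other line shape is an error: a typo in a security-relevant record
    should fail the audit loudly rather than be silently ignored.
    """
    records = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _RECORD_RE.match(line)
        if not match:
            raise ValueError(f"line {lineno}: unrecognised records.config line: {raw!r}")
        _scope, name, rtype, value = match.groups()
        records[name] = (rtype, value)
    return records


def sslv3_status(records):
    """Return (enabled, source) for proxy.config.ssl.SSLv3.

    'source' states whether the verdict came from an explicit record or from
    the built-in default, because the absent-key case is the one that is easy
    to miss when reviewing a config by eye.
    """
    if SSLV3_KEY not in records:
        return SSLV3_DEFAULT == 1, "default (key absent from records.config)"
    rtype, value = records[SSLV3_KEY]
    if rtype != "INT":
        raise ValueError(f"{SSLV3_KEY} must be INT, got {rtype}")
    if value not in ("0", "1"):
        # Mirrors the "[0-1]" check string in the RECT_CONFIG entry.
        raise ValueError(f"{SSLV3_KEY} must be 0 or 1, got {value!r}")
    return value == "1", f"explicit ({SSLV3_KEY} {rtype} {value})"


def audit(text):
    """Parse a records.config body and return (enabled, human-readable verdict)."""
    enabled, source = sslv3_status(parse_records_config(text))
    verdict = "SSLv3 ENABLED (POODLE-exposed)" if enabled else "SSLv3 disabled"
    return enabled, f"{verdict}: {source}"


# Constructed sample configs for demonstration; not from any real deployment.
SAMPLE_DEFAULT = """\
# records.config with no SSLv3 record: the built-in default applies
CONFIG proxy.config.proxy_name STRING cache.example.test
CONFIG proxy.config.http.server_ports STRING 8080 443:ssl
"""
SAMPLE_HARDENED = SAMPLE_DEFAULT + "CONFIG proxy.config.ssl.SSLv3 INT 0\n"
SAMPLE_REENABLED = SAMPLE_HARDENED + "CONFIG proxy.config.ssl.SSLv3 INT 1\n"


if __name__ == "__main__":
    # Usage: python audit_sslv3.py [path/to/records.config]
    # Exit status 1 when SSLv3 is enabled, so it can gate a deploy pipeline.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            body = fh.read()
    else:
        body = SAMPLE_DEFAULT
    is_enabled, message = audit(body)
    print(message)
    sys.exit(1 if is_enabled else 0)
```

Run it against a real records.config and the non-zero exit status on "enabled" makes the check usable as a pre-deploy gate; the verdict string spells out whether the exposure comes from an explicit INT 1 or merely from the key being absent, which is exactly the case the default of "1" discussed in the thread creates.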