Mailing-List: contact users-help@trafficserver.apache.org; run by ezmlm
Precedence: bulk
Reply-To: users@trafficserver.apache.org
Received-SPF: pass (nike.apache.org: domain of h.reindl@thelounge.net
 designates 91.118.73.15 as permitted sender)
Message-ID: <543DB2BD.6050003@thelounge.net>
Date: Wed, 15 Oct 2014 01:33:17 +0200
From: Reindl Harald <h.reindl@thelounge.net>
Organization: the lounge interactive design
User-Agent: Mozilla/5.0 (X11; Linux x86_64;
 rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: users@trafficserver.apache.org
Subject: Re: POODLE and ATS configs
References: 
 <CAFKFyq7O_cXEXofQYQYAVxy7z8o+u4Zvd+9ksHUBLfD6Mdx1RA@mail.gmail.com>
	<1568469102.6745.1413328983786.JavaMail.yahoo@jws10001b.mail.ne1.yahoo.com>
 <CAHZAEpdxNBakiFiiiZvmDhu9OBNMd8go1tXP2dBwLFiR7cGjKg@mail.gmail.com>
In-Reply-To: 
 <CAHZAEpdxNBakiFiiiZvmDhu9OBNMd8go1tXP2dBwLFiR7cGjKg@mail.gmail.com>
OpenPGP: id=7F780279;
	url=http://arrakis.thelounge.net/gpg/h.reindl_thelounge.net.pub.txt
Content-Type: multipart/signed; micalg=pgp-sha1;
 protocol="application/pgp-signature";
 boundary="pjrNieB7uTuWhc6FKfpTemMhSHuNkkG1G"

This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--pjrNieB7uTuWhc6FKfpTemMhSHuNkkG1G
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: quoted-printable


Am 15.10.2014 um 01:25 schrieb Jason J. W. Williams:
> We've been running our sites with SSLv3 off for sometime, since we
> only support IE7 and newer in our services.
>
> Disabling SSLv3 hurts folks who need to support IE6 clients primarily.

if they really do need MSIE6 it's one checkbox in the settings to enable =

TLS which i do at least since 2003 on every windows setup hence i was=20
shocked to get a complaint about disable ssl3 while all my test VM's=20
worked just fine

that was before EOL of WinXP
these days i would respond with "get rid of it or RTFM and enable TLS"

> On Tue, Oct 14, 2014 at 4:23 PM, Scott Beardsley <sbeards@yahoo-inc.com=
> wrote:
>> Is there an easy way to quantify the impact before turning SSLv3 off? =
Maybe
>> by looking at logs?
>>
>>
>> On Tuesday, October 14, 2014 4:18 PM, Brian Geffon <briang@apache.org>=

>> wrote:
>>
>>
>> cc: users@
>>
>> For users who want to immediately disable SSLv3 you should only need t=
o
>> change proxy.config.ssl.SSLv3 in records.config to 0 and bounce
>> traffic_server.
>>
>> Brian
>>
>> On Tue, Oct 14, 2014 at 4:13 PM, Leif Hedstrom <zwoop@apache.org> wrot=
e:
>>
>> Now that the POODLE is out of the bag, I think we should consider chan=
ging
>> this for v5.1.1:
>>
>>    {RECT_CONFIG, "proxy.config.ssl.SSLv3", RECD_INT, "1", RECU_RESTART=
_TS,
>> RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
>>
>>
>> I believe this does have a drawback: certain browsers / UAs on some OS=
es
>> might not have TLS support. I think (but not 100% certain) that IE on
>> Windows/XP is one such case?
>>
>> Thoughts?
>>
>> =E2=80=94 Leif
>>
>> http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exp=
loiting-ssl-30.html


--pjrNieB7uTuWhc6FKfpTemMhSHuNkkG1G
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iEYEARECAAYFAlQ9sr0ACgkQhmBjz394AnmNoACbBpOBYR9Ev53xI2Bn0oKJLtcX
gBwAnjRtIuzO2Yv/OF4/IxurNkw65I+/
=P6MR
-----END PGP SIGNATURE-----

--pjrNieB7uTuWhc6FKfpTemMhSHuNkkG1G--