From: Reindl Harald
Organization: the lounge interactive design
To: users@trafficserver.apache.org
Date: Thu, 06 Nov 2014 10:42:24 +0100
Subject: Re: ssl questions
Message-ID: <545B4280.3060709@thelounge.net>
In-Reply-To: <77193446-F895-4387-9021-7320DCF32C36@apache.org>

On 20.10.2014 at 21:50, James Peach wrote:
>> On Oct 20, 2014, at 8:49 AM, Reindl Harald wrote:
>>
>> HTTPD: SSL 2 handshake compatibility Yes
>> TS: SSL 2 handshake compatibility No
>
> We disabled SSLv2 by default on TS-787, Tue May 17 15:34:41 2011.

that is *not* the same, and frankly that breaks not only "ab" but also older browsers - please look at the thread below; handshake compatibility != protocol

i have disabled sslv2 *and* sslv3 on any httpd without breaking older clients, and combined with the fact that ATS doesn't support DHE ciphers, "ssllabs" lists *a lot* of clients not able to talk to ATS over TLS

http://comments.gmane.org/gmane.comp.apache.devel/54510

>> can that be the reason "ab -c 100 -n 100000" fails against an ATS?
>> keep in mind that doesn't mean sslv3 or even sslv2 are enabled!
>
> Not really sure about that, but should be easy to test when I get a minute.

see above

>> HTTPD: Heartbeat (extension) Yes
>> TS: Heartbeat (extension) No
>>
>> how does ATS do that using the same openssl binaries?
>> "OPENSSL_NO_HEARTBEATS=1" as ENV doesn't disable it for httpd
>
> You need to set OPENSSL_NO_HEARTBEATS=1 at OpenSSL build time

i know but.....

> I don't know why we would not be vulnerable to heartbleed with a vulnerable OpenSSL version. I poked around in OpenSSL and mod_ssl for a while and AFAICT heart beats are enabled by default. I didn't see any special knob that would turn it on.

but https://www.ssllabs.com/ssltest/ says "Heartbeat (extension) No" on a Fedora 20 machine with ATS and the same OS and SSL binaries as httpd
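Two points in the thread above are easier to see on the wire than in prose: an "SSL 2 handshake compatibility" ClientHello (the SSLv2 message layout that older OpenSSL-based clients such as "ab" send) can advertise TLS 1.0 as its protocol, so rejecting the layout is not the same as disabling the SSLv2 protocol; and SSL Labs' "Heartbeat (extension) Yes/No" is simply whether the server's hello carries the RFC 6520 heartbeat extension (type 15). The following parser is an added example for this archive, not code from the thread, from ATS or from httpd; it decodes hand-constructed hello messages offline and reports the layout, the advertised version and the extensions present. The helper functions `sslv2_compat_hello` and `record_hello` exist only to build those sample messages.

```python
"""Inspect SSL/TLS hello messages offline (added example, constructed input).

parse_hello() distinguishes the SSLv2-format (2-byte header) ClientHello from
an SSLv3/TLS record-layer hello, reports the highest protocol version the
message offers, and lists hello extensions so the heartbeat extension
(type 15, RFC 6520) can be spotted in a ServerHello.
"""
import struct

VERSION_NAMES = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLS 1.0",
                 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
HEARTBEAT_EXT = 0x000F  # extension type registered by RFC 6520


def version_name(v):
    return VERSION_NAMES.get(v, "unknown(0x%04x)" % v)


def parse_hello(data):
    """Return {'format', 'version', 'cipher_suites', 'extensions'} for a hello.

    'format' is 'sslv2' for the SSLv2 message layout or 'record' for an
    SSLv3/TLS record. Note that 'version' of an SSLv2-format hello is the
    highest version the client offers, usually not SSLv2 itself.
    """
    if len(data) < 2:
        raise ValueError("truncated")
    if data[0] & 0x80:
        # SSLv2 header: 15-bit length, then msg_type(1) version(2)
        # cipher_spec_len(2) session_id_len(2) challenge_len(2) + payloads
        length = ((data[0] & 0x7F) << 8) | data[1]
        body = data[2:2 + length]
        if len(body) < 9 or body[0] != 0x01:
            raise ValueError("not an SSLv2 CLIENT-HELLO")
        version, cs_len, sid_len, ch_len = struct.unpack("!HHHH", body[1:9])
        if len(body) < 9 + cs_len + sid_len + ch_len:
            raise ValueError("SSLv2 CLIENT-HELLO length fields exceed body")
        specs = body[9:9 + cs_len]
        # SSLv2 cipher specs are 3 bytes; a leading 0x00 byte marks an
        # SSLv3/TLS cipher suite carried inside the compatible hello.
        suites = [specs[i:i + 3].hex() for i in range(0, len(specs), 3)]
        # The SSLv2 layout has no room for extensions at all.
        return {"format": "sslv2", "version": version,
                "cipher_suites": suites, "extensions": {}}
    if data[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    hs_type, hs_len = hs[0], int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                      # skip the 32-byte random
    sid_len = body[pos]; pos += 1 + sid_len
    if hs_type == 0x01:               # ClientHello: suite list + compression list
        cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        suites = [body[i:i + 2].hex() for i in range(pos, pos + cs_len, 2)]
        pos += cs_len
        comp_len = body[pos]; pos += 1 + comp_len
    elif hs_type == 0x02:             # ServerHello: one suite + one compression
        suites = [body[pos:pos + 2].hex()]; pos += 3
    else:
        raise ValueError("not a hello message")
    extensions = {}
    if pos + 2 <= len(body):          # extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
            extensions[etype] = body[pos:pos + elen]; pos += elen
    return {"format": "record", "version": version,
            "cipher_suites": suites, "extensions": extensions}


def heartbeat_enabled(hello):
    """True if the hello advertises the RFC 6520 heartbeat extension, which is
    what SSL Labs reports as 'Heartbeat (extension) Yes'."""
    return HEARTBEAT_EXT in hello["extensions"]


# --- constructed sample messages (not captured traffic) -------------------
def sslv2_compat_hello(version=0x0301, suites=(b"\x00\x00\x2f", b"\x00\x00\x35")):
    """SSLv2-layout CLIENT-HELLO that nevertheless offers TLS 1.0."""
    specs, challenge = b"".join(suites), b"\x11" * 16
    body = b"\x01" + struct.pack("!HHHH", version, len(specs), 0, len(challenge))
    body += specs + challenge
    return bytes([0x80 | (len(body) >> 8), len(body) & 0xFF]) + body


def record_hello(hs_type, version, extensions):
    """Minimal record-layer ClientHello (0x01) or ServerHello (0x02)."""
    ext = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in extensions.items())
    body = struct.pack("!H", version) + b"\x22" * 32 + b"\x00"   # random, empty sid
    body += (struct.pack("!H", 2) + b"\x00\x2f" + b"\x01\x00") if hs_type == 0x01 \
        else (b"\x00\x2f" + b"\x00")
    if extensions:
        body += struct.pack("!H", len(ext)) + ext
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    compat = parse_hello(sslv2_compat_hello())
    print(compat["format"], version_name(compat["version"]), compat["cipher_suites"])
    srv = parse_hello(record_hello(0x02, 0x0301, {HEARTBEAT_EXT: b"\x01"}))
    print("heartbeat advertised:", heartbeat_enabled(srv))
```

Fed the bytes of a handshake captured from your own server, `parse_hello` on the ServerHello answers the heartbeat question the same way SSL Labs does, and on the ClientHello it shows why a server that refuses the SSLv2 layout turns away a client that only ever wanted TLS 1.0.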