This is an automated email from the ASF dual-hosted git repository.
neuman pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficcontrol.git
The following commit(s) were added to refs/heads/master by this push:
new 9718699 Set Traffic Router to only accept TLSv1.1 and TLSv1.2 (#5547)
9718699 is described below
commit 9718699496098978ad615b20a1ad55dedee777e4
Author: Hank Beatty <[email protected]>
AuthorDate: Fri Feb 19 12:37:24 2021 -0500
Set Traffic Router to only accept TLSv1.1 and TLSv1.2 (#5547)
The reason I did not turn off TLSv1.1 is because I had some issues getting
things to work correctly with it off. The reason I did not turn on TLSv1.3 is
because it is not supported in CentOS 7.
TLSv1 and TLSv1.1 have been deprecated by all the major browsers since
March of 2020. We might want to look at logging the negotiated protocol if that
hasn't already been done.
---
CHANGELOG.md | 1 +
traffic_router/core/src/main/conf/server.xml | 4 ++--
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8f7cc0e..a175f30 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -65,6 +65,7 @@ The format is based on [Keep a
Changelog](http://keepachangelog.com/en/1.0.0/).
- Pinned external actions used by Documentation Build and TR Unit Tests
workflows to commit SHA-1 and the Docker image used by the Weasel workflow to a
SHA-256 digest
- Updated Flot libraries to supported versions
- [apache/trafficcontrol](https://github.com/apache/trafficcontrol) is now a
Go module
+- Set Traffic Router to only accept TLSv1.1 and TLSv1.2 protocols in server.xml
- Updated Apache Tomcat from 8.5.57 to 8.5.63
- Updated Apache Tomcat Native from 1.2.16 to 1.2.23
diff --git a/traffic_router/core/src/main/conf/server.xml
b/traffic_router/core/src/main/conf/server.xml
index 49750fb..ec36cee 100644
--- a/traffic_router/core/src/main/conf/server.xml
+++ b/traffic_router/core/src/main/conf/server.xml
@@ -40,11 +40,11 @@
<Connector port="3333"
protocol="com.comcast.cdn.traffic_control.traffic_router.protocol.LanguidNioProtocol"
maxThreads="10000"
connectionTimeout="10000"
mbeanPath="traffic-router:name=languidState" readyAttribute="Ready"
portAttribute="ApiPort"/>
<Connector port="3443"
protocol="com.comcast.cdn.traffic_control.traffic_router.protocol.LanguidNioProtocol"
maxThreads="10000"
- scheme="https" secure="true"
SSLEnabled="true" clientAuth="false" sslProtocol="TLS" connectionTimeout="10000"
+ scheme="https" secure="true"
SSLEnabled="true" clientAuth="false" sslProtocol="TLS"
protocols="TLSv1.1,TLSv1.2" connectionTimeout="10000"
mbeanPath="traffic-router:name=languidState"
readyAttribute="Ready" portAttribute="SecureApiPort" sendReasonPhrase="true"
sslImplementationName="com.comcast.cdn.traffic_control.traffic_router.protocol.RouterSslImplementation">
</Connector>
<Connector port="443"
protocol="com.comcast.cdn.traffic_control.traffic_router.protocol.LanguidNioProtocol"
maxThreads="10000"
- scheme="https" secure="true"
SSLEnabled="true" clientAuth="false" sslProtocol="TLS" connectionTimeout="10000"
+ scheme="https" secure="true"
SSLEnabled="true" clientAuth="false" sslProtocol="TLS"
protocols="TLSv1.1,TLSv1.2" connectionTimeout="10000"
mbeanPath="traffic-router:name=languidState"
readyAttribute="Ready" portAttribute="SecurePort" sendReasonPhrase="true"
sslImplementationName="com.comcast.cdn.traffic_control.traffic_router.protocol.RouterSslImplementation">
</Connector>
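Review bot: TLSv1.1 stays enabled on both the 3443 and 443 connectors (`protocols="TLSv1.1,TLSv1.2"`), so these listeners still negotiate a protocol that has no AEAD cipher suites and is deprecated by the IETF (RFC 8996); the commit message explains the exception but nothing in the config records it, and unless a known client population needs TLSv1.1 the attribute should read `protocols="TLSv1.2"`. If TLSv1.1 must remain for now, add an XML comment above each changed attribute such as `<!-- TLSv1.0 disabled; TLSv1.1 kept only for legacy clients, remove once negotiated-protocol logging shows no use -->` so the exception is not silently inherited by later edits. The Connector-level `protocols` attribute is only effective if `RouterSslImplementation` (not visible here) passes the SSLHostConfig protocol list through to the underlying engine, so it is worth confirming after deployment with an `openssl s_client -tls1` / `-tls1_1` probe against 443 rather than trusting the attribute alone. Lastly, the "TLSv1.3 not supported in CentOS 7" limitation presumably applies to the tomcat-native/OpenSSL 1.0.2 path only; on a JSSE engine OpenJDK 8u261+ or 11 on CentOS 7 does offer TLSv1.3, so verify which engine this connector actually uses before ruling it out.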