This is an automated email from the ASF dual-hosted git repository.

ocket8888 pushed a commit to branch 5.1.x
in repository https://gitbox.apache.org/repos/asf/trafficcontrol.git


The following commit(s) were added to refs/heads/5.1.x by this push:
     new 3210a39  Set Traffic Router to only accept TLSv1.1 and TLSv1.2 (#5547)
3210a39 is described below

commit 3210a3903d493c23306c725d1d95c84fbbbcbc7f
Author: Hank Beatty <[email protected]>
AuthorDate: Fri Feb 19 12:37:24 2021 -0500

    Set Traffic Router to only accept TLSv1.1 and TLSv1.2 (#5547)
    
    The reason I did not turn off TLSv1.1 is because I had some issues getting 
things to work correctly with it off. The reason I did not turn on TLSv1.3 is 
because it is not supported in CentOS 7.
    
    TLSv1 and TLSv1.1 have been deprecated by all the major browsers since 
March of 2020. We might want to look at logging the negotiated protocol if that 
hasn't already been done.
    
    (cherry picked from commit 9718699496098978ad615b20a1ad55dedee777e4)
---
 CHANGELOG.md                                 | 1 +
 traffic_router/core/src/main/conf/server.xml | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 15c5a02..a2dc9d9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -56,6 +56,7 @@ The format is based on [Keep a 
Changelog](http://keepachangelog.com/en/1.0.0/).
 =======
 - Updated Flot libraries to supported versions
 - [apache/trafficcontrol](https://github.com/apache/trafficcontrol) is now a 
Go module
+- Set Traffic Router to only accept TLSv1.1 and TLSv1.2 protocols in server.xml
 - Updated Apache Tomcat from 8.5.57 to 8.5.63
 - Updated Apache Tomcat Native from 1.2.16 to 1.2.23
 
diff --git a/traffic_router/core/src/main/conf/server.xml 
b/traffic_router/core/src/main/conf/server.xml
index 49750fb..ec36cee 100644
--- a/traffic_router/core/src/main/conf/server.xml
+++ b/traffic_router/core/src/main/conf/server.xml
@@ -40,11 +40,11 @@
                <Connector port="3333" 
protocol="com.comcast.cdn.traffic_control.traffic_router.protocol.LanguidNioProtocol"
 maxThreads="10000"
                                   connectionTimeout="10000" 
mbeanPath="traffic-router:name=languidState" readyAttribute="Ready" 
portAttribute="ApiPort"/>
                <Connector port="3443" 
protocol="com.comcast.cdn.traffic_control.traffic_router.protocol.LanguidNioProtocol"
 maxThreads="10000"
-                                  scheme="https" secure="true" 
SSLEnabled="true" clientAuth="false" sslProtocol="TLS" connectionTimeout="10000"
+                                  scheme="https" secure="true" 
SSLEnabled="true" clientAuth="false" sslProtocol="TLS" 
protocols="TLSv1.1,TLSv1.2" connectionTimeout="10000"
                                   mbeanPath="traffic-router:name=languidState" 
readyAttribute="Ready" portAttribute="SecureApiPort" sendReasonPhrase="true"
                                   
sslImplementationName="com.comcast.cdn.traffic_control.traffic_router.protocol.RouterSslImplementation">
 </Connector>
                <Connector port="443" 
protocol="com.comcast.cdn.traffic_control.traffic_router.protocol.LanguidNioProtocol"
 maxThreads="10000"
-                                  scheme="https" secure="true" 
SSLEnabled="true" clientAuth="false" sslProtocol="TLS" connectionTimeout="10000"
+                                  scheme="https" secure="true" 
SSLEnabled="true" clientAuth="false" sslProtocol="TLS" 
protocols="TLSv1.1,TLSv1.2" connectionTimeout="10000"
                                   mbeanPath="traffic-router:name=languidState" 
readyAttribute="Ready" portAttribute="SecurePort" sendReasonPhrase="true"
                                   
sslImplementationName="com.comcast.cdn.traffic_control.traffic_router.protocol.RouterSslImplementation">
                </Connector>
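Review bot: The new `protocols="TLSv1.1,TLSv1.2"` on the 3443 and 443 connectors still advertises TLSv1.1, which the commit message itself calls deprecated, and nothing in server.xml records why it was kept or when it should be dropped. Since the reason lives only in the commit message, add a comment next to each changed Connector so the next maintainer does not have to dig: `<!-- TLSv1.1 kept only for compatibility (see #5547); TLSv1.3 not available on CentOS 7. Re-evaluate and drop TLSv1.1 when possible. -->`. The unchanged `sslProtocol="TLS"` next to the new attribute is not contradictory (in Tomcat it selects the SSLContext while `protocols` restricts the negotiable versions), but it is worth verifying that the project's `LanguidNioProtocol`/`RouterSslImplementation` actually honors a `protocols` attribute on the Connector rather than the Tomcat-documented `sslEnabledProtocols` name — the hunk gives no evidence either way, so confirm by checking the negotiated versions on a running instance. Note also that no cipher list is configured in this hunk, so the effective suite set is whatever the SSL implementation defaults to.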
