Repository: trafficserver
Updated Branches:
  refs/heads/master 7785723e4 -> f9eb37260


TS-2400: Our default SSL cipher-suite advocates speed over security


Project: http://git-wip-us.apache.org/repos/asf/trafficserver/repo
Commit: http://git-wip-us.apache.org/repos/asf/trafficserver/commit/f9eb3726
Tree: http://git-wip-us.apache.org/repos/asf/trafficserver/tree/f9eb3726
Diff: http://git-wip-us.apache.org/repos/asf/trafficserver/diff/f9eb3726

Branch: refs/heads/master
Commit: f9eb372606fe1f86ba649e86539575bd30c17d07
Parents: 7785723
Author: Bryan Call <bc...@apache.org>
Authored: Thu May 22 11:53:08 2014 -0700
Committer: Bryan Call <bc...@apache.org>
Committed: Thu May 22 11:53:08 2014 -0700

----------------------------------------------------------------------
 CHANGES               | 2 ++
 mgmt/RecordsConfig.cc | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/trafficserver/blob/f9eb3726/CHANGES
----------------------------------------------------------------------
diff --git a/CHANGES b/CHANGES
index 5bcfa08..254cece 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,8 @@
                                                          -*- coding: utf-8 -*-
 Changes with Apache Traffic Server 5.0.0
 
+  *) [TS-2400] Our default SSL cipher-suite advocates speed over security
+
   *) [TS-2818] TSHttpTxnServerAddrSet() doesn't update the server port
 
   *) [TS-2793] Remove UnixNetVConnection::selected_next_protocol.

http://git-wip-us.apache.org/repos/asf/trafficserver/blob/f9eb3726/mgmt/RecordsConfig.cc
----------------------------------------------------------------------
diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
index 91ac5d7..d316a7c 100644
--- a/mgmt/RecordsConfig.cc
+++ b/mgmt/RecordsConfig.cc
@@ -1249,7 +1249,7 @@ RecordElement RecordsConfig[] = {
   ,
   {RECT_CONFIG, "proxy.config.ssl.number.threads", RECD_INT, "0", 
RECU_RESTART_TS, RR_NULL, RECC_NULL, NULL, RECA_NULL}
   ,
-  {RECT_CONFIG, "proxy.config.ssl.server.cipher_suite", RECD_STRING, 
"RC4-SHA:AES128-SHA:DES-CBC3-SHA:AES256-SHA:ALL:!aNULL:!EXP:!LOW:!MD5:!SSLV2:!NULL",
 RECU_RESTART_TS, RR_NULL, RECC_NULL, NULL, RECA_NULL}
+  {RECT_CONFIG, "proxy.config.ssl.server.cipher_suite", RECD_STRING, 
"ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2",
 RECU_RESTART_TS, RR_NULL, RECC_NULL, NULL, RECA_NULL}
   ,
   {RECT_CONFIG, "proxy.config.ssl.server.honor_cipher_order", RECD_INT, "0", 
RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
   ,
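Review bot: The new default string is missing a `:` between `DES-CBC3-SHA` and `!SRP`, so the last cipher and the first exclusion are fused into one token; it should read `...:AES256-SHA:DES-CBC3-SHA:!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2`. Whether the TLS library still splits the fused token as intended is not visible from this hunk, so the exclusion list should not depend on it. The list also newly names `RC4-MD5`, which the old default excluded through `!MD5`, and keeps `RC4-SHA` and `ECDHE-RSA-RC4-SHA`, which sits oddly with a change meant to favour security over speed. The context line for `proxy.config.ssl.server.honor_cipher_order` keeps its default of `"0"`, so presumably the client's preference still decides and the new ordering has little effect unless that default changes too. The `RecordsConfig[]` array starts and ends outside this hunk.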
