+1

We may need to also review the default settings for {{proxy.config.ssl.server.cipher_suite}} to make sure it's up-to-date and consistent with turning off TLSv1.1 and TLSv1.0?

Thanks,
Sudheer

On Tuesday, June 4, 2019, 3:14:09 PM PDT, Leif Hedstrom <zw...@apache.org> wrote:

> Hi all,
>
> in the spirit of https://tools.ietf.org/html/draft-ietf-tls-oldversions-deprecate-04 I’d like to propose that we change the defaults for our settings, to turn these two protocols off by default:
>
> proxy.config.ssl.TLSv1=0
> proxy.config.ssl.TLSv1_1=0
> proxy.config.ssl.client.TLSv1=0
> proxy.config.ssl.client.TLSv1_1=0
>
> The code / features will still be there, and can either be turned on globally, or (better IMO) turned on per SNI in ssl_server_name.yaml / sni.yaml.
>
> Any concerns / objections?
>
> — Leif
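An added example, not code from the thread or from the Traffic Server project: a small audit that reads a records.config excerpt (the `CONFIG <name> <type> <value>` line format), reports which of the four TLSv1/TLSv1_1 switches in Leif's proposal are still explicitly enabled or left unset (so the build default applies), and flags entries in `proxy.config.ssl.server.cipher_suite` of the kind Sudheer suggests reviewing. The sample input and the list of weak cipher markers are constructed assumptions.

```python
"""Audit an Apache Traffic Server records.config excerpt for legacy TLS settings."""

# Constructed sample excerpt in records.config format (CONFIG <name> <type> <value>);
# it is example input written for this example, not a file from the thread.
SAMPLE_RECORDS = """\
# legacy protocol switches
CONFIG proxy.config.ssl.TLSv1 INT 1
CONFIG proxy.config.ssl.TLSv1_1 INT 1
CONFIG proxy.config.ssl.client.TLSv1 INT 0
CONFIG proxy.config.ssl.server.cipher_suite STRING ECDHE-RSA-AES128-GCM-SHA256:RC4-SHA:!DES-CBC3-SHA
"""

LEGACY_TLS_KEYS = (
    "proxy.config.ssl.TLSv1",
    "proxy.config.ssl.TLSv1_1",
    "proxy.config.ssl.client.TLSv1",
    "proxy.config.ssl.client.TLSv1_1",
)
CIPHER_KEY = "proxy.config.ssl.server.cipher_suite"
# Assumed markers for cipher families that do not belong in a TLS 1.2+ only configuration.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT")


def parse_records(text):
    """Return {name: value} for CONFIG lines; INT values are converted to int."""
    records = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)  # maxsplit keeps spaces inside STRING values
        if len(parts) != 4 or parts[0] != "CONFIG":
            continue
        _, name, rtype, value = parts
        records[name] = int(value) if rtype == "INT" else value
    return records


def audit_tls(records):
    """Return (legacy keys explicitly on, legacy keys unset, weak cipher entries)."""
    enabled = [k for k in LEGACY_TLS_KEYS if records.get(k) == 1]
    unset = [k for k in LEGACY_TLS_KEYS if k not in records]  # build default applies
    weak = []
    for entry in records.get(CIPHER_KEY, "").split(":"):
        if not entry or entry[0] in "!-":  # '!' and '-' entries exclude a cipher
            continue
        if any(marker in entry for marker in WEAK_CIPHER_MARKERS):
            weak.append(entry)
    return enabled, unset, weak


if __name__ == "__main__":
    on, unset, weak = audit_tls(parse_records(SAMPLE_RECORDS))
    print("legacy TLS explicitly on:", on)
    print("legacy TLS not set (build default applies):", unset)
    print("weak cipher entries:", weak)
```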