[ 
https://issues.apache.org/jira/browse/TS-2400?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13871818#comment-13871818
 ] 

Igor Galić commented on TS-2400:
--------------------------------

I've been actively testing a similar setup for my browser and today I ran into 
the first instance I cannot comprehend, at all:

With SSLv3 (protocol) disabled, but with enough cipher-suite overlap, *and* 
protocol overlap, I was not able to negotiate a connection. Troubling. 
Especially considering the [site uses 
SNI|https://www.ssllabs.com/ssltest/analyze.html?d=animeftw.tv]. I'd like to 
find out the reasons; so far I'm baffled. I thought we could just get rid of 
SSLv3, apparently I'm wrong.

I'm suspecting the difference to be in the initial sending of an SSLv3 Client 
Hello, vs a TLS Client Hello. The server accepts the SSLv3 hello but not the 
TLS Client Hello, and then proceeds to negotiate CAMELLIA-256 with my browser. 
That's just plain weird.

But especially considering that ATS needs to speak SSL both ways (as 
forward/transparent proxy in client mode and in reverse proxy mode as server), 
I need to either reconsider my stance on disabling SSLv3 (at least as Protocol)

> Our default SSL cipher-suite advocates speed over security
> ----------------------------------------------------------
>
>                 Key: TS-2400
>                 URL: https://issues.apache.org/jira/browse/TS-2400
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: Configuration, SSL
>            Reporter: Igor Galić
>            Assignee: Igor Galić
>             Fix For: 4.2.0
>
>
> Our default cipher-suite advocates speed over security:
> {code}
> RC4-SHA:AES128-SHA:DES-CBC3-SHA:AES256-SHA:ALL:!aNULL:!EXP:!LOW:!MD5:!SSLV2:!NULL
> {code}
> Worse yet, it still has RC4 in there, along with some other bad defaults. RC4 
> must be eradicated: 
> https://blogs.technet.com/b/srd/archive/2013/11/12/security-advisory-2868725-recommendation-to-disable-rc4.aspx?Redirected=true
> We should by default advocate security, which means, we should advocate 
> Perfect Forward Secrecy, which means we should also advocate OpenSSL >= 
> 1.0.1e 



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
