This should go into 4.2, I think?
> On Feb 27, 2014, at 3:41 PM, "ASF subversion and git services (JIRA)" <[email protected]> wrote:
>
>
> [ https://issues.apache.org/jira/browse/TS-2569?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13915138#comment-13915138 ]
>
> ASF subversion and git services commented on TS-2569:
> -----------------------------------------------------
>
> Commit 963982e432a6fa5ef0f1968904c75571a3f6befb in trafficserver's branch refs/heads/master from [~rwbarber2]
> [ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=963982e ]
>
> TS-2569: set the default SSL options correctly
>
> We discovered that the proxy.config.ssl.server.honor_cipher_order=1
> setting was not working correctly. After investigating it was
> determined that if you do not have a dest_ip=* in the ssl_multicert.config
> file then the server cipher order setting will not be honored. The
> proposed fix (which works) is to initialize the default context with
> the necessary SSL options.
>
>
>> ssl options are ignored if ssl_multicert.config does not contain an entry with dest_ip=*
>> -----------------------------------------------------------------------------------------
>>
>> Key: TS-2569
>> URL: https://issues.apache.org/jira/browse/TS-2569
>> Project: Traffic Server
>> Issue Type: Bug
>> Components: SSL
>> Reporter: Ron Barber
>> Assignee: Ron Barber
>> Labels: Review
>> Fix For: 5.0.0
>>
>> Attachments: TS-2569.patch
>>
>>
>> We discovered that the proxy.config.ssl.server.honor_cipher_order=1 setting
>> was not working correctly. After investigating it was determined that if
>> you do not have a dest_ip=* in the ssl_multicert.config file then the server
>> cipher order setting will not be honored.
>>
>> ssl_multicert.config
>> dest_ip=192.168.214.131 ssl_cert_name=cert.pem
>>
>> records.config
>> CONFIG proxy.config.ssl.server.cipher_suite STRING RC4-SHA:AES128-SHA:DES-CBC3-SHA:AES256-SHA:ALL:!NULL
>> CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
>>
>> Result (client selection is honored):
>> % echo | openssl s_client -connect 192.168.214.131:443 -cipher 'AES128-SHA:RC4-SHA' 2>&1 | grep 'Cipher is'
>> New, TLSv1/SSLv3, Cipher is AES128-SHA
>> % echo | openssl s_client -connect 192.168.214.131:443 -cipher 'RC4-SHA:AES128-SHA' 2>&1 | grep 'Cipher is'
>> New, TLSv1/SSLv3, Cipher is RC4-SHA
>
>
>
> --
> This message was sent by Atlassian JIRA
> (v6.1.5#6160)
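
The two `s_client` probes quoted above can be turned into a repeatable check for whether `honor_cipher_order` is actually applied. This is an added example, not part of the original thread or of the Traffic Server code; the function names are hypothetical, and the sample lines are the outputs quoted in the report.

```shell
#!/bin/sh
# Added example; the function names are hypothetical, not Traffic Server tooling.

# Read `openssl s_client` output on stdin, print the negotiated cipher name.
negotiated_cipher() {
    sed -n 's/.*Cipher is \([^ ]*\).*/\1/p' | head -n 1
}

# Print the first entry of the server's list ($1) that the client ($2) also offers.
# Only literal cipher names are matched; keywords such as ALL are skipped.
expected_cipher() {
    old_ifs=$IFS; IFS=:
    for s in $1; do
        for c in $2; do
            if [ "$s" = "$c" ]; then IFS=$old_ifs; echo "$s"; return 0; fi
        done
    done
    IFS=$old_ifs
    return 1
}

# classify SERVER_LIST CLIENT_LIST OBSERVED
#   server-order  the server's preference decided the cipher
#   client-order  the client's first choice won: honor_cipher_order not applied
#   ambiguous     both sides prefer the same cipher, so the probe proves nothing
#   inconclusive  no literal cipher in common, or the handshake failed
classify() {
    want=$(expected_cipher "$1" "$2") || { echo inconclusive; return 0; }
    client_first=${2%%:*}
    if [ "$want" = "$client_first" ]; then echo ambiguous
    elif [ "$3" = "$want" ]; then echo server-order
    elif [ "$3" = "$client_first" ]; then echo client-order
    else echo inconclusive
    fi
}

# Live probe, using the same s_client invocation as the report.
probe() {  # probe HOST:PORT CLIENT_LIST
    echo | openssl s_client -connect "$1" -cipher "$2" 2>&1 | negotiated_cipher
}

# Values from the report: server list from records.config, observed output lines.
SERVER_LIST='RC4-SHA:AES128-SHA:DES-CBC3-SHA:AES256-SHA:ALL:!NULL'
seen=$(echo 'New, TLSv1/SSLv3, Cipher is AES128-SHA' | negotiated_cipher)
echo "AES128-SHA first: $(classify "$SERVER_LIST" 'AES128-SHA:RC4-SHA' "$seen")"
seen=$(echo 'New, TLSv1/SSLv3, Cipher is RC4-SHA' | negotiated_cipher)
echo "RC4-SHA first:    $(classify "$SERVER_LIST" 'RC4-SHA:AES128-SHA' "$seen")"
```

Only the probe whose first cipher differs from the server's first choice distinguishes the two behaviours; the `RC4-SHA`-first probe returns `RC4-SHA` whether or not the option is honored.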
