Hey Shmulik,
I put my responses inline. Hopefully someone will correct me if I got
something wrong.
Let me know if you have more questions.

On Tue, Aug 8, 2017 at 12:26 AM, Shmulik Asafi <shmul...@qwilt.com> wrote:

> We're working on tightening our SSL cipher suites for TC installation and
> I have two broad questions in this regard:
> 1 - What are the recommendations on enabled TLS protocols and cipher
> suites for the control plane components (e.g. Traffic Ops) and for the data
> plane components (i.e. Traffic Router and caches)? I assume the data plane
> must be looser to handle older clients, but would really appreciate actual
> practices you have in the field for TC. Also, does the default meet those
> recommendations?
[DN] The cipher suites for TO are defined in the connection string in the
cdn.conf file. It looks like the default is
We use the default Java cipher suites for TR. You can find that list here:
The cipher suites for ATS are defined in a param called CONFIG
proxy.config.ssl.server.cipher_suite. It looks like the default is:

  { "config_file": "records.config", "name": "CONFIG proxy.config.ssl.server.cipher_suite", "value": "STRING

> 2 - What's the proper way to configure this in the different components in
> case we want to move from the defaults?
For TO I think all you need to do is change the ciphers param on the
connection string.
For TR you will need to add a ciphers configuration to the server.xml. More
information here: https://tomcat.apache.org/tomcat-8.5-doc/config/http.html
For ATS all you should need to do is update the param I listed above.

> Thanks!
> --
> *Shmulik Asafi*

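Added example for the ATS part of the answer above (it is not code from the thread or from the Traffic Control project): a small lint that checks an OpenSSL-style cipher list before it is pushed into the records.config parameter, and builds the parameter in the same shape as the fragment quoted in the reply. It assumes the parameter value is the records.config type tag followed by the cipher list ("STRING <cipher-list>"), as that fragment shows; the sample cipher list and the lists of weak patterns and recommended exclusions are constructed for the example. Keyword tokens such as HIGH are not expanded here, so the lint complements, rather than replaces, `openssl ciphers -v` on the target host's OpenSSL.

```python
"""Lint and harden an OpenSSL cipher list destined for
CONFIG proxy.config.ssl.server.cipher_suite (records.config).

Added example, not Traffic Control project code.  Assumes the parameter
value has the form "STRING <cipher-list>", as in the thread's fragment.
"""

# Substrings that mark a cipher-list token as weak when it is *enabled*
# (constructed policy for this example; extend to taste).
WEAK_PATTERNS = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH", "LOW")

# Exclusion keywords a tightened list should state explicitly, in the
# order we append them (constructed policy for this example).
RECOMMENDED_EXCLUSIONS = ("aNULL", "eNULL", "EXPORT", "LOW", "MD5", "RC4", "3DES")

ATS_PARAM_NAME = "CONFIG proxy.config.ssl.server.cipher_suite"


def split_param_value(value):
    """Split a records.config parameter value into (type_tag, body)."""
    type_tag, _, body = value.partition(" ")
    return type_tag, body


def _tokens(cipher_list):
    return [t for t in cipher_list.split(":") if t]


def lint_cipher_list(cipher_list):
    """Return (enabled_weak, missing_exclusions) for an OpenSSL cipher list.

    enabled_weak: tokens that are enabled (not prefixed with '!' or '-')
                  and match a weak pattern.
    missing_exclusions: recommended '!' exclusions the list does not state.
    Keyword tokens (HIGH, DEFAULT, ...) are not expanded; use
    `openssl ciphers -v` on the host for the authoritative expansion.
    """
    tokens = _tokens(cipher_list)
    enabled = [t for t in tokens if not t.startswith(("!", "-"))]
    excluded = {t.lstrip("!-") for t in tokens if t.startswith(("!", "-"))}
    enabled_weak = [
        t for t in enabled if any(p in t.upper() for p in WEAK_PATTERNS)
    ]
    missing = [x for x in RECOMMENDED_EXCLUSIONS if x not in excluded]
    return enabled_weak, missing


def harden_cipher_list(cipher_list):
    """Drop enabled weak tokens and append the missing '!' exclusions."""
    enabled_weak, missing = lint_cipher_list(cipher_list)
    kept = [t for t in _tokens(cipher_list) if t not in enabled_weak]
    return ":".join(kept + ["!" + x for x in missing])


def build_ats_cipher_param(cipher_list):
    """Build the Traffic Ops parameter in the shape quoted in the thread."""
    return {
        "config_file": "records.config",
        "name": ATS_PARAM_NAME,
        "value": "STRING " + cipher_list,
    }


if __name__ == "__main__":
    # Constructed sample: one good suite, two weak ones, one exclusion.
    sample = "ECDHE-RSA-AES128-GCM-SHA256:RC4-SHA:DES-CBC3-SHA:!aNULL"
    weak, missing = lint_cipher_list(sample)
    print("enabled weak suites:", weak)
    print("missing exclusions :", missing)
    hardened = harden_cipher_list(sample)
    print("hardened list      :", hardened)
    print("TO parameter       :", build_ats_cipher_param(hardened))
```

Run the script as-is to see the lint on the constructed sample; in practice, feed it the body returned by `split_param_value` for the parameter value you pull from Traffic Ops, and only then write the hardened value back.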