Am 30.01.2014 17:32, schrieb James Peach: > On Jan 30, 2014, at 8:29 AM, Reindl Harald <[email protected]> wrote: >> >> Am 30.01.2014 17:05, schrieb James Peach: >>> On Jan 30, 2014, at 6:38 AM, Reindl Harald <[email protected]> wrote: >>> >>>> Am 30.01.2014 15:19, schrieb Uri Shachar: >>>>> On Thu, 30 Jan 2014 14:47:10 +0100 Reindl Harald wrote: >>>>>> one remaining issue currently is that DHE/ECDHE seems not to be supported >>>>>> while httpd/openssl with the same environment do >>>>> >>>>> Added in 4.2.0 - Check out https://issues.apache.org/jira/browse/TS-2372 >>>> >>>> cool - thanks! >>> >>> Note that 4.3 only support ECDHE, TS-2417 is still open for other key types >> >> thanks for the information, good to know >> >> however, i am not sure if it should not simply pass >> "proxy.config.ssl.server.cipher_suite" to the underlying >> openssl layer and let it do the whole work > > It does, but that's not all that is needed for DHE to work
OK, good to know i now have configured one website with optional TLS and checked state of play trafficserver-4.1.2 with the ECDHE patch from yesterday https://www.ssllabs.com/ssltest/ ___________________________________________________ Secure Client-Initiated Renegotiation Supported DoS DANGER https://community.qualys.com/blogs/securitylabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks OCSP stapling No The server does not support Forward Secrecy with the reference browsers ___________________________________________________ CONFIG proxy.config.ssl.server.cipher_suite STRING ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!LOW:!MEDIUM ___________________________________________________ order of cipher-suite above ignored - actually bad Cipher Suites (sorted by strength; the server has no preference) TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41) 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) ECDH 256 bits (eq. 3072 bits RSA) FS 128 TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) 128 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH 256 bits (eq. 3072 bits RSA) FS 128 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH 256 bits (eq. 3072 bits RSA) FS 128 TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112 TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (0xc012) ECDH 256 bits (eq. 3072 bits RSA) FS 112 TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 256 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) ECDH 256 bits (eq. 3072 bits RSA) FS 256 TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) 256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH 256 bits (eq. 3072 bits RSA) FS 256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH 256 bits (eq. 3072 bits RSA) FS 256 ___________________________________________________ all in all that looks not too bad with the ECDHE patch, but the issues above should be reviewed is there a preferred bugreport where i should add the content of this message?
signature.asc
Description: OpenPGP digital signature
