thanks - deployed in production

TLS with ECDHE works now without patches
TLS with DHE still not supported

that means a lot of older clients can't connect

in context of DHE support in general that should work like for httpd
because Java6 which may be business relevant for applications
"Client does not support DH parameters > 1024 bits" which also
affects older Firefox versions in case 3072/4096 bit

so finally add the content of "ecdh_params.pem" to the PEM file
containing server cert, private key, certificate chain and any client
except Java6 works, if Java6 is important change the 2048 to 1024 on
line two
_______________________________________________________________

#!/usr/bin/bash
openssl ecparam -out /etc/pki/tl/ec.pem -name prime256v1   # named-curve parameters for ECDHE
openssl dhparam -out /etc/pki/tl/dh.pem -2 2048            # 2048-bit DH parameters, generator 2
cat /etc/pki/tl/ec.pem /etc/pki/tl/dh.pem > /etc/pki/tl/ecdh_params.pem
rm -f /etc/pki/tl/ec.pem
rm -f /etc/pki/tl/dh.pem
chown root:root /etc/pki/tl/*.pem
chmod 400 /etc/pki/tl/*.pem

# secp384r1:  NIST/SECG curve over a 384 bit prime field
# secp521r1:  NIST/SECG curve over a 521 bit prime field
# prime256v1: X9.62/SECG curve over a 256 bit prime field
_______________________________________________________________

On 20.03.2014 02:05, Phil Sorber wrote:
> Apache Traffic Server v4.2.0 Released
>
> The Apache Software Foundation and the Apache Traffic Server project
> are pleased to announce the release of Apache Traffic Server v4.2.0!
> This is our latest stable release, and is immediately available for
> download at
>
> http://trafficserver.apache.org/downloads
>
>
> Upgrading from the previous v3.2 release to v4.x should be done with
> care, since the cache is not backwards compatible. This means
> upgrading will cause the cache to be reinitialized. More details on
> upgrading are available on the Wiki:
>
> https://cwiki.apache.org/confluence/display/TS/Upgrading+to+v4.0
>
> Upgrading from 4.1.x should be seamless.
>
> There's a number of new features in this bugfix release. Details are available
> at
>
> https://cwiki.apache.org/confluence/display/TS/What%27s+new+in+v4.2.x
>
>
> Finally, this release marks a third cycle in the new release process,
> documented here:
>
> https://cwiki.apache.org/confluence/display/TS/New+Release+Processes
>
> 4.2.x will be the last minor version in the 4.x release and is a Long Term
> Support (LTS) release.
>
> Sincerely,
>
> -- The Apache Traffic Server community
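An added example, not part of the original message or of the Traffic Server project: a check that a PEM bundle like the "ecdh_params.pem" content described above really carries both parameter blocks, and that reports the DH prime size so a 1024-bit fallback does not go unnoticed. The function names, the 2048-bit default threshold (taken from the script) and the sample bundle with a dummy non-prime modulus are assumptions constructed for illustration.

```python
import base64, re

# DER-encoded named-curve OIDs (hex) for the curves listed in the script's comments.
CURVES = {"2a8648ce3d030107": "prime256v1",
          "2b81040022": "secp384r1", "2b81040023": "secp521r1"}
PEM_RE = re.compile(r"-----BEGIN ((?:DH|EC) PARAMETERS)-----(.*?)-----END \1-----", re.S)

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def inspect_params(pem_text, min_dh_bits=2048):
    """Report the DH prime size and EC curve name found in a PEM bundle."""
    report = {"dh_bits": None, "curve": None, "problems": []}
    for label, body in PEM_RE.findall(pem_text):   # certificates and keys are skipped
        tag, value, _ = read_tlv(base64.b64decode("".join(body.split())))
        if label == "DH PARAMETERS" and tag == 0x30:    # SEQUENCE { INTEGER p, INTEGER g }
            _, p, _ = read_tlv(value)
            report["dh_bits"] = int.from_bytes(p, "big").bit_length()
        elif label == "EC PARAMETERS" and tag == 0x06:  # OBJECT IDENTIFIER (named curve)
            report["curve"] = CURVES.get(value.hex(), "unlisted:" + value.hex())
    if report["dh_bits"] is None:
        report["problems"].append("no DH PARAMETERS block")
    elif report["dh_bits"] < min_dh_bits:
        report["problems"].append("DH prime is %d bits, below %d" % (report["dh_bits"], min_dh_bits))
    if report["curve"] is None:
        report["problems"].append("no EC PARAMETERS block")
    return report

def der(tag, content):
    """Minimal DER encoder, used only to build the constructed sample below."""
    n = len(content)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + content

def sample_bundle(bits):
    """Constructed input: prime256v1 block plus a dummy (non-prime) DH modulus of `bits` bits."""
    p = ((1 << (bits - 1)) | 1).to_bytes(bits // 8 + 1, "big")  # leading 0x00 keeps p positive
    dh = base64.encodebytes(der(0x30, der(0x02, p) + der(0x02, b"\x02"))).decode()
    return ("-----BEGIN EC PARAMETERS-----\nBggqhkjOPQMBBw==\n-----END EC PARAMETERS-----\n"
            "-----BEGIN DH PARAMETERS-----\n" + dh + "-----END DH PARAMETERS-----\n")
```

To check a real file, pass its text to `inspect_params()`; an empty `problems` list means both blocks are present and the DH prime meets the threshold.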
