On 20.10.2014 at 21:50, James Peach wrote:
> On Oct 20, 2014, at 8:49 AM, Reindl Harald wrote:
>> HTTPD: SSL 2 handshake compatibility Yes
>> TS: SSL 2 handshake compatibility No
>
> We disabled SSLv2 by default on TS-787, Tue May 17 15:34:41 2011.

but that has nothing to do with "SSL 2 handshake compatibility" i guess
https://www.ssllabs.com/ssltest/
compare the results of HTTPD / ATS both with no SSLv2 and SSLv3

>> can that be the reason "ab -c 100 -n 100000" fails to an ATS?
>> keep in mind that doesn't mean sslv3 or even sslv2 are enabled!
>
> Not really sure about that, but should be easy to test when I get a minute.

thanks!

>> HTTPD: Heartbeat (extension) Yes
>> TS: Heartbeat (extension) No
>> how does ATS that using the same openssl binaries?
>> "OPENSSL_NO_HEARTBEATS=1" as ENV doesn't disable it for httpd
>
> You need to set OPENSSL_NO_HEARTBEATS=1 at OpenSSL build time

i am aware of that sadly "OPENSSL_NO_DEFAULT_ZLIB=1" works as env-var for other historical issues

> I don't know why we would not be vulnerable to heartbleed with a vulnerable OpenSSL version. I poked around in OpenSSL and mod_ssl for a while and AFAICT heart beats are enabled by default. I didn't see any special knob that would turn it on.

well, i just compared https://www.ssllabs.com/ssltest/ against a pure HTTPD server and an ATS server on the same patch level with Fedora 20 and wondered that ATS is listed as "Heartbeat (extension) No" while HTTPD shows a yes
