On 25.04.2016 at 17:55, Phil Sorber wrote:
On Mon, Apr 25, 2016 at 3:33 AM Reindl Harald
just a notice again before i try to build with other flags
_____________________________________________
https://www.ssllabs.com/ssltest/
docs.trafficserver.apache.org
SSL 2 handshake compatibility Yes
I believe what is going on here is that we use SSLv23_server_method()
which will negotiate the highest version of TLS supported by both sides,
but does so with the SSLv2Hello handshake. This does not mean we
necessarily support SSLv2/3.
www.thelounge.net
SSL 2 handshake compatibility No
It is my understanding that HTTPD matches the server method to only
negotiate the version configured. This means it is using something like
TLSv1_2_server_method() which only supports the TLS1.2 handshake. What
is your HTTPD config?
as strict as the ATS configuration (see below) and so no reason for the current "ab" behavior
you can verify with https://www.ssllabs.com/ssltest/ the following two subdomains:
* secure.thelounge.net (httpd)
* www.thelounge.net (trafficserver)
_____________________________________
httpd:
SSLSessionCacheTimeout 900
SSLStaplingStandardCacheTimeout 86400
SSLStaplingErrorCacheTimeout 300
SSLStaplingReturnResponderErrors Off
SSLStaplingFakeTryLater Off
SSLProtocol All -SSLv2 -SSLv3
SSLFIPS Off
SSLCompression Off
SSLInsecureRenegotiation Off
SSLSessionTickets Off
SSLVerifyClient none
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!LOW:!MEDIUM
_____________________________________
Trafficserver:
CONFIG proxy.config.ssl.SSLv2 INT 0
CONFIG proxy.config.ssl.SSLv3 INT 0
CONFIG proxy.config.ssl.TLSv1 INT 1
CONFIG proxy.config.ssl.TLSv1_1 INT 1
CONFIG proxy.config.ssl.TLSv1_2 INT 1
CONFIG proxy.config.ssl.client.SSLv2 INT 1
CONFIG proxy.config.ssl.client.SSLv3 INT 1
CONFIG proxy.config.ssl.client.TLSv1 INT 1
CONFIG proxy.config.ssl.client.TLSv1_1 INT 1
CONFIG proxy.config.ssl.client.TLSv1_2 INT 1
CONFIG proxy.config.ssl.client.certification_level INT 0
CONFIG proxy.config.ssl.server.multicert.filename STRING ssl_multicert.config
CONFIG proxy.config.ssl.server.cert.path STRING /etc/trafficserver/ssl/
CONFIG proxy.config.ssl.server.private_key.path STRING /etc/trafficserver/ssl/
CONFIG proxy.config.ssl.CA.cert.path STRING /etc/trafficserver/ssl/
CONFIG proxy.config.ssl.server.cipher_suite STRING ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!LOW:!MEDIUM
CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
CONFIG proxy.config.ssl.server.dhparams_file STRING /etc/trafficserver/ssl/dhparams.pem
