Posted to commits@trafficcontrol.apache.org by ne...@apache.org on 2021/02/19 17:37:40 UTC

[trafficcontrol] branch master updated: Set Traffic Router to only accept TLSv1.1 and TLSv1.2 (#5547)

This is an automated email from the ASF dual-hosted git repository.

neuman pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficcontrol.git


The following commit(s) were added to refs/heads/master by this push:
     new 9718699  Set Traffic Router to only accept TLSv1.1 and TLSv1.2 (#5547)
9718699 is described below

commit 9718699496098978ad615b20a1ad55dedee777e4
Author: Hank Beatty <hb...@users.noreply.github.com>
AuthorDate: Fri Feb 19 12:37:24 2021 -0500

    Set Traffic Router to only accept TLSv1.1 and TLSv1.2 (#5547)
    
    The reason I did not turn off TLSv1.1 is because I had some issues getting things to work correctly with it off. The reason I did not turn on TLSv1.3 is because it is not supported in CentOS 7.
    
    TLSv1 and TLSv1.1 have been deprecated by all the major browsers since March of 2020. We might want to look at logging the negotiated protocol if that hasn't already been done.
---
 CHANGELOG.md                                 | 1 +
 traffic_router/core/src/main/conf/server.xml | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 8f7cc0e..a175f30 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -65,6 +65,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 - Pinned external actions used by Documentation Build and TR Unit Tests workflows to commit SHA-1 and the Docker image used by the Weasel workflow to a SHA-256 digest
 - Updated Flot libraries to supported versions
 - [apache/trafficcontrol](https://github.com/apache/trafficcontrol) is now a Go module
+- Set Traffic Router to only accept TLSv1.1 and TLSv1.2 protocols in server.xml
 - Updated Apache Tomcat from 8.5.57 to 8.5.63
 - Updated Apache Tomcat Native from 1.2.16 to 1.2.23
 
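Review bot: the new CHANGELOG line says what Traffic Router now accepts but not what it stops accepting; before this change the connectors set no protocol list at all, so an operator reading the entry cannot tell that TLSv1.0 clients will be refused after upgrading. Suggest making the dropped versions explicit, e.g. `- Set Traffic Router to only accept TLSv1.1 and TLSv1.2 protocols in server.xml (TLSv1.0 and older are no longer negotiated)`, and, as the commit message itself proposes, logging the negotiated protocol so any remaining TLSv1.0 clients can be found before the change is rolled out.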
diff --git a/traffic_router/core/src/main/conf/server.xml b/traffic_router/core/src/main/conf/server.xml
index 49750fb..ec36cee 100644
--- a/traffic_router/core/src/main/conf/server.xml
+++ b/traffic_router/core/src/main/conf/server.xml
@@ -40,11 +40,11 @@
 		<Connector port="3333" protocol="com.comcast.cdn.traffic_control.traffic_router.protocol.LanguidNioProtocol" maxThreads="10000"
 				   connectionTimeout="10000" mbeanPath="traffic-router:name=languidState" readyAttribute="Ready" portAttribute="ApiPort"/>
 		<Connector port="3443" protocol="com.comcast.cdn.traffic_control.traffic_router.protocol.LanguidNioProtocol" maxThreads="10000"
-				   scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS" connectionTimeout="10000"
+				   scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS" protocols="TLSv1.1,TLSv1.2" connectionTimeout="10000"
 				   mbeanPath="traffic-router:name=languidState" readyAttribute="Ready" portAttribute="SecureApiPort" sendReasonPhrase="true"
 				   sslImplementationName="com.comcast.cdn.traffic_control.traffic_router.protocol.RouterSslImplementation"> </Connector>
 		<Connector port="443" protocol="com.comcast.cdn.traffic_control.traffic_router.protocol.LanguidNioProtocol" maxThreads="10000"
-				   scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS" connectionTimeout="10000"
+				   scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS" protocols="TLSv1.1,TLSv1.2" connectionTimeout="10000"
 				   mbeanPath="traffic-router:name=languidState" readyAttribute="Ready" portAttribute="SecurePort" sendReasonPhrase="true"
 				   sslImplementationName="com.comcast.cdn.traffic_control.traffic_router.protocol.RouterSslImplementation">
 		</Connector>
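Review bot: `protocols` is the attribute Tomcat 8.5 documents on the `<SSLHostConfig>` element; the legacy attribute for restricting protocol versions directly on a `<Connector>` is `sslEnabledProtocols`. Tomcat maps the documented legacy Connector attributes onto the default SSLHostConfig, but whether a `protocols` attribute placed on the Connector is applied or silently ignored by the custom `LanguidNioProtocol` / `RouterSslImplementation` cannot be verified from this diff, and a silently ignored attribute would leave TLSv1.0 enabled while the CHANGELOG claims otherwise. Please either use the documented spelling `sslEnabledProtocols="TLSv1.1,TLSv1.2"` or confirm on a running instance that a TLSv1.0 handshake against ports 3443 and 443 is refused while TLSv1.2 still succeeds, ideally as a unit test so the restriction cannot regress on a Tomcat upgrade. The two connectors also now carry identical TLS settings that must be kept in sync by hand; a shared `<SSLHostConfig>` child would prevent them drifting apart, though that can be a separate change.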