Posted to dev@trafficserver.apache.org by Leif Hedstrom <zw...@apache.org> on 2014/10/15 01:13:06 UTC
POODLE and ATS configs
Now that the POODLE is out of the bag, I think we should consider changing this for v5.1.1:
{RECT_CONFIG, "proxy.config.ssl.SSLv3", RECD_INT, "1", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
I believe this does have a drawback: certain browsers / UAs on some OSes might not have TLS support. I think (but not 100% certain) that IE on Windows/XP is one such case?
Thoughts?
— Leif
http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
Re: POODLE and ATS configs
Posted by Leif Hedstrom <zw...@apache.org>.
On Oct 14, 2014, at 5:25 PM, Jason J. W. Williams <ja...@gmail.com> wrote:
> We've been running our sites with SSLv3 off for some time, since we
> only support IE7 and newer in our services.
>
> Disabling SSLv3 hurts folks who need to support IE6 clients primarily.
You still have the option to enable it, of course:
CONFIG proxy.config.ssl.SSLv3 INT 1
— Leif
>
> -J
>
> On Tue, Oct 14, 2014 at 4:23 PM, Scott Beardsley <sb...@yahoo-inc.com> wrote:
>> Is there an easy way to quantify the impact before turning SSLv3 off? Maybe
>> by looking at logs?
>>
>>
>> On Tuesday, October 14, 2014 4:18 PM, Brian Geffon <br...@apache.org>
>> wrote:
>>
>>
>> cc: users@
>>
>> For users who want to immediately disable SSLv3 you should only need to
>> change proxy.config.ssl.SSLv3 in records.config to 0 and bounce
>> traffic_server.
>>
>> Brian
>>
>> On Tue, Oct 14, 2014 at 4:13 PM, Leif Hedstrom <zw...@apache.org> wrote:
>>
>> Now that the POODLE is out of the bag, I think we should consider changing
>> this for v5.1.1:
>>
>> {RECT_CONFIG, "proxy.config.ssl.SSLv3", RECD_INT, "1", RECU_RESTART_TS,
>> RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
>>
>>
>> I believe this does have a drawback: certain browsers / UAs on some OSes
>> might not have TLS support. I think (but not 100% certain) that IE on
>> Windows/XP is one such case?
>>
>> Thoughts?
>>
>> — Leif
>>
>> http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
>>
>>
>>
>>
Re: POODLE and ATS configs
Posted by Reindl Harald <h....@thelounge.net>.
On 15.10.2014 at 01:25, Jason J. W. Williams wrote:
> We've been running our sites with SSLv3 off for some time, since we
> only support IE7 and newer in our services.
>
> Disabling SSLv3 hurts folks who need to support IE6 clients primarily.
If they really do need MSIE6, it's one checkbox in the settings to enable
TLS, which I have done since at least 2003 on every Windows setup; hence I was
shocked to get a complaint about disabling SSLv3 while all my test VMs
worked just fine.
That was before the EOL of WinXP.
These days I would respond with "get rid of it or RTFM and enable TLS".
> On Tue, Oct 14, 2014 at 4:23 PM, Scott Beardsley <sb...@yahoo-inc.com> wrote:
>> Is there an easy way to quantify the impact before turning SSLv3 off? Maybe
>> by looking at logs?
>>
>>
>> On Tuesday, October 14, 2014 4:18 PM, Brian Geffon <br...@apache.org>
>> wrote:
>>
>>
>> cc: users@
>>
>> For users who want to immediately disable SSLv3 you should only need to
>> change proxy.config.ssl.SSLv3 in records.config to 0 and bounce
>> traffic_server.
>>
>> Brian
>>
>> On Tue, Oct 14, 2014 at 4:13 PM, Leif Hedstrom <zw...@apache.org> wrote:
>>
>> Now that the POODLE is out of the bag, I think we should consider changing
>> this for v5.1.1:
>>
>> {RECT_CONFIG, "proxy.config.ssl.SSLv3", RECD_INT, "1", RECU_RESTART_TS,
>> RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
>>
>>
>> I believe this does have a drawback: certain browsers / UAs on some OSes
>> might not have TLS support. I think (but not 100% certain) that IE on
>> Windows/XP is one such case?
>>
>> Thoughts?
>>
>> — Leif
>>
>> http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
Re: POODLE and ATS configs
Posted by "Jason J. W. Williams" <ja...@gmail.com>.
We've been running our sites with SSLv3 off for some time, since we
only support IE7 and newer in our services.
Disabling SSLv3 hurts folks who need to support IE6 clients primarily.
-J
On Tue, Oct 14, 2014 at 4:23 PM, Scott Beardsley <sb...@yahoo-inc.com> wrote:
> Is there an easy way to quantify the impact before turning SSLv3 off? Maybe
> by looking at logs?
>
>
> On Tuesday, October 14, 2014 4:18 PM, Brian Geffon <br...@apache.org>
> wrote:
>
>
> cc: users@
>
> For users who want to immediately disable SSLv3 you should only need to
> change proxy.config.ssl.SSLv3 in records.config to 0 and bounce
> traffic_server.
>
> Brian
>
> On Tue, Oct 14, 2014 at 4:13 PM, Leif Hedstrom <zw...@apache.org> wrote:
>
> Now that the POODLE is out of the bag, I think we should consider changing
> this for v5.1.1:
>
> {RECT_CONFIG, "proxy.config.ssl.SSLv3", RECD_INT, "1", RECU_RESTART_TS,
> RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
>
>
> I believe this does have a drawback: certain browsers / UAs on some OSes
> might not have TLS support. I think (but not 100% certain) that IE on
> Windows/XP is one such case?
>
> Thoughts?
>
> — Leif
>
> http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
>
>
>
>
Re: POODLE and ATS configs
Posted by Scott Beardsley <sb...@yahoo-inc.com>.
Is there an easy way to quantify the impact before turning SSLv3 off? Maybe by looking at logs?
On Tuesday, October 14, 2014 4:18 PM, Brian Geffon <br...@apache.org> wrote:
cc: users@
For users who want to immediately disable SSLv3 you should only need to change proxy.config.ssl.SSLv3 in records.config to 0 and bounce traffic_server.
Brian
On Tue, Oct 14, 2014 at 4:13 PM, Leif Hedstrom <zw...@apache.org> wrote:
Now that the POODLE is out of the bag, I think we should consider changing this for v5.1.1:
{RECT_CONFIG, "proxy.config.ssl.SSLv3", RECD_INT, "1", RECU_RESTART_TS, RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
I believe this does have a drawback: certain browsers / UAs on some OSes might not have TLS support. I think (but not 100% certain) that IE on Windows/XP is one such case?
Thoughts?
— Leif
http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
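One way to answer the log question above, added here as an example that is neither Scott's code nor the ATS project's: it assumes a custom ATS log format whose fifth field is the negotiated SSL/TLS version (the format and the sample lines are constructed), and reports the share of SSLv3 handshakes plus the user agents behind them, so the impact of flipping proxy.config.ssl.SSLv3 to 0 can be estimated first.

```python
# Added example (not Scott's code and not from the ATS project): estimate how
# much client traffic would break once proxy.config.ssl.SSLv3 is set to 0, by
# counting negotiated protocol versions in an access log.
# Assumption: a custom ATS log format whose fifth field is the negotiated
# SSL/TLS version; the sample lines below are constructed, not real traffic.
import re
from collections import Counter

# Constructed sample: time, client IP, method, URL, protocol version, user agent
SAMPLE_LOG = """\
1413330000 192.0.2.10 GET https://example.test/ TLSv1 "Mozilla/5.0 (Windows NT 6.1) Firefox/32.0"
1413330001 192.0.2.11 GET https://example.test/a SSLv3 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
1413330002 192.0.2.12 GET https://example.test/b TLSv1.2 "Mozilla/5.0 (X11; Linux) Chrome/38.0"
1413330003 192.0.2.11 GET https://example.test/c SSLv3 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
1413330004 192.0.2.13 GET https://example.test/d TLSv1 "Mozilla/5.0 (Windows NT 5.1) Chrome/37.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

def parse_line(line):
    """Return (protocol_version, user_agent) for one line, or None if malformed."""
    m = LINE_RE.match(line.strip())
    return (m.group(5), m.group(6)) if m else None

def sslv3_impact(log_text):
    """Count handshakes per protocol version and list the user agents that
    still negotiate SSLv3, i.e. the clients that would be locked out."""
    versions, sslv3_agents, total = Counter(), Counter(), 0
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of miscounting them
        version, ua = parsed
        total += 1
        versions[version] += 1
        if version == "SSLv3":
            sslv3_agents[ua] += 1
    share = versions["SSLv3"] / total if total else 0.0
    return {"total": total, "versions": dict(versions),
            "sslv3_share": share, "sslv3_agents": dict(sslv3_agents)}

if __name__ == "__main__":
    report = sslv3_impact(SAMPLE_LOG)
    print(f"{report['sslv3_share']:.1%} of {report['total']} handshakes used SSLv3")
    for ua, n in sorted(report["sslv3_agents"].items(), key=lambda kv: -kv[1]):
        print(f"  {n:4d}  {ua}")
```

Run it against a real log exported in the assumed format; a non-zero SSLv3 share pinned to a handful of user agents is the population that needs TLS enabled client-side before the flag is changed.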
Re: POODLE and ATS configs
Posted by Brian Geffon <br...@apache.org>.
cc: users@
For users who want to immediately disable SSLv3 you should only need to
change proxy.config.ssl.SSLv3 in records.config to 0 and bounce
traffic_server.
Brian
On Tue, Oct 14, 2014 at 4:13 PM, Leif Hedstrom <zw...@apache.org> wrote:
> Now that the POODLE is out of the bag, I think we should consider changing
> this for v5.1.1:
>
> {RECT_CONFIG, "proxy.config.ssl.SSLv3", RECD_INT, "1", RECU_RESTART_TS,
> RR_NULL, RECC_INT, "[0-1]", RECA_NULL}
>
>
> I believe this does have a drawback: certain browsers / UAs on some OSes
> might not have TLS support. I think (but not 100% certain) that IE on
> Windows/XP is one such case?
>
> Thoughts?
>
> — Leif
>
>
> http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html