Posted to issues@trafficserver.apache.org by "Leif Hedstrom (JIRA)" <ji...@apache.org> on 2014/05/22 00:43:39 UTC

[jira] [Commented] (TS-2400) Our default SSL cipher-suite advocates speed over security

    [ https://issues.apache.org/jira/browse/TS-2400?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14005341#comment-14005341 ] 

Leif Hedstrom commented on TS-2400:
-----------------------------------

Moving to Bryan. From the discussions, we want this for v5.0.0:

* Change default cipher suite

* Turn on honor_cipher_order by default


> Our default SSL cipher-suite advocates speed over security
> ----------------------------------------------------------
>
>                 Key: TS-2400
>                 URL: https://issues.apache.org/jira/browse/TS-2400
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: Configuration, SSL
>            Reporter: Igor Galić
>            Assignee: Bryan Call
>             Fix For: 5.0.0
>
>
> Our default cipher-suite advocates speed over security:
> {code}
> RC4-SHA:AES128-SHA:DES-CBC3-SHA:AES256-SHA:ALL:!aNULL:!EXP:!LOW:!MD5:!SSLV2:!NULL
> {code}
> Worse yet, it still has RC4 in there, along with some other bad defaults. RC4 must be eradicated: https://blogs.technet.com/b/srd/archive/2013/11/12/security-advisory-2868725-recommendation-to-disable-rc4.aspx?Redirected=true
> We should by default advocate security, which means, we should advocate Perfect Forward Secrecy, which means we should also advocate OpenSSL >= 1.0.1e 



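An added example (not Traffic Server code and not part of the original message): a small audit of the cipher string quoted in the issue, showing which suites the server-side preference order puts first. The function names `parse` and `audit` and the comparison string `SAMPLE_PFS_FIRST` are assumptions made for illustration; the comparison string is constructed and is not the default the project adopted.

```python
import re

# Old default quoted in TS-2400.
OLD_DEFAULT = ("RC4-SHA:AES128-SHA:DES-CBC3-SHA:AES256-SHA:ALL:"
               "!aNULL:!EXP:!LOW:!MD5:!SSLV2:!NULL")
# Constructed comparison string, NOT the default the project adopted.
SAMPLE_PFS_FIRST = ("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
                    "AES128-SHA:!aNULL:!RC4:!MD5")

GROUPS = {"ALL", "DEFAULT", "HIGH", "MEDIUM", "LOW"}  # aliases expanding to many suites
FS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")              # ephemeral (forward-secret) key exchange
WEAK = {"RC4": "RC4", "DES-CBC3": "3DES", "MD5": "MD5"}


def parse(cipher_string):
    """Split an OpenSSL cipher list into (operator, token) pairs.

    Operator '' adds suites, '!' excludes them permanently, '-' removes them,
    '+' moves them to the end of the list.
    """
    rules = []
    for item in re.split(r"[:, ]+", cipher_string.strip()):
        if item:
            op = item[0] if item[0] in "!-+" else ""
            rules.append((op, item[len(op):]))
    return rules


def audit(cipher_string):
    """Report what the server-side preference order puts first."""
    added = [tok for op, tok in parse(cipher_string) if op == ""]
    weak = [(pos, tok, why) for pos, tok in enumerate(added, 1)
            for marker, why in WEAK.items() if marker in tok.upper()]
    fs = [pos for pos, tok in enumerate(added, 1)
          if tok.upper().startswith(FS_PREFIXES)]
    first_fs = fs[0] if fs else None
    # Explicitly named suites without an ephemeral key exchange that outrank
    # every explicitly named forward-secret suite. A later alias such as ALL
    # only appends suites not already listed, so these stay ahead of it.
    static_first = [tok for pos, tok in enumerate(added, 1)
                    if tok.upper() not in GROUPS
                    and not tok.upper().startswith(FS_PREFIXES)
                    and (first_fs is None or pos < first_fs)]
    return {"order": added, "weak": weak,
            "first_forward_secret": first_fs, "static_kx_first": static_first}


if __name__ == "__main__":
    for name, value in (("old default", OLD_DEFAULT), ("constructed", SAMPLE_PFS_FIRST)):
        print(name, audit(value))
```

The reported positions describe the server's preference order, which only decides the negotiated suite when honor_cipher_order is on; with it off, the client's order wins.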