Posted to issues@trafficcontrol.apache.org by GitBox <gi...@apache.org> on 2021/02/19 04:51:53 UTC

[GitHub] [trafficcontrol] hbeatty opened a new pull request #5547: Set Traffic Router to only accept TLSv1.1 and TLSv1.2

hbeatty opened a new pull request #5547:
URL: https://github.com/apache/trafficcontrol/pull/5547


   ## What does this PR (Pull Request) do?
   
   The reason I did not turn off TLSv1.1 is that I had some issues getting things to work correctly with it off. The reason I did not turn on TLSv1.3 is that it is not supported in CentOS 7.
   
   TLSv1 and TLSv1.1 have been deprecated by all the major browsers since March of 2020. We might want to look at logging the negotiated protocol if that hasn't already been done.
   
   - [x] This PR is not related to any Issue 
   
   
   ## Which Traffic Control components are affected by this PR?
   
   - Traffic Router
   
   ## What is the best way to verify this PR?
   
   The best way I know to test it is to run this prior to and after changing the server.xml.
   
   `docker run -it drwetter/testssl.sh:latest -p <some_traffic_router>`
   
   Sample output:
   
   ```
   Testing protocols via sockets except NPN+ALPN 
   
    SSLv2      not offered (OK)
    SSLv3      not offered (OK)
    TLS 1      not offered
    TLS 1.1    offered (deprecated)
    TLS 1.2    offered (OK)
    TLS 1.3    not offered and downgraded to a weaker protocol
    NPN/SPDY   not offered
    ALPN/HTTP2 not offered
   ```
   
   ## If this is a bug fix, what versions of Traffic Control are affected?
   not a bug fix.
   
   ## The following criteria are ALL met by this PR
   
   - [x] This PR includes tests OR I have explained why tests are unnecessary
   - [x] This PR includes documentation OR I have explained why documentation is unnecessary
   - [x] This PR includes an update to CHANGELOG.md OR such an update is not necessary
   - [x] This PR includes any and all required license headers
   - [x] This PR **DOES NOT FIX A SERIOUS SECURITY VULNERABILITY** (see [the Apache Software Foundation's security guidelines](https://www.apache.org/security/) for details)
   
   
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
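
As an added example (not part of the PR or the Traffic Control code base), the testssl.sh check described in the PR can be turned into a pass/fail test by parsing the protocol rows and comparing them with the TLSv1.1/TLSv1.2-only policy. The function names and the `ALLOWED`/`CHECKED` constants are assumptions made here; the sample rows are the ones quoted in the PR description.

```python
import re

# Policy taken from the PR title: only TLSv1.1 and TLSv1.2 are accepted.
ALLOWED = {"TLS 1.1", "TLS 1.2"}
CHECKED = ["SSLv2", "SSLv3", "TLS 1", "TLS 1.1", "TLS 1.2", "TLS 1.3"]

# Protocol rows from the sample output in the PR description.
SAMPLE = """\
 SSLv2      not offered (OK)
 SSLv3      not offered (OK)
 TLS 1      not offered
 TLS 1.1    offered (deprecated)
 TLS 1.2    offered (OK)
 TLS 1.3    not offered and downgraded to a weaker protocol
 NPN/SPDY   not offered
 ALPN/HTTP2 not offered
"""

ANSI = re.compile(r"\x1b\[[0-9;]*m")  # colour codes emitted when run on a TTY
ROW = re.compile(r"^\s*(SSLv2|SSLv3|TLS 1(?:\.[123])?)\s+(\S.*)$")

def parse_protocols(text):
    """Map protocol name -> True (offered), False (not offered), None (unclear)."""
    seen = {}
    for line in ANSI.sub("", text).splitlines():
        m = ROW.match(line)
        if not m:
            continue  # NPN/ALPN rows, headers and blank lines are ignored
        name, status = m.group(1), m.group(2).lower()
        if status.startswith("not offered"):
            seen[name] = False
        elif status.startswith("offered"):
            seen[name] = True
        else:
            seen[name] = None  # unrecognised status: never count it as a pass
    return seen

def violations(text, allowed=ALLOWED):
    """Return a list of policy violations; an empty list means the policy holds."""
    seen, problems = parse_protocols(text), []
    for name in CHECKED:
        offered = seen.get(name)
        if offered is None:
            problems.append(f"{name}: no clear result")
        elif offered and name not in allowed:
            problems.append(f"{name}: offered but not allowed")
        elif not offered and name in allowed:
            problems.append(f"{name}: allowed but not offered")
    return problems
```
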



[GitHub] [trafficcontrol] dneuman64 merged pull request #5547: Set Traffic Router to only accept TLSv1.1 and TLSv1.2

Posted by GitBox <gi...@apache.org>.
dneuman64 merged pull request #5547:
URL: https://github.com/apache/trafficcontrol/pull/5547


   





[GitHub] [trafficcontrol] dneuman64 commented on pull request #5547: Set Traffic Router to only accept TLSv1.1 and TLSv1.2

Posted by GitBox <gi...@apache.org>.
dneuman64 commented on pull request #5547:
URL: https://github.com/apache/trafficcontrol/pull/5547#issuecomment-782196209


   👍 LGTM, will wait for checks to finish before merging

