You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@trafficserver.apache.org by "Leif Hedstrom (JIRA)" <ji...@apache.org> on 2016/04/11 20:31:25 UTC

[jira] [Updated] (TS-4247) Should no longer allow SSLv2 configuration

     [ https://issues.apache.org/jira/browse/TS-4247?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Leif Hedstrom updated TS-4247:
------------------------------
    Priority: Blocker  (was: Major)

> Should no longer allow SSLv2 configuration
> ------------------------------------------
>
>                 Key: TS-4247
>                 URL: https://issues.apache.org/jira/browse/TS-4247
>             Project: Traffic Server
>          Issue Type: Improvement
>          Components: Security, SSL
>            Reporter: Dave Thompson
>            Assignee: Dave Thompson
>            Priority: Blocker
>             Fix For: 7.0.0
>
>
> In light of today's DROWN TLS vulnerability (CVE-2016-0800 and CVE-2016-0703 ), we should no longer have an option to allow an admin to configure SSLv2 (whether intentional or not, or just out of ignorance).   The consequences are far too severe.    This is also the only solution for CVE-2016-0800.
> Some details:
> https://drownattack.com/



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)