Posted to users@trafficserver.apache.org by Leif Hedstrom <zw...@apache.org> on 2019/06/04 22:14:06 UTC

[PROPOSAL] Turn off TLS v1.0 and v1.1 by default for ATS v9.00

Hi all,

in the spirit of 

	https://tools.ietf.org/html/draft-ietf-tls-oldversions-deprecate-04


I’d like to propose that we change the defaults for our settings, to turn these two protocols off by default:

	proxy.config.ssl.TLSv1=0
	proxy.config.ssl.TLSv1_1=0
	proxy.config.ssl.client.TLSv1=0
	proxy.config.ssl.client.TLSv1_1=0


The code / features will still be there, and can either be turned on globally, or (better IMO) turned on per SNI in ssl_server_name.yaml / sni.yaml.

Any concerns / objections?

— Leif
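
Added example (not part of the original thread, and not ATS project code): a small Python audit of a records.config for the four settings named in the proposal. It shows which of them would change silently when the default flips because they were never set explicitly. It assumes the `CONFIG <name> INT <value>` line syntax and that the current default is on, as the proposal implies; the function names and the sample file are constructed for illustration.

```python
import re

# The four settings named in the proposal.
LEGACY_TLS_SETTINGS = (
    "proxy.config.ssl.TLSv1",
    "proxy.config.ssl.TLSv1_1",
    "proxy.config.ssl.client.TLSv1",
    "proxy.config.ssl.client.TLSv1_1",
)

# Assumed records.config line shape: CONFIG <name> INT <value>
_LINE = re.compile(r"^\s*CONFIG\s+(\S+)\s+INT\s+(\d+)\s*$")

# Constructed sample file, not taken from a real deployment.
SAMPLE = """\
# TLS settings
CONFIG proxy.config.ssl.TLSv1 INT 0
CONFIG proxy.config.ssl.client.TLSv1_1 INT 1
CONFIG proxy.config.ssl.server.cipher_suite STRING ECDHE-RSA-AES128-GCM-SHA256
"""


def audit(text, default_enabled):
    """Report the effective state of each legacy-TLS setting.

    default_enabled is the build default used when a setting is absent:
    1 for the current behaviour, 0 for the proposed one.
    """
    seen = {}
    for line in text.splitlines():
        m = _LINE.match(line)  # comment lines and non-INT lines do not match
        if m and m.group(1) in LEGACY_TLS_SETTINGS:
            seen.setdefault(m.group(1), []).append(int(m.group(2)))
    report = {}
    for name in LEGACY_TLS_SETTINGS:
        values = seen.get(name, [])
        report[name] = {
            # Conservative: duplicates count as enabled if any line enables it.
            "enabled": bool(max(values)) if values else bool(default_enabled),
            "source": "explicit" if values else "default",
            "conflicting": len(set(values)) > 1,
        }
    return report


def changed_by_new_default(text):
    """Settings that flip from on to off on upgrade because they were never pinned."""
    before, after = audit(text, 1), audit(text, 0)
    return [n for n in LEGACY_TLS_SETTINGS
            if before[n]["enabled"] and not after[n]["enabled"]]


if __name__ == "__main__":
    for name in changed_by_new_default(SAMPLE):
        print("unset, will turn off with the new default:", name)
    for name, state in audit(SAMPLE, 0).items():
        if state["enabled"]:
            print("still enabled after upgrade:", name)
```
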


Re: [PROPOSAL] Turn off TLS v1.0 and v1.1 by default for ATS v9.00

Posted by "Steven R. Feltner" <sf...@godaddy.com>.
+1 

- These are old protocols that just need to go away.  They can always be turned back on by the administrator if there is a need for them in a particular installation. It should be well noted in the CHANGES Log and in the "Upgrading to 9.0" document for the release that this is a change to the default configuration from the previous version.


On 6/4/19, 6:14 PM, "Leif Hedstrom" <zw...@apache.org> wrote:

    Hi all,
    
    in the spirit of
    
            https://tools.ietf.org/html/draft-ietf-tls-oldversions-deprecate-04
    
    
    I’d like to propose that we change the defaults for our settings, to turn these two protocols off by default:
    
            proxy.config.ssl.TLSv1=0
            proxy.config.ssl.TLSv1_1=0
            proxy.config.ssl.client.TLSv1=0
            proxy.config.ssl.client.TLSv1_1=0
    
    
    The code / features will still be there, and can either be turned on globally, or (better IMO) turned on per SNI in ssl_server_name.yaml / sni.yaml.
    
    Any concerns / objections?
    
    — Leif
    
    


Re: Stop spamming the list you morons (was Re: Unsubscribe)

Posted by Jered Floyd <je...@convivian.com>.
Sorry; I'm on lots of mailing lists and see about 20-30 of these a week... sometimes I worry about the future of humanity. :-) Perhaps enabling an unsubscribe footer in the MLM would be a more constructive approach. 

--Jered 

----- On Aug 22, 2019, at 7:27 PM, James Peach <jp...@apache.org> wrote: 

> Jered,

> Please tone it down. Mistakes happen and not everyone is familiar with the same
> set of systems. A couple of unnecessary emails is not the end of the world :)

> J

>> On Aug 23, 2019, at 8:54 AM, Jered Floyd <jered@convivian.com> wrote:

>> FFS, you people are allegedly system administrators! Have you never used mailing
>> lists in your obviously short and miserable lives?

>> There's a fucking header with the unsubscribe data. Mail
>> users-unsubscribe@trafficserver.apache.org if you want to unsubscribe, and
>> never darken our doorsteps again. How did you even manage to subscribe in the
>> first place? Did you stumble aimlessly here?

>> --Jered

>> ----- On Aug 22, 2019, at 6:42 PM, <info@rennison.com.au> wrote:

>>> unsubscribe

Re: Stop spamming the list you morons (was Re: Unsubscribe)

Posted by James Peach <jp...@apache.org>.
> On Aug 23, 2019, at 3:37 PM, info@rennison.com.au wrote:
> 
> Dear all, 
> I understand your frustration, but please understand mine.
>  
> I never signed to this email group, as I have nothing to do with anything discussed on it. Someone added my email for reasons unknown three years ago and I have politely requested removal multiple times since then.
>  
> In the meantime, I have had thousands of emails being sent to me, including details of conferences and other information I do not need, nor do I want.
>  
> Today's request was another attempt in any form to get off this list.
>  
> If anyone can delete my email from this mailing list it would be greatly appreciated.

You can unsubscribe by sending email to users-unsubscribe@trafficserver.apache.org

https://apache.org/foundation/mailinglists.html#request-addresses-for-unsubscribing

J

RE: Stop spamming the list you morons (was Re: Unsubscribe)

Posted by in...@rennison.com.au.
Dear all,

I understand your frustration, but please understand mine.

I never signed to this email group, as I have nothing to do with anything
discussed on it. Someone added my email for reasons unknown three years ago
and I have politely requested removal multiple times since then.

In the meantime, I have had thousands of emails being sent to me, including
details of conferences and other information I do not need, nor do I want.

Today's request was another attempt in any form to get off this list.

If anyone can delete my email from this mailing list it would be greatly
appreciated.

Regards.

From: James Peach <jp...@apache.org>
Sent: Friday, 23 August 2019 9:27 AM
To: users@trafficserver.apache.org
Subject: Re: Stop spamming the list you morons (was Re: Unsubscribe)

Jered,

Please tone it down. Mistakes happen and not everyone is familiar with the
same set of systems. A couple of unnecessary emails is not the end of the
world :)

J

On Aug 23, 2019, at 8:54 AM, Jered Floyd <jered@convivian.com> wrote:

FFS, you people are allegedly system administrators!  Have you never used
mailing lists in your obviously short and miserable lives?

There's a fucking header with the unsubscribe data.  Mail
users-unsubscribe@trafficserver.apache.org if you want to unsubscribe, and
never darken our doorsteps again.  How did you even manage to subscribe in
the first place?  Did you stumble aimlessly here?

--Jered

----- On Aug 22, 2019, at 6:42 PM, <info@rennison.com.au> wrote:

unsubscribe


Re: Stop spamming the list you morons (was Re: Unsubscribe)

Posted by James Peach <jp...@apache.org>.
Jered,

Please tone it down. Mistakes happen and not everyone is familiar with the same set of systems. A couple of unnecessary emails is not the end of the world :)

J

> On Aug 23, 2019, at 8:54 AM, Jered Floyd <je...@convivian.com> wrote:
> 
> 
> FFS, you people are allegedly system administrators!  Have you never used mailing lists in your obviously short and miserable lives?
> 
> There's a fucking header with the unsubscribe data.  Mail users-unsubscribe@trafficserver.apache.org if you want to unsubscribe, and never darken our doorsteps again.  How did you even manage to subscribe in the first place?  Did you stumble aimlessly here?
> 
> --Jered
> 
> ----- On Aug 22, 2019, at 6:42 PM, <info@rennison.com.au> wrote:
> unsubscribe


Stop spamming the list you morons (was Re: Unsubscribe)

Posted by Jered Floyd <je...@convivian.com>.
FFS, you people are allegedly system administrators! Have you never used mailing lists in your obviously short and miserable lives? 

There's a fucking header with the unsubscribe data. Mail users-unsubscribe@trafficserver.apache.org if you want to unsubscribe, and never darken our doorsteps again. How did you even manage to subscribe in the first place? Did you stumble aimlessly here?

--Jered 

----- On Aug 22, 2019, at 6:42 PM, <in...@rennison.com.au> wrote: 

> unsubscribe

RE: Unsubscribe

Posted by in...@rennison.com.au.
unsubscribe


Re: Unsubscribe

Posted by Andre Lohmann <lo...@gmail.com>.
Unsubscribe

Jeffrey Turner <je...@me.com> wrote on Tue, Aug 20, 2019 at
23:54:

> Unsubscribe
>
> --
Andre Lohmann


*smartformer UG **(haftungsbeschränkt)*
Am Kaiserkai 69
20457 Hamburg - Hafen City

Mob: +49 (0) 152 54 21 71 05
Fon: +49 (40) 80 00 84 554
Fax: +49 (40) 80 00 84 900
Mail: al@smartformer.de
Skype: sial0884

Registered office and court of registration of the UG:
Hamburg HRB 129395
VAT ID DE291760506
Managing Director: Andre Lohmann

Kiel office:
smartformer UG
Heikendorferweg 57
24149 Kiel

LinkedIn: http://de.linkedin.com/pub/andre-lohmann/26/a60/a92
Xing: http://www.xing.com/profile/Andre_Lohmann
GitHub: https://github.com/andrelohmann

Unsubscribe

Posted by Jeffrey Turner <je...@me.com>.
Unsubscribe


Re: [PROPOSAL] Turn off TLS v1.0 and v1.1 by default for ATS v9.00

Posted by Leif Hedstrom <zw...@apache.org>.

> On Jun 4, 2019, at 18:15, Masaori Koshiba <ma...@apache.org> wrote:
> 
> +1
> 
> OpenSSL supports TLSv1.2 from v1.0.1, and our minimum requirement for it is v1.0.2 from v9.0.0. There are no problems.

Well the thing to watch out for is if you have clients which don’t support v1.2 or later :).

I’ll make a PR for this momentarily.

Cheers,

— Leif 
> 
> - Masaori
> 
>> On Wed, Jun 5, 2019 at 8:19 AM Patrick O'Brien <pa...@tetrisblocks.net> wrote:
>> +1
>> 
>> 
>>> On Tue, Jun 4, 2019 at 4:02 PM Sudheer Vinukonda <su...@yahoo.com> wrote:
>>> +1
>>> 
>>> We may need to also review the default settings for {{proxy.config.ssl.server.cipher_suite}} to make sure it's up-to-date and consistent with turning off TLSv1.1 and TLSv1.0?
>>> 
>>> Thanks,
>>> 
>>> Sudheer
>>> 
>>> On Tuesday, June 4, 2019, 3:14:09 PM PDT, Leif Hedstrom <zw...@apache.org> wrote:
>>> 
>>> 
>>> Hi all,
>>> 
>>> in the spirit of 
>>> 
>>>     https://tools.ietf.org/html/draft-ietf-tls-oldversions-deprecate-04
>>> 
>>> 
>>> I’d like to propose that we change the defaults for our settings, to turn these two protocols off by default:
>>> 
>>>     proxy.config.ssl.TLSv1=0
>>>     proxy.config.ssl.TLSv1_1=0
>>>     proxy.config.ssl.client.TLSv1=0
>>>     proxy.config.ssl.client.TLSv1_1=0
>>> 
>>> 
>>> The code / features will still be there, and can either be turned on globally, or (better IMO) turned on per SNI in ssl_server_name.yaml / sni.yaml.
>>> 
>>> Any concerns / objections?
>>> 
>>> — Leif

Re: [PROPOSAL] Turn off TLS v1.0 and v1.1 by default for ATS v9.00

Posted by Masaori Koshiba <ma...@apache.org>.
+1

OpenSSL supports TLSv1.2 from v1.0.1, and our minimum requirement for it is
v1.0.2 from v9.0.0. There are no problems.

- Masaori

On Wed, Jun 5, 2019 at 8:19 AM Patrick O'Brien <
patrickobrien@tetrisblocks.net> wrote:

> +1
>
>
> On Tue, Jun 4, 2019 at 4:02 PM Sudheer Vinukonda <
> sudheervinukonda@yahoo.com> wrote:
>
>> +1
>>
>> We may need to also review the default settings for
>> {{proxy.config.ssl.server.cipher_suite}} to make sure it's up-to-date and
>> consistent with turning off TLSv1.1 and TLSv1.0?
>>
>> Thanks,
>>
>> Sudheer
>>
>> On Tuesday, June 4, 2019, 3:14:09 PM PDT, Leif Hedstrom <zw...@apache.org>
>> wrote:
>>
>>
>> Hi all,
>>
>> in the spirit of
>>
>>     https://tools.ietf.org/html/draft-ietf-tls-oldversions-deprecate-04
>>
>>
>> I’d like to propose that we change the defaults for our settings, to turn
>> these two protocols off by default:
>>
>>     proxy.config.ssl.TLSv1=0
>>     proxy.config.ssl.TLSv1_1=0
>>     proxy.config.ssl.client.TLSv1=0
>>     proxy.config.ssl.client.TLSv1_1=0
>>
>>
>> The code / features will still be there, and can either be turned on
>> globally, or (better IMO) turned on per SNI in ssl_server_name.yaml /
>> sni.yaml.
>>
>> Any concerns / objections?
>>
>> — Leif
>>
>

Re: [PROPOSAL] Turn off TLS v1.0 and v1.1 by default for ATS v9.00

Posted by Patrick O'Brien <pa...@tetrisblocks.net>.
+1


On Tue, Jun 4, 2019 at 4:02 PM Sudheer Vinukonda <su...@yahoo.com>
wrote:

> +1
>
> We may need to also review the default settings for
> {{proxy.config.ssl.server.cipher_suite}} to make sure it's up-to-date and
> consistent with turning off TLSv1.1 and TLSv1.0?
>
> Thanks,
>
> Sudheer
>
> On Tuesday, June 4, 2019, 3:14:09 PM PDT, Leif Hedstrom <zw...@apache.org>
> wrote:
>
>
> Hi all,
>
> in the spirit of
>
>     https://tools.ietf.org/html/draft-ietf-tls-oldversions-deprecate-04
>
>
> I’d like to propose that we change the defaults for our settings, to turn
> these two protocols off by default:
>
>     proxy.config.ssl.TLSv1=0
>     proxy.config.ssl.TLSv1_1=0
>     proxy.config.ssl.client.TLSv1=0
>     proxy.config.ssl.client.TLSv1_1=0
>
>
> The code / features will still be there, and can either be turned on
> globally, or (better IMO) turned on per SNI in ssl_server_name.yaml /
> sni.yaml.
>
> Any concerns / objections?
>
> — Leif
>

Re: [PROPOSAL] Turn off TLS v1.0 and v1.1 by default for ATS v9.00

Posted by Sudheer Vinukonda <su...@yahoo.com>.
 +1
We may need to also review the default settings for {{proxy.config.ssl.server.cipher_suite}} to make sure it's up-to-date and consistent with turning off TLSv1.1 and TLSv1.0?
Thanks,
Sudheer
    On Tuesday, June 4, 2019, 3:14:09 PM PDT, Leif Hedstrom <zw...@apache.org> wrote:  
 
 Hi all,

in the spirit of 

    https://tools.ietf.org/html/draft-ietf-tls-oldversions-deprecate-04


I’d like to propose that we change the defaults for our settings, to turn these two protocols off by default:

    proxy.config.ssl.TLSv1=0
    proxy.config.ssl.TLSv1_1=0
    proxy.config.ssl.client.TLSv1=0
    proxy.config.ssl.client.TLSv1_1=0


The code / features will still be there, and can either be turned on globally, or (better IMO) turned on per SNI in ssl_server_name.yaml / sni.yaml.

Any concerns / objections?

— Leif
  
