Posted to issues@trafficserver.apache.org by "Igor Galić (JIRA)" <ji...@apache.org> on 2013/11/26 22:19:35 UTC
[jira] [Created] (TS-2400) Our default SSL cipher-suite advocates speed over security
Igor Galić created TS-2400:
------------------------------
Summary: Our default SSL cipher-suite advocates speed over security
Key: TS-2400
URL: https://issues.apache.org/jira/browse/TS-2400
Project: Traffic Server
Issue Type: Bug
Components: Configuration, SSL
Reporter: Igor Galić
Our default cipher-suite advocates speed over security:
{code}
RC4-SHA:AES128-SHA:DES-CBC3-SHA:AES256-SHA:ALL:!aNULL:!EXP:!LOW:!MD5:!SSLV2:!NULL
{code}
Worse yet, it still has RC4 in there, along with some other bad defaults. RC4 must be eradicated: https://blogs.technet.com/b/srd/archive/2013/11/12/security-advisory-2868725-recommendation-to-disable-rc4.aspx?Redirected=true
We should by default advocate security, which means we should advocate Perfect Forward Secrecy, which means we should also advocate OpenSSL >= 1.0.1e.
--
This message was sent by Atlassian JIRA
(v6.1#6144)
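
A static check of the cipher string quoted in the issue, as an added example that is not part of the original message or of Traffic Server: it parses the list by name only and flags RC4, 3DES and suites without an ephemeral key exchange. The function names and the classification rules (pre-TLS 1.3 OpenSSL suite names, with an `ECDHE-`, `DHE-` or `EDH-` prefix taken to mean forward secrecy) are assumptions of this example.

```python
# Added example: static audit of an OpenSSL-style cipher list (string parsing
# only, no OpenSSL call). Classification rules are this example's assumptions.
import re

# Default cipher list quoted in TS-2400.
ATS_DEFAULT = ("RC4-SHA:AES128-SHA:DES-CBC3-SHA:AES256-SHA:ALL:"
               "!aNULL:!EXP:!LOW:!MD5:!SSLV2:!NULL")

PFS_PREFIXES = ("ECDHE-", "DHE-", "EDH-")  # ephemeral (EC)DH, pre-TLS 1.3 names
WEAK = {"RC4": "RC4", "DES-CBC3": "3DES"}  # name substring -> group keyword


def _tokens(cipher_list):
    return [t for t in re.split(r"[:, ]+", cipher_list.strip()) if t]


def audit(cipher_list):
    """Return a list of (position, token, issue) for a cipher-list string."""
    tokens = _tokens(cipher_list)
    excluded = {t[1:].upper() for t in tokens if t[0] in "!-"}
    findings = []
    for pos, tok in enumerate(tokens, start=1):
        name = tok.upper()
        if tok[0] in "!-+@":
            continue  # exclusions and ordering directives add no suites
        if "-" not in tok:
            # Group keyword (ALL, HIGH, ...): only ALL is examined here.
            if name == "ALL":
                findings += [(pos, tok, f"ALL still admits {kw} suites")
                             for kw in WEAK.values() if kw not in excluded]
            continue
        findings += [(pos, tok, f"uses {kw}")
                     for sub, kw in WEAK.items() if sub in name]
        if not name.startswith(PFS_PREFIXES):
            findings.append((pos, tok, "no forward secrecy"))
    return findings


def first_pfs_position(cipher_list):
    """1-based position of the first explicitly named PFS suite, or None."""
    for pos, tok in enumerate(_tokens(cipher_list), start=1):
        if tok.upper().startswith(PFS_PREFIXES):
            return pos
    return None


if __name__ == "__main__":
    for pos, tok, issue in audit(ATS_DEFAULT):
        print(f"{pos:>2}  {tok:<14} {issue}")
```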