Posted to issues@trafficcontrol.apache.org by GitBox <gi...@apache.org> on 2021/02/19 22:37:21 UTC

[GitHub] [trafficcontrol] rawlinp opened a new pull request #5550: TR: fix server.xml protocols list to use '+' instead of ','

rawlinp opened a new pull request #5550:
URL: https://github.com/apache/trafficcontrol/pull/5550


   ## What does this PR (Pull Request) do?
   Follow-up to https://github.com/apache/trafficcontrol/pull/5547: TR seems to support commas but prints the following warning when using them:
   ```
     The protocol [TLSv1.2] was added to the list of protocols on the
     SSLHostConfig named [example.org]. Check if a +/- prefix is missing.
   ```
   Also, TR ignores TLSv1.3 being in the list if the backend doesn't support it, so it is safe to include by default. On systems that don't support it, the following warning is printed in the tomcat logs:
   ```
   org.apache.tomcat.util.net.SSLUtilBase.getEnabled Some of the specified [protocols] are not supported by the SSL engine and have been skipped: [[TLSv1.3]]
   ```
   
   For reference: https://tomcat.apache.org/tomcat-8.5-doc/config/http.html#SSL_Support_-_SSLHostConfig
   
   ## Which Traffic Control components are affected by this PR?
   - Traffic Router
   
   ## What is the best way to verify this PR?
   ```
   docker run --rm -it drwetter/testssl.sh:latest -p <some_traffic_router>
   ```
   Sample output:
   ```
     Testing protocols via sockets except NPN+ALPN
   
    SSLv2      not offered (OK)
    SSLv3      not offered (OK)
    TLS 1      not offered
    TLS 1.1    offered (deprecated)
    TLS 1.2    offered (OK)
    TLS 1.3    not offered and downgraded to a weaker protocol
    NPN/SPDY   not offered
    ALPN/HTTP2 not offered
   ```
   
   ## The following criteria are ALL met by this PR
   
   - [x] default config change, tests unnecessary
   - [x] default config change, docs unnecessary
   - [x] This PR includes an update to CHANGELOG.md
   - [x] This PR includes any and all required license headers
   - [x] This PR **DOES NOT FIX A SERIOUS SECURITY VULNERABILITY** (see [the Apache Software Foundation's security guidelines](https://www.apache.org/security/) for details)
   


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
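The `+`/`-`/`,` token semantics that the PR description and the quoted "Check if a +/- prefix is missing" warning refer to, modelled in Python as an added example (this is not Tomcat's code and not part of the thread): the token set behind `all` is assumed from the linked Tomcat 8.5 SSLHostConfig docs, and `deprecated_in` applies the deprecations from RFC 7568 and RFC 8996 to the resulting list.

```python
import re

# Tokens the linked Tomcat 8.5 SSLHostConfig docs accept in `protocols`; the
# docs define "all" as an alias for this set (assumption: copied from those docs).
ALL_ALIAS = ["SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# Versions deprecated by RFC 7568 (SSLv3) and RFC 8996 (TLS 1.0 and 1.1).
DEPRECATED = {"SSLv3", "TLSv1", "TLSv1.1"}


def _expand(name):
    return list(ALL_ALIAS) if name.lower() == "all" else [name]


def parse_protocols(value, host="example.org"):
    """Model of the documented step-by-step list build.

    Returns (enabled protocols in insertion order, warnings). A token without a
    '+'/'-' prefix is still added, but when the list is already non-empty it
    triggers the "Check if a +/- prefix is missing" warning quoted in the PR.
    """
    protocols, warnings = [], []
    # Split so every token keeps its own leading '+', '-' or ',' character.
    for raw in re.split(r"(?=[-+,])", value):
        tok = raw.strip()
        if len(tok) <= 1:  # a bare "," (or "+"/"-") separator names no protocol
            continue
        prefix, name = (tok[0], tok[1:].strip()) if tok[0] in "+-," else ("", tok)
        if prefix == "-":
            protocols[:] = [p for p in protocols if p not in _expand(name)]
            continue
        if prefix != "+" and protocols:
            warnings.append(
                f"The protocol [{name}] was added to the list of protocols on the "
                f"SSLHostConfig named [{host}]. Check if a +/- prefix is missing."
            )
        for p in _expand(name):
            if p not in protocols:
                protocols.append(p)
    return protocols, warnings


def deprecated_in(value):
    """Protocols the configured list still enables that are formally deprecated."""
    enabled, _ = parse_protocols(value)
    return [p for p in enabled if p in DEPRECATED]


if __name__ == "__main__":
    for cfg in ("TLSv1.1,TLSv1.2", "+TLSv1.1+TLSv1.2+TLSv1.3", "+TLSv1.1,+TLSv1.2,+TLSv1.3"):
        enabled, warns = parse_protocols(cfg)
        print(f"{cfg!r:32} -> {enabled} warnings={len(warns)} deprecated={deprecated_in(cfg)}")
```

Running it shows the original comma-only value producing the warning for `TLSv1.2`, while both prefixed forms (with or without commas) build the same three-entry list without warnings.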



[GitHub] [trafficcontrol] zrhoffman commented on a change in pull request #5550: TR: fix server.xml protocols list to use '+' instead of ','

Posted by GitBox <gi...@apache.org>.
zrhoffman commented on a change in pull request #5550:
URL: https://github.com/apache/trafficcontrol/pull/5550#discussion_r579533753



##########
File path: traffic_router/core/src/main/conf/server.xml
##########
@@ -40,11 +40,11 @@
 		<Connector port="3333" protocol="com.comcast.cdn.traffic_control.traffic_router.protocol.LanguidNioProtocol" maxThreads="10000"
 				   connectionTimeout="10000" mbeanPath="traffic-router:name=languidState" readyAttribute="Ready" portAttribute="ApiPort"/>
 		<Connector port="3443" protocol="com.comcast.cdn.traffic_control.traffic_router.protocol.LanguidNioProtocol" maxThreads="10000"
-				   scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS" protocols="TLSv1.1,TLSv1.2" connectionTimeout="10000"
+				   scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS" protocols="+TLSv1.1+TLSv1.2+TLSv1.3" connectionTimeout="10000"
 				   mbeanPath="traffic-router:name=languidState" readyAttribute="Ready" portAttribute="SecureApiPort" sendReasonPhrase="true"
 				   sslImplementationName="com.comcast.cdn.traffic_control.traffic_router.protocol.RouterSslImplementation"> </Connector>
 		<Connector port="443" protocol="com.comcast.cdn.traffic_control.traffic_router.protocol.LanguidNioProtocol" maxThreads="10000"
-				   scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS" protocols="TLSv1.1,TLSv1.2" connectionTimeout="10000"
+				   scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS" protocols="+TLSv1.1+TLSv1.2+TLSv1.3" connectionTimeout="10000"
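Review bot: both the 3443 and 443 connectors keep `+TLSv1.1` in the new `protocols="+TLSv1.1+TLSv1.2+TLSv1.3"` value, and the PR's own testssl sample output reports `TLS 1.1 offered (deprecated)`; since this change already rewrites the attribute, either drop `+TLSv1.1` or record in the PR why clients still need it, so the deprecated version is not carried forward by default without a stated reason. The description also notes that on hosts without TLSv1.3 support the entry is skipped with the `SSLUtilBase.getEnabled` warning, which is worth a short comment next to the attribute so operators reading the tomcat log do not mistake it for a misconfiguration.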

Review comment:
       Having commas there like `+TLSv1.1,+TLSv1.2,+TLSv1.3` or `+TLSv1.1,+TLSv1.2,+TLSv1.3,` would still help people who don't know at a glance which SSL protocol version in the list `+` refers to.







[GitHub] [trafficcontrol] zrhoffman merged pull request #5550: TR: fix server.xml protocols list to use '+' instead of ','

Posted by GitBox <gi...@apache.org>.
zrhoffman merged pull request #5550:
URL: https://github.com/apache/trafficcontrol/pull/5550


   





[GitHub] [trafficcontrol] rawlinp commented on a change in pull request #5550: TR: fix server.xml protocols list to use '+' instead of ','

Posted by GitBox <gi...@apache.org>.
rawlinp commented on a change in pull request #5550:
URL: https://github.com/apache/trafficcontrol/pull/5550#discussion_r579537709



##########
File path: traffic_router/core/src/main/conf/server.xml
##########
@@ -40,11 +40,11 @@
 		<Connector port="3333" protocol="com.comcast.cdn.traffic_control.traffic_router.protocol.LanguidNioProtocol" maxThreads="10000"
 				   connectionTimeout="10000" mbeanPath="traffic-router:name=languidState" readyAttribute="Ready" portAttribute="ApiPort"/>
 		<Connector port="3443" protocol="com.comcast.cdn.traffic_control.traffic_router.protocol.LanguidNioProtocol" maxThreads="10000"
-				   scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS" protocols="TLSv1.1,TLSv1.2" connectionTimeout="10000"
+				   scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS" protocols="+TLSv1.1+TLSv1.2+TLSv1.3" connectionTimeout="10000"
 				   mbeanPath="traffic-router:name=languidState" readyAttribute="Ready" portAttribute="SecureApiPort" sendReasonPhrase="true"
 				   sslImplementationName="com.comcast.cdn.traffic_control.traffic_router.protocol.RouterSslImplementation"> </Connector>
 		<Connector port="443" protocol="com.comcast.cdn.traffic_control.traffic_router.protocol.LanguidNioProtocol" maxThreads="10000"
-				   scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS" protocols="TLSv1.1,TLSv1.2" connectionTimeout="10000"
+				   scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS" protocols="+TLSv1.1+TLSv1.2+TLSv1.3" connectionTimeout="10000"
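Review bot: the hunk quoted here still shows `protocols="+TLSv1.1+TLSv1.2+TLSv1.3"`, but the review exchange in this thread settles on the comma-separated form `+TLSv1.1,+TLSv1.2,+TLSv1.3` and marks it as fixed, so this diff is not the final content of `traffic_router/core/src/main/conf/server.xml`; anyone verifying the merged file should expect the comma-separated value, which reads more clearly because each `+` sits visibly next to the version it enables while building the same protocol list.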

Review comment:
       Indeed, that does appear to work the same too. Fixed.



