Posted to commits@trafficcontrol.apache.org by oc...@apache.org on 2021/02/19 22:25:27 UTC

[trafficcontrol] branch 5.1.x updated: Set Traffic Router to only accept TLSv1.1 and TLSv1.2 (#5547)

This is an automated email from the ASF dual-hosted git repository.

ocket8888 pushed a commit to branch 5.1.x
in repository https://gitbox.apache.org/repos/asf/trafficcontrol.git


The following commit(s) were added to refs/heads/5.1.x by this push:
     new 3210a39  Set Traffic Router to only accept TLSv1.1 and TLSv1.2 (#5547)
3210a39 is described below

commit 3210a3903d493c23306c725d1d95c84fbbbcbc7f
Author: Hank Beatty <hb...@users.noreply.github.com>
AuthorDate: Fri Feb 19 12:37:24 2021 -0500

    Set Traffic Router to only accept TLSv1.1 and TLSv1.2 (#5547)
    
    The reason I did not turn off TLSv1.1 is because I had some issues getting things to work correctly with it off. The reason I did not turn on TLSv1.3 is because it is not supported in CentOS 7.
    
    TLSv1 and TLSv1.1 have been deprecated by all the major browsers since March of 2020. We might want to look at logging the negotiated protocol if that hasn't already been done.
    
    (cherry picked from commit 9718699496098978ad615b20a1ad55dedee777e4)
---
 CHANGELOG.md                                 | 1 +
 traffic_router/core/src/main/conf/server.xml | 4 ++--
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 15c5a02..a2dc9d9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -56,6 +56,7 @@ The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/).
 =======
 - Updated Flot libraries to supported versions
 - [apache/trafficcontrol](https://github.com/apache/trafficcontrol) is now a Go module
+- Set Traffic Router to only accept TLSv1.1 and TLSv1.2 protocols in server.xml
 - Updated Apache Tomcat from 8.5.57 to 8.5.63
 - Updated Apache Tomcat Native from 1.2.16 to 1.2.23
 
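Review bot: the new entry is added directly beneath a bare `=======` line in the context, which reads like a leftover merge-conflict marker rather than a Keep a Changelog section heading; worth confirming the section structure of CHANGELOG.md on 5.1.x before this lands. The entry itself could also say what operators will actually notice, i.e. that Traffic Router no longer accepts TLSv1 (1.0) connections on its HTTPS connectors, rather than only which attribute changed in server.xml.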
diff --git a/traffic_router/core/src/main/conf/server.xml b/traffic_router/core/src/main/conf/server.xml
index 49750fb..ec36cee 100644
--- a/traffic_router/core/src/main/conf/server.xml
+++ b/traffic_router/core/src/main/conf/server.xml
@@ -40,11 +40,11 @@
 		<Connector port="3333" protocol="com.comcast.cdn.traffic_control.traffic_router.protocol.LanguidNioProtocol" maxThreads="10000"
 				   connectionTimeout="10000" mbeanPath="traffic-router:name=languidState" readyAttribute="Ready" portAttribute="ApiPort"/>
 		<Connector port="3443" protocol="com.comcast.cdn.traffic_control.traffic_router.protocol.LanguidNioProtocol" maxThreads="10000"
-				   scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS" connectionTimeout="10000"
+				   scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS" protocols="TLSv1.1,TLSv1.2" connectionTimeout="10000"
 				   mbeanPath="traffic-router:name=languidState" readyAttribute="Ready" portAttribute="SecureApiPort" sendReasonPhrase="true"
 				   sslImplementationName="com.comcast.cdn.traffic_control.traffic_router.protocol.RouterSslImplementation"> </Connector>
 		<Connector port="443" protocol="com.comcast.cdn.traffic_control.traffic_router.protocol.LanguidNioProtocol" maxThreads="10000"
-				   scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS" connectionTimeout="10000"
+				   scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS" protocols="TLSv1.1,TLSv1.2" connectionTimeout="10000"
 				   mbeanPath="traffic-router:name=languidState" readyAttribute="Ready" portAttribute="SecurePort" sendReasonPhrase="true"
 				   sslImplementationName="com.comcast.cdn.traffic_control.traffic_router.protocol.RouterSslImplementation">
 		</Connector>
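Review bot: the attribute added to both HTTPS Connectors is `protocols="TLSv1.1,TLSv1.2"`, but on a stock Tomcat 8.5 Connector the attribute that selects enabled protocol versions is `sslEnabledProtocols` (with `protocols` belonging to a nested `SSLHostConfig` element), so whether this takes effect depends on `LanguidNioProtocol` / `RouterSslImplementation` honoring a Connector-level `protocols` attribute. Two checks are worth doing before merge: look in the Tomcat logs at startup for the usual "did not find a matching property" warning that Tomcat emits for an unrecognized connector attribute, and confirm with a TLSv1-only client handshake against ports 443 and 3443 that the handshake is refused while TLSv1.2 still succeeds. Since the commit message acknowledges TLSv1.1 is deprecated and was only kept for practical reasons, an XML comment next to the attribute explaining why TLSv1.1 remains enabled (and that TLSv1.3 is unavailable on CentOS 7) would save the next person from re-deriving it.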