Uploaded image for project: 'Traffic Server'
  1. Traffic Server
  2. TS-2400

Our default SSL cipher-suite advocates speed over security

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 5.0.0
    • Configuration, SSL
    • None

    Description

      Our default cipher-suite advocates speed over security:

      RC4-SHA:AES128-SHA:DES-CBC3-SHA:AES256-SHA:ALL:!aNULL:!EXP:!LOW:!MD5:!SSLV2:!NULL

      Worse yet, it still has RC4 in there, along with some other bad defaults. RC4 must be eradicated: https://blogs.technet.com/b/srd/archive/2013/11/12/security-advisory-2868725-recommendation-to-disable-rc4.aspx?Redirected=true

      We should by default advocate security, which means, we should advocate Perfect Forward Secrecy, which means we should also advocate OpenSSL >= 1.0.1e

      Attachments

        Issue Links

          relates to

          Improvement - An improvement or enhancement to an existing feature or task. TS-2274 Better initial default configs

          • Major - Major loss of function.
          • Closed

          Activity

            People

              bcall Bryan Call
              i.galic Igor Galić
              Votes:
              1 Vote for this issue
              Watchers:
              7 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: