This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/master by this push: new 1fae1c9 Adds important config notes for TLS v1/1.1 (#6646) 1fae1c9 is described below commit 1fae1c9569f75d0f42c5f9377575bf25dbdac1e1 Author: Leif Hedstrom <zw...@apache.org> AuthorDate: Fri Apr 10 16:41:56 2020 -0600 Adds important config notes for TLS v1/1.1 (#6646) * Adds important config notes for TLS v1/1.1 * Fix typo --- doc/admin-guide/files/records.config.en.rst | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/doc/admin-guide/files/records.config.en.rst b/doc/admin-guide/files/records.config.en.rst index 127de69..ffa6181 100644 --- a/doc/admin-guide/files/records.config.en.rst +++ b/doc/admin-guide/files/records.config.en.rst @@ -3233,11 +3233,18 @@ SSL Termination .. ts:cv:: CONFIG proxy.config.ssl.TLSv1 INT 0 - Enables (``1``) or disables (``0``) TLSv1.0. + Enables (``1``) or disables (``0``) TLSv1.0. If not specified, disabled by default. .. ts:cv:: CONFIG proxy.config.ssl.TLSv1_1 INT 0 - Enables (``1``) or disables (``0``) TLS v1.1. If not specified, enabled by default. [Requires OpenSSL v1.0.1 and higher] + Enables (``1``) or disables (``0``) TLS v1.1. If not specified, disabled by default. [Requires OpenSSL v1.0.1 and higher] + +.. note:: + In order to enable TLS v1 or v1.1, additional ciphers must be added to proxy.config.ssl.client.cipher_suite. For + example this list would restore the SHA1 (insecure!) cipher suites suitable for these deprecated TLS versions: + + ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA + .. ts:cv:: CONFIG proxy.config.ssl.TLSv1_2 INT 1
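Review bot: the added ``.. note::`` names proxy.config.ssl.client.cipher_suite, but the hunk header places these entries under "SSL Termination", where proxy.config.ssl.TLSv1 and proxy.config.ssl.TLSv1_1 are documented as the switches for these protocol versions. Please confirm which cipher list is actually consulted when these two settings are enabled. If it is the server-side list (proxy.config.ssl.server.cipher_suite), the note should name that setting instead, or name both if outbound connections are also affected. Whichever setting is meant, mark it up with the ``:ts:cv:`` role so it links to its own entry rather than appearing as plain text. Two smaller points in the same note: the cipher string is an indented paragraph, so it will render as a block quote and may be re-wrapped; a literal block (ending the preceding sentence with ``::``) would keep it copyable as one line. Also, since the example re-enables SHA1 suites, say whether the listed suites should be appended to the existing default list or replace it, because an operator who pastes this string as the whole value would drop the stronger suites used for TLS v1.2.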