This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/9.0.x by this push: new ad92c8e Adds important config notes for TLS v1/1.1 (#6646) ad92c8e is described below commit ad92c8ee17025bbc1e82f3d8319a27c40f0869c6 Author: Leif Hedstrom <zw...@apache.org> AuthorDate: Fri Apr 10 16:41:56 2020 -0600 Adds important config notes for TLS v1/1.1 (#6646) * Adds important config notes for TLS v1/1.1 * Fix typo (cherry picked from commit 1fae1c9569f75d0f42c5f9377575bf25dbdac1e1) --- doc/admin-guide/files/records.config.en.rst | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/doc/admin-guide/files/records.config.en.rst b/doc/admin-guide/files/records.config.en.rst index 948f36c..adef1e2 100644 --- a/doc/admin-guide/files/records.config.en.rst +++ b/doc/admin-guide/files/records.config.en.rst @@ -3220,11 +3220,18 @@ SSL Termination .. ts:cv:: CONFIG proxy.config.ssl.TLSv1 INT 0 - Enables (``1``) or disables (``0``) TLSv1.0. + Enables (``1``) or disables (``0``) TLSv1.0. If not specified, disabled by default. .. ts:cv:: CONFIG proxy.config.ssl.TLSv1_1 INT 0 - Enables (``1``) or disables (``0``) TLS v1.1. If not specified, enabled by default. [Requires OpenSSL v1.0.1 and higher] + Enables (``1``) or disables (``0``) TLS v1.1. If not specified, disabled by default. [Requires OpenSSL v1.0.1 and higher] + +.. note:: + In order to enable TLS v1 or v1.1, additional ciphers must be added to proxy.config.ssl.client.cipher_suite. For + example this list would restore the SHA1 (insecure!) cipher suites suitable for these deprecated TLS versions: + + ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA + .. ts:cv:: CONFIG proxy.config.ssl.TLSv1_2 INT 1
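Review bot: In the added note, the setting named is proxy.config.ssl.client.cipher_suite, but the two options it annotates, proxy.config.ssl.TLSv1 and proxy.config.ssl.TLSv1_1, sit under "SSL Termination" and have no "client" component in their names. Please confirm that the client cipher list is the one that must change for these options. If the list applied to terminated (inbound) connections is what is meant, name that setting instead, or name both. The setting would also read better as a :ts:cv: cross-reference, and the cipher string belongs in a literal block so it renders unwrapped and can be copied as a single value. Because the note calls these SHA1 suites insecure, it is worth stating that they are appended to the existing list rather than used in place of it, so that enabling TLS v1 or v1.1 does not narrow what TLS v1.2 clients negotiate.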