[ https://issues.apache.org/jira/browse/TS-2400?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13864244#comment-13864244 ]
Igor Galić commented on TS-2400:
--------------------------------

[~bcall] with your recent work around SSL, do you have an opinion on this as well?

A recommendation from https://bettercrypto.org/static/applied-crypto-hardening.pdf is to set the cipher suite to

{code}
EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+ \
SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128 \
:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:! \
DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA \
:AES128-SHA
{code}

while disabling both SSLv2 and SSLv3.

I'm afraid Leif is right, at least in regard to the SSL Protocols, that this is a compatibility break and needs to go into 5.0.x

> Our default SSL cipher-suite advocates speed over security
> ----------------------------------------------------------
>
>                 Key: TS-2400
>                 URL: https://issues.apache.org/jira/browse/TS-2400
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: Configuration, SSL
>            Reporter: Igor Galić
>            Assignee: Igor Galić
>             Fix For: 4.2.0
>
>
> Our default cipher-suite advocates speed over security:
> {code}
> RC4-SHA:AES128-SHA:DES-CBC3-SHA:AES256-SHA:ALL:!aNULL:!EXP:!LOW:!MD5:!SSLV2:!NULL
> {code}
> Worse yet, it still has RC4 in there, along with some other bad defaults. RC4
> must be eradicated:
> https://blogs.technet.com/b/srd/archive/2013/11/12/security-advisory-2868725-recommendation-to-disable-rc4.aspx?Redirected=true
> We should by default advocate security, which means, we should advocate
> Perfect Forward Secrecy, which means we should also advocate OpenSSL >=
> 1.0.1e

--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
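The practical check behind this discussion, as an added example that is not part of the issue thread or of Traffic Server: resolve the two cipher strings quoted above against the local OpenSSL (Python's ssl module exposes the same `Kx=`/`Enc=` fields as `openssl ciphers -v`), then report whether any RC4 suite survives and how many forward-secret suites precede the first static-RSA one. Whether RC4-SHA shows up at all depends on the OpenSSL build the interpreter is linked against; newer builds omit RC4 entirely, which is why the old default is checked for ordering rather than for RC4 itself.

```python
import re
import ssl
from dataclasses import dataclass
# The two cipher strings quoted in this thread: the Traffic Server default
# under discussion and the bettercrypto.org recommendation.
OLD_DEFAULT = ("RC4-SHA:AES128-SHA:DES-CBC3-SHA:AES256-SHA:ALL:"
               "!aNULL:!EXP:!LOW:!MD5:!SSLV2:!NULL")
BETTERCRYPTO = ("EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:"
                "EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:"
                "+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:"
                "!DSS:!RC4:!SEED:!ECDSA:"
                "CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA")
# Kx= values that give forward secrecy: an ephemeral (EC)DH key is used,
# so the server's long-term RSA key cannot decrypt recorded traffic later.
PFS_KX = {"ECDH", "DH"}

@dataclass
class Suite:
    name: str
    kx: str   # Kx= field, e.g. RSA, ECDH, DH
    enc: str  # Enc= field, e.g. RC4(128), AESGCM(256)

def parse_description(line):
    """Parse one `openssl ciphers -v` style line (name ... Kx=.. Enc=..)."""
    return Suite(name=line.split()[0],
                 kx=re.search(r"Kx=(\S+)", line).group(1),
                 enc=re.search(r"Enc=(\S+)", line).group(1))

def expand(cipher_string):
    """Resolve a cipher string against the local OpenSSL, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    # TLS 1.3 suites are always listed and are not governed by the string.
    return [parse_description(c["description"])
            for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def audit(cipher_string):
    suites = expand(cipher_string)
    is_pfs = [s.kx in PFS_KX for s in suites]
    # Number of forward-secret suites offered before the first static-RSA one.
    leading_pfs = is_pfs.index(False) if False in is_pfs else len(is_pfs)
    return {"total": len(suites),
            "rc4": [s.name for s in suites if s.enc.startswith("RC4")],
            "non_pfs": [s.name for s in suites if s.kx not in PFS_KX],
            "leading_pfs": leading_pfs}

if __name__ == "__main__":
    for label, cs in (("old default", OLD_DEFAULT), ("bettercrypto", BETTERCRYPTO)):
        print(label, audit(cs))
```

With the recommended string every forward-secret suite comes first and the four static-RSA suites at its tail are the only non-PFS entries; with the old default the very first suite offered already lacks forward secrecy.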