  1. Traffic Server
  2. TS-2400

Our default SSL cipher-suite advocates speed over security

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 5.0.0
    • Component/s: Configuration, SSL
    • Labels:
      None

      Description

      Our default cipher-suite advocates speed over security:

      RC4-SHA:AES128-SHA:DES-CBC3-SHA:AES256-SHA:ALL:!aNULL:!EXP:!LOW:!MD5:!SSLV2:!NULL
      

      Worse yet, it still has RC4 in there, along with some other bad defaults. RC4 must be eradicated: https://blogs.technet.com/b/srd/archive/2013/11/12/security-advisory-2868725-recommendation-to-disable-rc4.aspx?Redirected=true

      We should by default advocate security, which means we should advocate Perfect Forward Secrecy, which means we should also advocate OpenSSL >= 1.0.1e.
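
A static, name-based audit of the default string in the description, checking the two problems it names: RC4 and the absence of forward-secret key exchange. This is an added example, not part of the original report or of Traffic Server's code; the function names are hypothetical, and the second string is constructed for contrast and is not the fix the project applied.

```python
import re

# Key-exchange heads OpenSSL uses for ephemeral (EC)DH suites and aliases.
FS_HEADS = {"ECDHE", "DHE", "EDH", "EECDH", "KEECDH", "KEDH"}
NO_FS = "no authenticated (EC)DHE key exchange"

PAGE_DEFAULT = ("RC4-SHA:AES128-SHA:DES-CBC3-SHA:AES256-SHA:ALL:"
                "!aNULL:!EXP:!LOW:!MD5:!SSLV2:!NULL")       # from the report
CONSTRUCTED = ("ECDHE-RSA-AES128-GCM-SHA256:"
               "DHE-RSA-AES128-GCM-SHA256:!RC4:!aNULL")     # constructed sample

def _tokens(cipher_list):
    # OpenSSL accepts ':', ',' and ' ' as separators in a cipher list.
    return [t for t in re.split(r"[:, ]+", cipher_list.strip()) if t]

def _adds_ciphers(token):
    # '!', '-', '+' and '@STRENGTH' tokens remove or reorder; they add nothing.
    return token[0] not in "!-+@"

def audit_cipher_list(cipher_list):
    """Return [(token, [issues])] for cipher-adding tokens, in preference order."""
    tokens = _tokens(cipher_list)
    # '!X' removes X permanently, so a later alias such as ALL cannot re-add it.
    excluded = {t[1:].upper() for t in tokens if t.startswith("!")}
    findings = []
    for token in filter(_adds_ciphers, tokens):
        name = token.upper()
        head = re.split(r"[-+]", name)[0]
        issues = []
        if "RC4" in name and "RC4" not in excluded:
            issues.append("RC4")
        if name == "ALL" and "RC4" not in excluded:
            issues.append("alias admits RC4 (no !RC4)")
        elif "-" in name and head not in FS_HEADS:
            issues.append(NO_FS)
        if issues:
            findings.append((token, issues))
    return findings

def prefers_forward_secrecy(cipher_list):
    """True if the most-preferred cipher-adding token is an (EC)DHE suite."""
    for token in filter(_adds_ciphers, _tokens(cipher_list)):
        return re.split(r"[-+]", token.upper())[0] in FS_HEADS
    return False

if __name__ == "__main__":
    for label, s in (("page default", PAGE_DEFAULT), ("constructed", CONSTRUCTED)):
        print(label, prefers_forward_secrecy(s), audit_cipher_list(s))
```

The check works on suite names only and does not consult an OpenSSL build, so the effective list on a given server should still be confirmed with `openssl ciphers -v`.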

              People

              • Assignee:
                bcall Bryan Call
                Reporter:
                i.galic Igor Galić