On Tue, May 26, 2015 at 1:53 PM Susan Hinrichs < shinr...@network-geographics.com> wrote:
> Hmm. I just ran ssllabs against
> https://docs.trafficserver.apache.org/en/latest/ which is running 5.3.x
> (which I think is the same as 5.3.0). All was happy. Will need to look
> more closely at your records.config. Good to know that running sslscan
> locally also produces the problem. Should get this figured out before
> you need to move up to 5.3.x.
>

Susan, were you able to reproduce this?

>
> On 5/26/2015 2:40 PM, Reindl Harald wrote:
> >
> >
> > On 26.05.2015 at 21:32, Susan Hinrichs wrote:
> >> Hi Reindl,
> >>
> >> I'll have to try to reproduce from outside the office.
> >>
> >> If I understand you correctly, you can access the server behind ATS ok.
> >> Then you do the ssllabs scan (which fails badly). Then your browser can
> >> no longer access the server.
> >>
> >> Definitely sounds like badness.
> >
> > forget the server behind ATS, there are multiple and they are innocent
> >
> > * ATS 5.3.0 seems to work fine in the browser
> > * ssllabs says no connection
> > * the same host no longer responds in the browser
> > * other reverse proxy hosts appear to still work fine
> > * ssllabs them, they are also gone
> > * it's not only ssllabs, local sslscan to ATS kills it also
> > * the problem is "no shared ciphers"
> >
> > something seems to go terribly wrong with multiple TLS hosts, some of
> > them configured for just TLS-offloading, some of them also use TLS to
> > the origin (caused by a backend CMS not handling external offloading
> > properly) and a mix of our wildcard certificate and host-specific ones
> >
> > happily i recognized that very soon and built 5.2.1 for Fedora 21
> > (x86_64) which was also running with F20 on that machine
> >
> > no time to dig that deeper because i am at dist-upgrades for around 30
> > servers and ATS was the only problem until now, happily 5.2.1 still
> > works fine
> >
> >> On 5/26/2015 2:22 PM, Reindl Harald wrote:
> >>>
> >>>
> >>> On 26.05.2015 at 21:04, Dave Thompson wrote:
> >>>> Hi Reindl,
> >>>>
> >>>> More details regarding host might help, though if the issue is related
> >>>> to having an external scanner contact an internal ATS, you can test
> >>>> TCP connectivity with just a 'telnet hostname port'.
> >>>
> >>> TLS is fucked up, nobody talks about an internal host
> >>>
> >>>> To test SSL handshake, you might alternatively try:
> >>>> openssl s_client -connect login.yahoo.com:443 < /dev/null
> >>>>
> >>>> If you're trying an internal scan to something that ssllabs.com can't
> >>>> access, you might be interested in checking out:
> >>>> yo/checkmyssl
> >>>
> >>> uhm that is and was a production server running as reverse proxy and
> >>> reachable from ssllabs - the point is that *after* ssllabs try to scan
> >>> the host the page is dead and firefox complains about no shared ciphers
> >>>
> >>> please read again my post!
> >>>
> >>> for me that's now done by downgrade to 5.2.1 and all is fine as before
> >>> with nothing else changed
> >>>
> >>>> On Tuesday, May 26, 2015 1:34 PM, Reindl Harald <h.rei...@thelounge.net> wrote:
> >>>>
> >>>>
> >>>> i recently did a dist-upgrade to Fedora 21 and at that time decided to
> >>>> upgrade ATS to 5.3.0 since load-tests without encryption were fine
> >>>>
> >>>> well, https://www.ssllabs.com/ssltest/ says no connection, after that
> >>>> Firefox, which previously displayed the page, said "no shared ciphers"
> >>>> at reload, local "sslscan" is more than strange - in other words: as
> >>>> soon as you start to scan the server for ssl ciphers something goes
> >>>> terribly wrong
> >>>>
> >>>> it happens that another SNI host still works, until you try to scan
> >>>> it too
> >>>>
> >>>> downgrade to 5.2.1 and all is fine again
> >>>> P.S.: the download page should not only list a .0 release
> >>>> ______________________________________________
> >>>>
> >>>> without changing the environment these different results for "sslscan
> >>>> host:443" should be impossible
> >>>>
> >>>> Preferred Server Cipher(s):
> >>>>     SSLv2  0 bits    (NONE)
> >>>>     SSLv3  0 bits    (NONE)
> >>>>     TLSv1  0 bits    (NONE)
> >>>>     TLS11  0 bits    (NONE)
> >>>>     TLS12  0 bits    (NONE)
> >>>>
> >>>> Preferred Server Cipher(s):
> >>>>     SSLv2  0 bits    (NONE)
> >>>>     SSLv3  0 bits    (NONE)
> >>>>     TLSv1  0 bits    (NONE)
> >>>>     TLS11  0 bits    (NONE)
> >>>>     TLS12  128 bits  ECDHE-RSA-AES128-GCM-SHA256
> >>>> ______________________________________________
> >>>>
> >>>> 5.2.1:
> >>>>
> >>>> Preferred Server Cipher(s):
> >>>>     SSLv2  0 bits    (NONE)
> >>>>     SSLv3  0 bits    (NONE)
> >>>>     TLSv1  128 bits  ECDHE-RSA-AES128-SHA
> >>>>     TLS11  128 bits  ECDHE-RSA-AES128-SHA
> >>>>     TLS12  128 bits  ECDHE-RSA-AES128-GCM-SHA256
> >>>> ______________________________________________
> >>>>
> >>>> records.config
> >>>>
> >>>> ##############################################################################
> >>>> # System Variables
> >>>> ##############################################################################
> >>>> CONFIG proxy.config.proxy_name STRING proxy.thelounge.net
> >>>> CONFIG proxy.config.config_dir STRING /etc/trafficserver
> >>>> CONFIG proxy.config.proxy_binary_opts STRING -M
> >>>> CONFIG proxy.config.temp_dir STRING /tmp
> >>>> CONFIG proxy.config.alarm_email STRING ats
> >>>> CONFIG proxy.config.syslog_facility STRING LOG_DAEMON
> >>>> CONFIG proxy.config.output.logfile STRING traffic.out
> >>>> CONFIG proxy.config.snapshot_dir STRING snapshots
> >>>> CONFIG proxy.config.system.mmap_max INT 2097152
> >>>>
> >>>> ##############################################################################
> >>>> # Main threads configuration (worker threads). Also see configurations for
> >>>> # SSL threads, disk I/O threads and task threads in their respective areas
> >>>> ##############################################################################
> >>>> CONFIG proxy.config.exec_thread.autoconfig INT 0
> >>>> CONFIG proxy.config.exec_thread.limit INT 4
> >>>> CONFIG proxy.config.exec_thread.affinity INT 1
> >>>> CONFIG proxy.config.accept_threads INT 0
> >>>>
> >>>> ##############################################################################
> >>>> # Local Manager
> >>>> ##############################################################################
> >>>> CONFIG proxy.config.admin.admin_user STRING admin
> >>>> CONFIG proxy.config.admin.number_config_bak INT 0
> >>>> CONFIG proxy.config.admin.user_id STRING ats
> >>>>
> >>>> ##############################################################################
> >>>> # Process Manager
> >>>> ##############################################################################
> >>>> CONFIG proxy.config.admin.autoconf_port INT 8083
> >>>> CONFIG proxy.config.process_manager.mgmt_port INT 8084
> >>>>
> >>>> ##############################################################################
> >>>> # HTTP Engine
> >>>> ##############################################################################
> >>>> CONFIG proxy.config.http.server_ports STRING 80 443:ssl
> >>>> CONFIG proxy.config.http.connect_ports STRING 80
> >>>> CONFIG proxy.config.http.insert_request_via_str INT 0
> >>>> CONFIG proxy.config.http.insert_response_via_str INT 0
> >>>> CONFIG proxy.config.http.response_server_enabled INT 0
> >>>> CONFIG proxy.config.http.insert_age_in_response INT 1
> >>>> CONFIG proxy.config.http.enable_url_expandomatic INT 0
> >>>> CONFIG proxy.config.http.no_dns_just_forward_to_parent INT 0
> >>>> CONFIG proxy.config.http.uncacheable_requests_bypass_parent INT 0
> >>>> CONFIG proxy.config.http.keep_alive_enabled_in INT 1
> >>>> CONFIG proxy.config.http.keep_alive_enabled_out INT 1
> >>>> CONFIG proxy.config.http.chunking_enabled INT 1
> >>>> CONFIG proxy.config.http.chunking.size 64k
> >>>> CONFIG proxy.config.http.send_http11_requests INT 1
> >>>> CONFIG proxy.config.http.share_server_sessions INT 1
> >>>> CONFIG proxy.config.http.origin_server_pipeline INT 1
> >>>> CONFIG proxy.config.http.user_agent_pipeline INT 8
> >>>> CONFIG proxy.config.http.referer_filter INT 0
> >>>> CONFIG proxy.config.http.accept_unknown_methods INT 0
> >>>>
> >>>> ##############################################################################
> >>>> # parent proxy configuration
> >>>> ##############################################################################
> >>>> CONFIG proxy.config.http.parent_proxy_routing_enable INT 0
> >>>>
> >>>> ##############################################################################
> >>>> # HTTP connection timeouts (secs)
> >>>> # out: proxy -> origin server connection
> >>>> # in : ua -> proxy connection
> >>>> ##############################################################################
> >>>> CONFIG proxy.config.http.keep_alive_no_activity_timeout_in INT 1
> >>>> CONFIG proxy.config.http.keep_alive_no_activity_timeout_out INT 1
> >>>> CONFIG proxy.config.http.transaction_no_activity_timeout_in INT 60
> >>>> CONFIG proxy.config.http.transaction_no_activity_timeout_out INT 60
> >>>> CONFIG proxy.config.http.transaction_active_timeout_in INT 3600
> >>>> CONFIG proxy.config.http.transaction_active_timeout_out INT 0
> >>>> CONFIG proxy.config.http.accept_no_activity_timeout INT 1
> >>>> CONFIG proxy.config.http.background_fill_active_timeout INT 0
> >>>> CONFIG proxy.config.http.background_fill_completed_threshold FLOAT 0.0
> >>>>
> >>>> ##############################################################################
> >>>> # origin server connect attempts
> >>>> ##############################################################################
> >>>> CONFIG proxy.config.http.connect_attempts_max_retries INT 10
> >>>> CONFIG proxy.config.http.connect_attempts_max_retries_dead_server INT 10
> >>>> CONFIG proxy.config.http.connect_attempts_rr_retries INT 10
> >>>> CONFIG proxy.config.http.connect_attempts_timeout INT 30
> >>>> CONFIG proxy.config.http.post_connect_attempts_timeout INT 1800
> >>>> CONFIG proxy.config.http.down_server.cache_time INT 5
> >>>> CONFIG proxy.config.http.down_server.abort_threshold INT 30
> >>>>
> >>>> ##############################################################################
> >>>> # congestion control
> >>>> ##############################################################################
> >>>> CONFIG proxy.config.http.congestion_control.enabled INT 0
> >>>>
> >>>> ##############################################################################
> >>>> # negative response caching
> >>>> ##############################################################################
> >>>> CONFIG proxy.config.http.negative_caching_enabled INT 1
> >>>> CONFIG proxy.config.http.negative_caching_lifetime INT 1
> >>>>
> >>>> ##############################################################################
> >>>> # proxy users variables
> >>>> ##############################################################################
> >>>> CONFIG proxy.config.http.anonymize_remove_from INT 0
> >>>> CONFIG proxy.config.http.anonymize_remove_referer INT 0
> >>>> CONFIG proxy.config.http.anonymize_remove_user_agent INT 0
> >>>> CONFIG proxy.config.http.anonymize_remove_cookie INT 0
> >>>> CONFIG proxy.config.http.anonymize_remove_client_ip INT 0
> >>>> CONFIG proxy.config.http.anonymize_insert_client_ip INT 0
> >>>> CONFIG proxy.config.http.anonymize_other_header_list STRING NULL
> >>>> CONFIG proxy.config.http.insert_squid_x_forwarded_for INT 1
> >>>>
> >>>> ##############################################################################
> >>>> # security
> >>>> ##############################################################################
> >>>> CONFIG proxy.config.http.push_method_enabled INT 0
> >>>>
> >>>> ##############################################################################
> >>>> # cache control
> >>>> ##############################################################################
> >>>> CONFIG proxy.config.http.normalize_ae_gzip INT 1
> >>>> CONFIG proxy.config.http.cache.http INT 1
> >>>> CONFIG proxy.config.http.cache.cache_responses_to_cookies INT 3
> >>>> CONFIG proxy.config.http.cache.cache_urls_that_look_dynamic INT 1
> >>>> CONFIG proxy.config.http.cache.ims_on_client_no_cache INT 1
> >>>> CONFIG proxy.config.http.cache.ignore_client_cc_max_age INT 0
> >>>> CONFIG proxy.config.http.cache.ignore_client_no_cache INT 0
> >>>> CONFIG proxy.config.http.cache.ignore_accept_mismatch INT 2
> >>>> CONFIG proxy.config.http.cache.ignore_accept_language_mismatch INT 2
> >>>> CONFIG proxy.config.http.cache.ignore_accept_encoding_mismatch INT 2
> >>>> CONFIG proxy.config.http.cache.ignore_accept_charset_mismatch INT 2
> >>>> CONFIG proxy.config.http.cache.ignore_server_no_cache INT 0
> >>>> CONFIG proxy.config.http.cache.ignore_authentication INT 0
> >>>> CONFIG proxy.config.http.cache.enable_default_vary_headers INT 0
> >>>> CONFIG proxy.config.http.cache.when_to_revalidate INT 0
> >>>> CONFIG proxy.config.http.cache.when_to_add_no_cache_to_msie_requests INT 0
> >>>> CONFIG proxy.config.http.cache.required_headers INT 0
> >>>> CONFIG proxy.config.http.cache.max_stale_age INT 1800
> >>>> CONFIG proxy.config.http.cache.range.lookup INT 0
> >>>> CONFIG proxy.config.cache.vary_on_user_agent INT 0
> >>>>
> >>>> ##############################################################################
> >>>> # heuristic expiration
> >>>> ##############################################################################
> >>>> CONFIG proxy.config.http.cache.heuristic_min_lifetime INT 60
> >>>> CONFIG proxy.config.http.cache.heuristic_max_lifetime INT 60
> >>>> CONFIG proxy.config.http.cache.heuristic_lm_factor FLOAT 0.100000
> >>>> CONFIG proxy.config.http.cache.fuzz.time INT 60
> >>>> CONFIG proxy.config.http.cache.fuzz.probability FLOAT 0.005000
> >>>>
> >>>> ##############################################################################
> >>>> # dynamic content & content negotiation
> >>>> ##############################################################################
> >>>> CONFIG proxy.config.http.cache.vary_default_text STRING Accept-Encoding
> >>>> CONFIG proxy.config.http.cache.vary_default_images STRING NULL
> >>>> CONFIG proxy.config.http.cache.vary_default_other STRING NULL
> >>>>
> >>>> ##############################################################################
> >>>> # The HTTP stats are expensive, turn off you dont need them
> >>>> ##############################################################################
> >>>> CONFIG proxy.config.http.enable_http_stats INT 0
> >>>>
> >>>> ##############################################################################
> >>>> # Customizable User Response Pages
> >>>> ##############################################################################
> >>>> CONFIG proxy.config.body_factory.enable_customizations INT 1
> >>>> CONFIG proxy.config.body_factory.enable_logging INT 0
> >>>> CONFIG proxy.config.body_factory.response_suppression_mode INT 0
> >>>>
> >>>> ##############################################################################
> >>>> # Net Subsystem
> >>>> ##############################################################################
> >>>> CONFIG proxy.config.net.connections_throttle INT 30000
> >>>> CONFIG proxy.config.net.defer_accept INT 1
> >>>>
> >>>> ##############################################################################
> >>>> # Cluster Subsystem
> >>>> ##############################################################################
> >>>> LOCAL proxy.local.cluster.type INT 3
> >>>>
> >>>> ##############################################################################
> >>>> # Cache
> >>>> ##############################################################################
> >>>> CONFIG proxy.config.cache.permit.pinning INT 0
> >>>> CONFIG proxy.config.cache.ram_cache.size INT 2560M
> >>>> CONFIG proxy.config.cache.ram_cache_cutoff INT 512K
> >>>> CONFIG proxy.config.cache.ram_cache.algorithm INT 1
> >>>> CONFIG proxy.config.cache.ram_cache.use_seen_filter INT 0
> >>>> CONFIG proxy.config.cache.ram_cache.compress INT 0
> >>>> CONFIG proxy.config.cache.limits.http.max_alts INT 10
> >>>> CONFIG proxy.config.cache.target_fragment_size INT 262144
> >>>> CONFIG proxy.config.cache.max_doc_size INT 0
> >>>> CONFIG proxy.config.cache.enable_read_while_writer INT 1
> >>>> CONFIG proxy.config.connection_collapsing.hashtable_enabled INT 1
> >>>> CONFIG proxy.config.cache.min_average_object_size INT 32K
> >>>> CONFIG proxy.config.cache.threads_per_disk INT 8
> >>>> CONFIG proxy.config.cache.mutex_retry_delay INT 10
> >>>>
> >>>> ##############################################################################
> >>>> # DNS
> >>>> ##############################################################################
> >>>> CONFIG proxy.config.dns.search_default_domains INT 1
> >>>> CONFIG proxy.config.dns.splitDNS.enabled INT 0
> >>>> CONFIG proxy.config.dns.max_dns_in_flight INT 2048
> >>>> CONFIG proxy.config.dns.url_expansions STRING NULL
> >>>> CONFIG proxy.config.dns.round_robin_nameservers INT 0
> >>>> CONFIG proxy.config.dns.nameservers STRING 127.0.0.1
> >>>> CONFIG proxy.config.dns.resolv_conf STRING NULL
> >>>> CONFIG proxy.config.dns.validate_query_name INT 0
> >>>>
> >>>> ##############################################################################
> >>>> # HostDB
> >>>> ##############################################################################
> >>>> CONFIG proxy.config.hostdb.size INT 50000
> >>>> CONFIG proxy.config.hostdb.storage_size INT 14680064
> >>>> CONFIG proxy.config.hostdb.ttl_mode INT 1
> >>>> CONFIG proxy.config.hostdb.timeout INT 60
> >>>> CONFIG proxy.config.hostdb.strict_round_robin INT 0
> >>>> CONFIG proxy.config.hostdb.host_file.path STRING /etc/hosts.dnsmasq
> >>>> CONFIG proxy.config.hostdb.host_file.interval INT 3600
> >>>> CONFIG proxy.config.hostdb.ip_resolve STRING ipv4;none
> >>>>
> >>>> ##############################################################################
> >>>> # Logging Config
> >>>> #
> >>>> # 0: no logging at all
> >>>> # 1: log errors only
> >>>> # 2: log transactions only
> >>>> # 3: full logging (errors + transactions)
> >>>> ##############################################################################
> >>>> LOCAL proxy.local.log.collation_mode INT 0
> >>>> CONFIG proxy.config.log.logging_enabled INT 1
> >>>> CONFIG proxy.config.log.max_secs_per_buffer INT 5
> >>>> CONFIG proxy.config.log.max_space_mb_for_logs INT 25000
> >>>> CONFIG proxy.config.log.max_space_mb_for_orphan_logs INT 25
> >>>> CONFIG proxy.config.log.max_space_mb_headroom INT 1000
> >>>> CONFIG proxy.config.log.hostname STRING localhost
> >>>> CONFIG proxy.config.log.logfile_dir STRING /var/log/trafficserver
> >>>> CONFIG proxy.config.log.logfile_perm STRING rw-rw----
> >>>> CONFIG proxy.config.log.custom_logs_enabled INT 0
> >>>> CONFIG proxy.config.log.squid_log_enabled INT 0
> >>>> CONFIG proxy.config.log.squid_log_is_ascii INT 0
> >>>> CONFIG proxy.config.log.squid_log_name STRING squid
> >>>> CONFIG proxy.config.log.squid_log_header STRING NULL
> >>>> CONFIG proxy.config.log.common_log_enabled INT 0
> >>>> CONFIG proxy.config.log.common_log_is_ascii INT 1
> >>>> CONFIG proxy.config.log.common_log_name STRING common
> >>>> CONFIG proxy.config.log.common_log_header STRING NULL
> >>>> CONFIG proxy.config.log.extended_log_enabled INT 0
> >>>> CONFIG proxy.config.log.extended_log_is_ascii INT 0
> >>>> CONFIG proxy.config.log.extended_log_name STRING extended
> >>>> CONFIG proxy.config.log.extended_log_header STRING NULL
> >>>> CONFIG proxy.config.log.extended2_log_enabled INT 0
> >>>> CONFIG proxy.config.log.extended2_log_is_ascii INT 1
> >>>> CONFIG proxy.config.log.extended2_log_name STRING extended2
> >>>> CONFIG proxy.config.log.extended2_log_header STRING NULL
> >>>> CONFIG proxy.config.log.separate_icp_logs INT 0
> >>>> CONFIG proxy.config.log.separate_host_logs INT 0
> >>>> CONFIG proxy.config.log.collation_host STRING NULL
> >>>> CONFIG proxy.config.log.collation_port INT 8085
> >>>> CONFIG proxy.config.log.collation_secret STRING foobar
> >>>> CONFIG proxy.config.log.collation_host_tagged INT 0
> >>>> CONFIG proxy.config.log.collation_retry_sec INT 5
> >>>> CONFIG proxy.config.log.rolling_enabled INT 1
> >>>> CONFIG proxy.config.log.rolling_interval_sec INT 86400
> >>>> CONFIG proxy.config.log.rolling_offset_hr INT 0
> >>>> CONFIG proxy.config.log.rolling_size_mb INT 10
> >>>> CONFIG proxy.config.log.auto_delete_rolled_files INT 1
> >>>> CONFIG proxy.config.log.sampling_frequency INT 1
> >>>>
> >>>> ##############################################################################
> >>>> # Reverse Proxy
> >>>> ##############################################################################
> >>>> CONFIG proxy.config.reverse_proxy.enabled INT 1
> >>>> CONFIG proxy.config.header.parse.no_host_url_redirect STRING NULL
> >>>>
> >>>> ##############################################################################
> >>>> # URL Remap Rules
> >>>> ##############################################################################
> >>>> CONFIG proxy.config.url_remap.default_to_server_pac INT 0
> >>>> CONFIG proxy.config.url_remap.default_to_server_pac_port INT -1
> >>>> CONFIG proxy.config.url_remap.remap_required INT 1
> >>>> CONFIG proxy.config.url_remap.pristine_host_hdr INT 1
> >>>>
> >>>> ##############################################################################
> >>>> # ICP Configuration
> >>>> ##############################################################################
> >>>> CONFIG proxy.config.icp.enabled INT 0
> >>>>
> >>>> ##############################################################################
> >>>> # Scheduled Update Configuration
> >>>> ##############################################################################
> >>>> CONFIG proxy.config.update.enabled INT 0
> >>>> CONFIG proxy.config.update.force INT 0
> >>>> CONFIG proxy.config.update.retry_count INT 10
> >>>> CONFIG proxy.config.update.retry_interval INT 2
> >>>> CONFIG proxy.config.update.concurrent_updates INT 100
> >>>>
> >>>> ##############################################################################
> >>>> # Socket send/recv buffer sizes 0 == dont call setsockopt()
> >>>> # out: proxy -> os connection
> >>>> # in : ua -> proxy connection
> >>>> ##############################################################################
> >>>> CONFIG proxy.config.net.sock_send_buffer_size_in INT 65536
> >>>> CONFIG proxy.config.net.sock_recv_buffer_size_in INT 65536
> >>>> CONFIG proxy.config.net.sock_option_flag_in INT 1
> >>>> CONFIG proxy.config.net.sock_send_buffer_size_out INT 65536
> >>>> CONFIG proxy.config.net.sock_recv_buffer_size_out INT 65536
> >>>> CONFIG proxy.config.net.sock_option_flag_out INT 1
> >>>>
> >>>> ##############################################################################
> >>>> # User Overridden Configurations Below
> >>>> ##############################################################################
> >>>> CONFIG proxy.config.core_limit INT -1
> >>>>
> >>>> ##############################################################################
> >>>> # Debugging
> >>>> ##############################################################################
> >>>> CONFIG proxy.config.diags.debug.enabled INT 0
> >>>> CONFIG proxy.config.diags.debug.tags STRING http.*|dns.*
> >>>> CONFIG proxy.config.dump_mem_info_frequency INT 0
> >>>> CONFIG proxy.config.stack_dump_enabled 0
> >>>>
> >>>> ##############################################################################
> >>>> # Log any request that takes more then x number of milliseconds, needs
> >>>> # to be > 0 to be enabled
> >>>> ##############################################################################
> >>>> CONFIG proxy.config.http.slow.log.threshold INT 0
> >>>>
> >>>> ##############################################################################
> >>>> # Thread pool for "misc" tasks, plugins etc. 2 is a good minimum
> >>>> ##############################################################################
> >>>> CONFIG proxy.config.task_threads INT 2
> >>>> CONFIG proxy.config.cluster.cluster_configuration STRING cluster.config
> >>>> CONFIG proxy.config.body_factory.template_sets_dir STRING /etc/trafficserver/body_factory
> >>>>
> >>>> ##############################################################################
> >>>> # SSL/TLS
> >>>> ##############################################################################
> >>>> CONFIG proxy.config.ssl.SSLv2 INT 0
> >>>> CONFIG proxy.config.ssl.SSLv3 INT 0
> >>>> CONFIG proxy.config.ssl.TLSv1 INT 1
> >>>> CONFIG proxy.config.ssl.TLSv1_1 INT 1
> >>>> CONFIG proxy.config.ssl.TLSv1_2 INT 1
> >>>> CONFIG proxy.config.ssl.client.SSLv2 INT 1
> >>>> CONFIG proxy.config.ssl.client.SSLv3 INT 1
> >>>> CONFIG proxy.config.ssl.client.TLSv1 INT 1
> >>>> CONFIG proxy.config.ssl.client.TLSv1_1 INT 1
> >>>> CONFIG proxy.config.ssl.client.TLSv1_2 INT 1
> >>>> CONFIG proxy.config.ssl.client.certification_level INT 0
> >>>> CONFIG proxy.config.ssl.server.multicert.filename STRING ssl_multicert.config
> >>>> CONFIG proxy.config.ssl.server.cert.path STRING /etc/trafficserver/ssl/
> >>>> CONFIG proxy.config.ssl.server.private_key.path STRING /etc/trafficserver/ssl/
> >>>> CONFIG proxy.config.ssl.CA.cert.path STRING /etc/trafficserver/ssl/
> >>>> CONFIG proxy.config.ssl.server.cipher_suite STRING ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-CAMELLIA256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:CAMELLIA128-SHA:CAMELLIA256-SHA:ECDHE-RSA-DES-CBC3-SHA:DES-CBC3-SHA:!LOW:!MEDIUM
> >>>> CONFIG proxy.config.ssl.server.honor_cipher_order INT 1
> >>>> CONFIG proxy.config.ssl.server.dhparams_file STRING /etc/trafficserver/ssl/dhparams.pem
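
A regression check for the symptom reported in this thread, as an added example that is not part of the original messages or of Traffic Server: it compares the server-side protocols enabled in records.config with the "Preferred Server Cipher(s)" block printed by sslscan, and diffs two scans of an unchanged host. The function names are hypothetical; the inputs are the values quoted in the thread, embedded as sample data.

```python
import re

# Order in which sslscan lists protocols under "Preferred Server Cipher(s)".
SCAN_LABELS = ["SSLv2", "SSLv3", "TLSv1", "TLS11", "TLS12"]
# records.config key suffix -> sslscan label.
CONFIG_TO_SCAN = {"SSLv2": "SSLv2", "SSLv3": "SSLv3", "TLSv1": "TLSv1",
                  "TLSv1_1": "TLS11", "TLSv1_2": "TLS12"}

# Sample data: the SSL lines and scan results quoted in the thread.
RECORDS_CONFIG = """\
CONFIG proxy.config.ssl.SSLv2 INT 0
CONFIG proxy.config.ssl.SSLv3 INT 0
CONFIG proxy.config.ssl.TLSv1 INT 1
CONFIG proxy.config.ssl.TLSv1_1 INT 1
CONFIG proxy.config.ssl.TLSv1_2 INT 1
CONFIG proxy.config.ssl.client.SSLv3 INT 1
"""
SCAN_530_FIRST = """\
Preferred Server Cipher(s):
    SSLv2  0 bits    (NONE)
    SSLv3  0 bits    (NONE)
    TLSv1  0 bits    (NONE)
    TLS11  0 bits    (NONE)
    TLS12  0 bits    (NONE)
"""
SCAN_530_SECOND = SCAN_530_FIRST.replace(
    "TLS12  0 bits    (NONE)", "TLS12  128 bits  ECDHE-RSA-AES128-GCM-SHA256")
SCAN_521 = """\
Preferred Server Cipher(s):
    SSLv2  0 bits    (NONE)
    SSLv3  0 bits    (NONE)
    TLSv1  128 bits  ECDHE-RSA-AES128-SHA
    TLS11  128 bits  ECDHE-RSA-AES128-SHA
    TLS12  128 bits  ECDHE-RSA-AES128-GCM-SHA256
"""

# Only server-side keys match; proxy.config.ssl.client.* is the origin-facing side.
SERVER_KEY = re.compile(
    r"^CONFIG\s+proxy\.config\.ssl\.(SSLv2|SSLv3|TLSv1_1|TLSv1_2|TLSv1)\s+INT\s+(\d+)\s*$",
    re.M)
SCAN_ROW = re.compile(
    r"^\s*(SSLv2|SSLv3|TLSv1|TLS11|TLS12)\s+\d+\s+bits\s+(\S+)\s*$", re.M)


def enabled_server_protocols(records_text):
    """sslscan labels of the protocols records.config enables on the listener."""
    on = {CONFIG_TO_SCAN[name] for name, value in SERVER_KEY.findall(records_text)
          if value != "0"}
    return [label for label in SCAN_LABELS if label in on]


def preferred_ciphers(scan_text):
    """Map protocol label -> preferred cipher, None where sslscan printed (NONE)."""
    return {label: (None if cipher == "(NONE)" else cipher)
            for label, cipher in SCAN_ROW.findall(scan_text)}


def missing_protocols(records_text, scan_text):
    """Protocols that are enabled in the config but negotiated no cipher."""
    seen = preferred_ciphers(scan_text)
    return [p for p in enabled_server_protocols(records_text) if seen.get(p) is None]


def scan_drift(first_scan, second_scan):
    """Protocols whose preferred cipher differs between two scans of one host."""
    a, b = preferred_ciphers(first_scan), preferred_ciphers(second_scan)
    return {p: (a.get(p), b.get(p)) for p in SCAN_LABELS if a.get(p) != b.get(p)}


if __name__ == "__main__":
    for name, scan in [("5.3.0 scan 1", SCAN_530_FIRST),
                       ("5.3.0 scan 2", SCAN_530_SECOND),
                       ("5.2.1", SCAN_521)]:
        print(name, "enabled but not negotiated:",
              missing_protocols(RECORDS_CONFIG, scan))
    print("drift between 5.3.0 scans:", scan_drift(SCAN_530_FIRST, SCAN_530_SECOND))
```

Any non-empty result from either check on an unchanged configuration reproduces the inconsistency described in the original post and is a reason to hold the upgrade.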