+1 to disabling for client <-> proxy,
but please keep SSLv2/v3 for proxy <-> origin.

I'm implementing a man-in-the-middle SSL forward proxy with ATS.

Sent from my iPhone

On April 11, 2016, at 08:57, Uri Shachar <ushac...@hotmail.com> wrote:

>> On Apr 10, 2016, at 7:42 AM, Phil Sorber <sor...@apache.org> wrote:
>> 
>> I'd like to propose that we deprecate SSLv2 and SSLv3 in ATS 6.2.0 and
>> remove it in 7.0.0.
>> 
>> Currently our defaults do not enable them and have been that way for about
>> a year now. For 6.2.0 I'd like to mark them deprecated in the
>> documentation, and then we remove the code for 7.0.0. This will mean that
>> as of 7.0.0 you will not be able to enable SSLv2/3 even if your OpenSSL
>> library supports it.
> 
> +1 to disabling for client <-> proxy connections.
> Completely disabling for proxy <-> origin is somewhat problematic for the 
> forward proxy use case -- there are still some lingering SSLv3 servers out 
> there, especially inside LANs....
> 
>                          Cheers,
>                                     Uri
