Versions Compared

Old Version 23

changes.mady.by.user Leif Hedstrom

Saved on

compared with

New Version Current

changes.mady.by.user Daniel Ferradal

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migrated to Confluence 5.3

...

LinkedIn recently donated an implementation that allows for proxying of WebSockets. It supports the basic upgrade path for a web socket, and is configured using normal remap.config rules:

 

Code Block
map ws://www.example.com  ws://ws.example.com:9090

...

SSL new features and improvements

Change in behavior of proxy.config.ssl.server.honor_cipher_order setting

A bug regarding the behavior of the proxy.config.ssl.server.honor_cipher_order setting has been fixed.  When enabled this setting allows the server to pick the preferred cipher used during the TLS or SSLv3 handshake based on the value of the proxy.config.ssl.server.cipher_suite setting.

Previously, a value of 0 enabled this setting, and a value of 1 disabled this setting - the reverse of the expected behavior.  ATS previously shipped with a value of 1 (disabled).  Starting in 4.2.0, the expected behavior was restored - 1 for enable, 0 for disable.  The default in 4.2.0+ is 0, so the out of the box behavior remains the same.

Please verify/update records.config if you migrated this value from an older version of ATS to 4.2.0.

JiraTS-2370

TLS 1.1 and 1.2 Configurations

There are two new options to turn off or on TLS 1.1 and TLS 1.2.  By default TLS 1.2 is off enabled still (value of 01), for now, because of a problem but can be disabled if you experience a crash with TLS 1.2 crashing in openssl . These versions of OpenSSL would experience this problem: 1.0.1, 1.0.1a, 1.0.1b, 1.0.1c, 1.0.1d, and 1.0.1e.  There is an open issue with openssl http://rt.openssl.org/Ticket/Display.html?id=3200.

...

Code Block
    CONFIG proxy.config.ssl.TLSv1_1 INT 1
    CONFIG proxy.config.ssl.TLSv1_2 INT 01

JiraTS-23352355

RFC 5077 TLS Session tickets

...

Add forward secrecy support

...

Added support for elliptic curve ciphers (http://en.wikipedia.org/wiki/Elliptic_curve_cryptography) which generates a new key per session for enhanced security.  To use the elliptic curve ciphers you will need to modify the cipher list with the appropriate ciphers.  For example:

Code Block
CONFIG proxy.config.ssl.server.cipher_suite STRING ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2

Jira: TS-2372

Release memory for idle SSL sessions

...

  • Slide deck with more feature / improvement details

If you experience issues

Please take a look at TS-2564 to see if this issue is affecting you.