...
SSL new features and improvements
Change in behavior of proxy.config.ssl.server.honor_cipher_order setting
A bug regarding the behavior of the proxy.config.ssl.server.honor_cipher_order setting has been fixed. When enabled this setting allows the server to pick the preferred cipher used during the TLS or SSLv3 handshake based on the value of the proxy.config.ssl.server.cipher_suite setting.
Previously, a value of 0 enabled this setting, and a value of 1 disabled this setting - the reverse of the expected behavior. ATS previously shipped with a value of 1 (disabled). Starting in 4.2.0, the expected behavior was restored - 1 for enable, 0 for disable. The default in 4.2.0+ is 0, so the out of the box behavior remains the same.
Please verify/update records.config if you migrated this value from an older version of ATS to 4.2.0.
Jira: TS-2370
TLS 1.1 and 1.2 Configurations
There are two new options to turn off or on TLS 1.1 and TLS 1.2. By default TLS 1.2 is enabled still (value of 1), but can be disabled if you experience a crash with TLS 1.2. These versions of OpenSSL would experience this problem: 1.0.1, 1.0.1a, 1.0.1b, 1.0.1c, 1.0.1d, and 1.0.1e. There is an open issue with openssl http://rt.openssl.org/Ticket/Display.html?id=3200.
...
Code Block |
---|
CONFIG proxy.config.ssl.server.cipher_suite STRING ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2 |
...
- Slide deck with more feature / improvement details
If you experience issues
Please take a look at TS-2564 to see if this issue is affecting you.