Remove deprecated verify.server for 9.0 (apache#7040)
Co-authored-by: Susan Hinrichs <shinrich@verizonmedia.com>
2 people authored and Damian Meden committed Sep 2, 2020
1 parent fcb056f commit b88f853
Showing 17 changed files with 28 additions and 136 deletions.
16 changes: 0 additions & 16 deletions doc/admin-guide/files/records.config.en.rst
Expand Up @@ -3561,22 +3561,6 @@ Client-Related Configuration
:code:`ALL`
Check both the signature and the name.

.. ts:cv:: CONFIG proxy.config.ssl.client.verify.server INT 0
:reloadable:
:deprecated:

This setting has been deprecated and :ts:cv:`proxy.config.ssl.client.verify.server.policy` and
:ts:cv:`proxy.config.ssl.client.verify.server.properties` should be used instead.

Configures |TS| to verify the origin server certificate
with the Certificate Authority (CA). This configuration takes a value between 0 to 2.

You can override this global setting on a per domain basis in the :file:`sni.yaml` file using the :ref:`verify_origin_server attribute<override-verify-origin-server>`.

:0: Server Certificate will not be verified
:1: Certificate will be verified and the connection will not be established if verification fail
:2: The provided certificate will be verified and the connection will be established

.. ts:cv:: CONFIG proxy.config.ssl.client.cert.filename STRING NULL
:reloadable:
:overridable:
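Review bot: The removed description spelled out what the values 0, 1 and 2 meant, and nothing in this hunk tells an operator upgrading to 9.0 what to set instead. Please add a short upgrade note next to proxy.config.ssl.client.verify.server.policy giving the mapping that the compatibility code removed from SSLConfig.cc applied: 0 is policy DISABLED, 1 is ENFORCED, 2 is PERMISSIVE, each with properties ALL.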
5 changes: 0 additions & 5 deletions doc/admin-guide/files/sni.yaml.en.rst
Expand Up @@ -42,7 +42,6 @@ Each table is a set of key / value pairs that create a configuration item. This
wildcard entries. To apply an SNI based setting on all the server names with a common upper level domain name,
the user needs to enter the fqdn in the configuration with a ``*.`` followed by the common domain name. (``*.yahoo.com`` for example).

.. _override-verify-origin-server:
.. _override-verify-server-policy:
.. _override-verify-server-properties:
.. _override-host-sni-policy:
Expand All @@ -67,10 +66,6 @@ verify_server_properties One of the values :code:`NONE`, :code:`SIGNATURE`, :co
By default this is :ts:cv:`proxy.config.ssl.client.verify.server.properties`.
This controls what Traffic Server checks when evaluating the origin certificate.

verify_origin_server Deprecated. Use verify_server_policy and verify_server_properties instead.
One of the values :code:`NONE`, :code:`MODERATE`, or :code:`STRICT`.
By default this is :ts:cv:`proxy.config.ssl.client.verify.server`.

verify_client One of the values :code:`NONE`, :code:`MODERATE`, or :code:`STRICT`.
If ``NONE`` is specified, |TS| requests no certificate. If ``MODERATE`` is specified
|TS| will verify a certificate that is presented by the client, but it will not
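Review bot: Dropping the verify_origin_server row leaves no hint for an existing sni.yaml that still uses the key. The YamlSNIConfig.cc change in this commit also removes it from valid_sni_config_keys, so the docs should say the key is gone in 9.0 and give the replacement: NONE becomes verify_server_policy DISABLED, MODERATE becomes PERMISSIVE, STRICT becomes ENFORCED, each with verify_server_properties ALL.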
Expand Up @@ -172,7 +172,6 @@ TSOverridableConfigKey Value Configuratio
:c:macro:`TS_CONFIG_SRV_ENABLED` :ts:cv:`proxy.config.srv_enabled`
:c:macro:`TS_CONFIG_SSL_CLIENT_CERT_FILENAME` :ts:cv:`proxy.config.ssl.client.cert.filename`
:c:macro:`TS_CONFIG_SSL_CERT_FILEPATH` :ts:cv:`proxy.config.ssl.client.cert.path`
:c:macro:`TS_CONFIG_SSL_CLIENT_VERIFY_SERVER` :ts:cv:`proxy.config.ssl.client.verify.server`
:c:macro:`TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_PROPERTIES` :ts:cv:`proxy.config.ssl.client.verify.server.properties`
:c:macro:`TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_POLICY` :ts:cv:`proxy.config.ssl.client.verify.server.policy`
:c:macro:`TS_CONFIG_SSL_CLIENT_SNI_POLICY` :ts:cv:`proxy.config.ssl.client.sni_policy`
Expand All @@ -181,8 +180,6 @@ TSOverridableConfigKey Value Configuratio
:c:macro:`TS_CONFIG_URL_REMAP_PRISTINE_HOST_HDR` :ts:cv:`proxy.config.url_remap.pristine_host_hdr`
:c:macro:`TS_CONFIG_WEBSOCKET_ACTIVE_TIMEOUT` :ts:cv:`proxy.config.websocket.active_timeout`
:c:macro:`TS_CONFIG_WEBSOCKET_NO_ACTIVITY_TIMEOUT` :ts:cv:`proxy.config.websocket.no_activity_timeout`
:c:macro:`TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_POLICY` :ts:cv:`proxy.config.ssl.client.verify.server.policy`
:c:macro:`TS_CONFIG_SSL_CLIENT_VERIFY_SERVER_PROPERTIES` :ts:cv:`proxy.config.ssl.client.verify.server.properties`
:c:macro:`TS_CONFIG_SSL_CLIENT_CERT_FILENAME` :ts:cv:`proxy.config.ssl.client.cert.filename`
:c:macro:`TS_CONFIG_SSL_CLIENT_PRIVATE_KEY_FILENAME` :ts:cv:`proxy.config.ssl.client.private_key.filename`
:c:macro:`TS_CONFIG_SSL_CLIENT_CA_CERT_FILENAME` :ts:cv:`proxy.config.ssl.client.CA.cert.filename`
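Review bot: The second hunk drops the repeated VERIFY_SERVER_POLICY and VERIFY_SERVER_PROPERTIES rows, but the TS_CONFIG_SSL_CLIENT_CERT_FILENAME row kept as context directly below them is itself a repeat of the row listed after TS_CONFIG_SRV_ENABLED in the first hunk. Remove that duplicate in the same pass so the table lists each overridable key once.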
103 changes: 28 additions & 75 deletions iocore/net/SSLConfig.cc
Expand Up @@ -354,82 +354,35 @@ SSLConfigParams::initialize()
// ++++++++++++++++++++++++ Client part ++++++++++++++++++++
client_verify_depth = 7;

// remove before 9.0.0 release
// Backwards compatibility if proxy.config.ssl.client.verify.server is explicitly set
RecSourceT source = REC_SOURCE_DEFAULT;
bool set_backwards_compatible = false;
if (RecGetRecordSource("proxy.config.ssl.client.verify.server", &source, false) == REC_ERR_OKAY) {
if (source != REC_SOURCE_DEFAULT && source != REC_SOURCE_NULL) {
int8_t verifyServer = 0;
REC_EstablishStaticConfigByte(verifyServer, "proxy.config.ssl.client.verify.server");
verifyServerProperties = YamlSNIConfig::Property::ALL_MASK;
switch (verifyServer) {
case 0:
verifyServerPolicy = YamlSNIConfig::Policy::DISABLED;
set_backwards_compatible = true;
break;
case 1:
verifyServerPolicy = YamlSNIConfig::Policy::ENFORCED;
set_backwards_compatible = true;
break;
case 2:
verifyServerPolicy = YamlSNIConfig::Policy::PERMISSIVE;
set_backwards_compatible = true;
break;
}
}
}

bool policy_default = true;
bool properties_default = true;
if (!set_backwards_compatible) {
policy_default = properties_default = false;
} else { // Only check for non-defaults if we have a backwards compatible situation
if (RecGetRecordSource("proxy.config.ssl.client.verify.server.policy", &source, false) == REC_ERR_OKAY &&
source != REC_SOURCE_DEFAULT && source != REC_SOURCE_NULL) {
policy_default = false;
}
if (RecGetRecordSource("proxy.config.ssl.client.verify.server.properties", &source, false) == REC_ERR_OKAY &&
source != REC_SOURCE_DEFAULT && source != REC_SOURCE_NULL) {
properties_default = false;
}
}

if (!set_backwards_compatible || !policy_default) {
char *verify_server = nullptr;
REC_ReadConfigStringAlloc(verify_server, "proxy.config.ssl.client.verify.server.policy");
if (strcmp(verify_server, "DISABLED") == 0) {
verifyServerPolicy = YamlSNIConfig::Policy::DISABLED;
} else if (strcmp(verify_server, "PERMISSIVE") == 0) {
verifyServerPolicy = YamlSNIConfig::Policy::PERMISSIVE;
} else if (strcmp(verify_server, "ENFORCED") == 0) {
verifyServerPolicy = YamlSNIConfig::Policy::ENFORCED;
} else {
Warning("%s is invalid for proxy.config.ssl.client.verify.server.policy. Should be one of DISABLED, PERMISSIVE, or ENFORCED",
verify_server);
verifyServerPolicy = YamlSNIConfig::Policy::DISABLED;
}
ats_free(verify_server);
}

if (!set_backwards_compatible || !properties_default) {
char *verify_server = nullptr;
REC_ReadConfigStringAlloc(verify_server, "proxy.config.ssl.client.verify.server.properties");
if (strcmp(verify_server, "SIGNATURE") == 0) {
verifyServerProperties = YamlSNIConfig::Property::SIGNATURE_MASK;
} else if (strcmp(verify_server, "NAME") == 0) {
verifyServerProperties = YamlSNIConfig::Property::NAME_MASK;
} else if (strcmp(verify_server, "ALL") == 0) {
verifyServerProperties = YamlSNIConfig::Property::ALL_MASK;
} else if (strcmp(verify_server, "NONE") == 0) {
verifyServerProperties = YamlSNIConfig::Property::NONE;
} else {
Warning("%s is invalid for proxy.config.ssl.client.verify.server.properties. Should be one of SIGNATURE, NAME, or ALL",
verify_server);
verifyServerProperties = YamlSNIConfig::Property::NONE;
}
ats_free(verify_server);
char *verify_server = nullptr;
REC_ReadConfigStringAlloc(verify_server, "proxy.config.ssl.client.verify.server.policy");
if (strcmp(verify_server, "DISABLED") == 0) {
verifyServerPolicy = YamlSNIConfig::Policy::DISABLED;
} else if (strcmp(verify_server, "PERMISSIVE") == 0) {
verifyServerPolicy = YamlSNIConfig::Policy::PERMISSIVE;
} else if (strcmp(verify_server, "ENFORCED") == 0) {
verifyServerPolicy = YamlSNIConfig::Policy::ENFORCED;
} else {
Warning("%s is invalid for proxy.config.ssl.client.verify.server.policy. Should be one of DISABLED, PERMISSIVE, or ENFORCED",
verify_server);
verifyServerPolicy = YamlSNIConfig::Policy::DISABLED;
}

REC_ReadConfigStringAlloc(verify_server, "proxy.config.ssl.client.verify.server.properties");
if (strcmp(verify_server, "SIGNATURE") == 0) {
verifyServerProperties = YamlSNIConfig::Property::SIGNATURE_MASK;
} else if (strcmp(verify_server, "NAME") == 0) {
verifyServerProperties = YamlSNIConfig::Property::NAME_MASK;
} else if (strcmp(verify_server, "ALL") == 0) {
verifyServerProperties = YamlSNIConfig::Property::ALL_MASK;
} else if (strcmp(verify_server, "NONE") == 0) {
verifyServerProperties = YamlSNIConfig::Property::NONE;
} else {
Warning("%s is invalid for proxy.config.ssl.client.verify.server.properties. Should be one of SIGNATURE, NAME, or ALL",
verify_server);
verifyServerProperties = YamlSNIConfig::Property::NONE;
}
ats_free(verify_server);

ssl_client_cert_filename = nullptr;
ssl_client_cert_path = nullptr;
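Review bot: verify_server is overwritten by the second REC_ReadConfigStringAlloc call (for proxy.config.ssl.client.verify.server.properties) before the string from the first call is released, and the only ats_free(verify_server) left sits after the properties chain, so the policy string leaks on every SSLConfigParams::initialize(). The removed code freed each string inside its own block; add ats_free(verify_server) after the policy chain or use two variables. Separately, the else branch for an unrecognised policy value still sets Policy::DISABLED, so a typo in records.config turns origin verification off with only a Warning while the shipped default is PERMISSIVE; falling back to the default or to ENFORCED would fail safer. The properties Warning also says "SIGNATURE, NAME, or ALL" although NONE is accepted two branches earlier.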
20 changes: 0 additions & 20 deletions iocore/net/YamlSNIConfig.cc
Expand Up @@ -99,7 +99,6 @@ std::set<std::string> valid_sni_config_keys = {TS_fqdn,
TS_tunnel_route,
TS_forward_route,
TS_partial_blind_route,
TS_verify_origin_server,
TS_verify_server_policy,
TS_verify_server_properties,
TS_client_cert,
Expand Down Expand Up @@ -166,25 +165,6 @@ template <> struct convert<YamlSNIConfig::Item> {
item.tls_upstream = true;
}

// remove before 9.0.0 release
// backwards compatibility
if (node[TS_verify_origin_server]) {
auto value = node[TS_verify_origin_server].as<std::string>();
YamlSNIConfig::Level level = static_cast<YamlSNIConfig::Level>(LEVEL_DESCRIPTOR.get(value));
item.verify_server_properties = YamlSNIConfig::Property::ALL_MASK;
switch (level) {
case YamlSNIConfig::Level::NONE:
item.verify_server_policy = YamlSNIConfig::Policy::DISABLED;
break;
case YamlSNIConfig::Level::MODERATE:
item.verify_server_policy = YamlSNIConfig::Policy::PERMISSIVE;
break;
case YamlSNIConfig::Level::STRICT:
item.verify_server_policy = YamlSNIConfig::Policy::ENFORCED;
break;
}
}

if (node[TS_verify_server_policy]) {
auto value = node[TS_verify_server_policy].as<std::string>();
int policy = POLICY_DESCRIPTOR.get(value);
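Review bot: With the node[TS_verify_origin_server] block gone, an sni.yaml entry such as verify_origin_server: STRICT no longer sets Policy::ENFORCED for that fqdn, and nothing in this hunk shows what happens to it instead. Since TS_verify_origin_server is also removed from valid_sni_config_keys, please confirm the loader rejects the leftover key with an error that names verify_server_policy and verify_server_properties rather than ignoring it; an ignored key would leave that origin on the global policy without the operator noticing.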
2 changes: 0 additions & 2 deletions mgmt/RecordsConfig.cc
Expand Up @@ -1116,8 +1116,6 @@ static const RecordElement RecordsConfig[] =
,
{RECT_CONFIG, "proxy.config.ssl.CA.cert.path", RECD_STRING, TS_BUILD_SYSCONFDIR, RECU_RESTART_TS, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
,
{RECT_CONFIG, "proxy.config.ssl.client.verify.server", RECD_INT, "0", RECU_DYNAMIC, RR_NULL, RECC_INT, "[0-2]", RECA_NULL}
,
{RECT_CONFIG, "proxy.config.ssl.client.verify.server.policy", RECD_STRING, "PERMISSIVE", RECU_DYNAMIC, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
,
{RECT_CONFIG, "proxy.config.ssl.client.verify.server.properties", RECD_STRING, "ALL", RECU_DYNAMIC, RR_NULL, RECC_NULL, nullptr, RECA_NULL}
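Review bot: The removed integer record was range-checked with RECC_INT and "[0-2]", while the two string records that now carry the setting are declared with RECC_NULL and nullptr, so any string is accepted here and is only caught later in SSLConfigParams::initialize(). Consider a string check (RECC_STR with a pattern) limited to DISABLED, PERMISSIVE, ENFORCED for the policy and NONE, SIGNATURE, NAME, ALL for the properties. This also deserves a release note: a records.config that still sets proxy.config.ssl.client.verify.server to 1 used to map to ENFORCED and will now run with the "PERMISSIVE" default declared on the policy record.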
1 change: 0 additions & 1 deletion tests/gold_tests/tls/tls.test.py
Expand Up @@ -65,7 +65,6 @@
ts.Disk.records_config.update({
'proxy.config.ssl.server.cert.path': '{0}'.format(ts.Variables.SSLDir),
'proxy.config.ssl.server.private_key.path': '{0}'.format(ts.Variables.SSLDir),
'proxy.config.ssl.client.verify.server': 0,
'proxy.config.exec_thread.autoconfig.scale': 1.0,
'proxy.config.ssl.server.cipher_suite': 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2',
})
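Review bot: The 'proxy.config.ssl.client.verify.server': 0 entry is removed without a replacement, so this test (and the other tests/gold_tests/tls files changed the same way in this commit) now runs with the defaults from RecordsConfig.cc, policy PERMISSIVE and properties ALL, instead of with origin verification switched off. If the tests are meant to keep verification disabled, set 'proxy.config.ssl.client.verify.server.policy': 'DISABLED' explicitly; if running them under the new default is intended, a comment saying so would stop the next reader from wondering.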
2 changes: 0 additions & 2 deletions tests/gold_tests/tls/tls_client_cert.test.py
Expand Up @@ -65,7 +65,6 @@
'proxy.config.diags.debug.tags': 'ssl_verify_test',
'proxy.config.ssl.server.cert.path': '{0}'.format(ts.Variables.SSLDir),
'proxy.config.ssl.server.private_key.path': '{0}'.format(ts.Variables.SSLDir),
'proxy.config.ssl.client.verify.server': 0,
'proxy.config.ssl.server.cipher_suite': 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2',
'proxy.config.ssl.client.cert.path': '{0}'.format(ts.Variables.SSLDir),
'proxy.config.ssl.client.cert.filename': 'signed-foo.pem',
Expand Down Expand Up @@ -165,7 +164,6 @@
tr2.Disk.records_config.update({
'proxy.config.ssl.server.cert.path': '{0}'.format(ts.Variables.SSLDir),
'proxy.config.ssl.server.private_key.path': '{0}'.format(ts.Variables.SSLDir),
'proxy.config.ssl.client.verify.server': 0,
'proxy.config.ssl.server.cipher_suite': 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2',
'proxy.config.ssl.client.cert.path': '{0}'.format(ts.Variables.SSLDir),
'proxy.config.ssl.client.cert.filename': 'signed2-foo.pem',
1 change: 0 additions & 1 deletion tests/gold_tests/tls/tls_client_cert2.test.py
Expand Up @@ -64,7 +64,6 @@
'proxy.config.ssl.server.private_key.path': '{0}'.format(ts.Variables.SSLDir),
'proxy.config.ssl.client.cert.path': '{0}'.format(ts.Variables.SSLDir),
'proxy.config.ssl.client.private_key.path': '{0}'.format(ts.Variables.SSLDir),
'proxy.config.ssl.client.verify.server': 0,
'proxy.config.ssl.server.cipher_suite': 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2',
'proxy.config.exec_thread.autoconfig.scale': 1.0,
'proxy.config.url_remap.pristine_host_hdr': 1,
1 change: 0 additions & 1 deletion tests/gold_tests/tls/tls_client_cert_override.test.py
Expand Up @@ -60,7 +60,6 @@
ts.Disk.records_config.update({
'proxy.config.ssl.server.cert.path': '{0}'.format(ts.Variables.SSLDir),
'proxy.config.ssl.server.private_key.path': '{0}'.format(ts.Variables.SSLDir),
'proxy.config.ssl.client.verify.server': 0,
'proxy.config.ssl.server.cipher_suite': 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2',
'proxy.config.ssl.client.cert.path': '{0}'.format(ts.Variables.SSLDir),
'proxy.config.ssl.client.cert.filename': 'signed-foo.pem',
1 change: 0 additions & 1 deletion tests/gold_tests/tls/tls_client_verify.test.py
Expand Up @@ -42,7 +42,6 @@
ts.Disk.records_config.update({
'proxy.config.ssl.server.cert.path': '{0}'.format(ts.Variables.SSLDir),
'proxy.config.ssl.server.private_key.path': '{0}'.format(ts.Variables.SSLDir),
'proxy.config.ssl.client.verify.server': 0,
'proxy.config.ssl.server.cipher_suite': 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2',
'proxy.config.url_remap.pristine_host_hdr' : 1,
'proxy.config.ssl.client.certification_level': 2,
1 change: 0 additions & 1 deletion tests/gold_tests/tls/tls_client_verify2.test.py
Expand Up @@ -40,7 +40,6 @@
ts.Disk.records_config.update({
'proxy.config.ssl.server.cert.path': '{0}'.format(ts.Variables.SSLDir),
'proxy.config.ssl.server.private_key.path': '{0}'.format(ts.Variables.SSLDir),
'proxy.config.ssl.client.verify.server': 0,
'proxy.config.ssl.server.cipher_suite': 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2',
'proxy.config.url_remap.pristine_host_hdr' : 1,
'proxy.config.ssl.client.certification_level': 0,
1 change: 0 additions & 1 deletion tests/gold_tests/tls/tls_engine.test.py
Expand Up @@ -56,7 +56,6 @@
ts.Disk.records_config.update({
'proxy.config.ssl.server.cert.path': '{0}'.format(ts.Variables.SSLDir),
'proxy.config.ssl.server.private_key.path': '{0}'.format(ts.Variables.SSLDir),
'proxy.config.ssl.client.verify.server': 0,
'proxy.config.exec_thread.autoconfig.scale': 1.0,
'proxy.config.ssl.server.cipher_suite': 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2',
'proxy.config.ssl.engine.conf_file': '{0}/ts/config/load_engine.cnf'.format(Test.RunDirectory),
1 change: 0 additions & 1 deletion tests/gold_tests/tls/tls_session_cache.test.py
Expand Up @@ -46,7 +46,6 @@
ts.Disk.records_config.update({
'proxy.config.ssl.server.cert.path': '{0}'.format(ts.Variables.SSLDir),
'proxy.config.ssl.server.private_key.path': '{0}'.format(ts.Variables.SSLDir),
'proxy.config.ssl.client.verify.server': 0,
'proxy.config.ssl.server.cipher_suite': 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2',
'proxy.config.exec_thread.autoconfig.scale': 1.0,
'proxy.config.ssl.session_cache': 2,
2 changes: 0 additions & 2 deletions tests/gold_tests/tls/tls_ticket.test.py
Expand Up @@ -55,7 +55,6 @@
ts.Disk.records_config.update({
'proxy.config.ssl.server.cert.path': '{0}'.format(ts.Variables.SSLDir),
'proxy.config.ssl.server.private_key.path': '{0}'.format(ts.Variables.SSLDir),
'proxy.config.ssl.client.verify.server': 0,
'proxy.config.ssl.server.cipher_suite': 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2',
'proxy.config.exec_thread.autoconfig.scale': 1.0,
'proxy.config.ssl.server.session_ticket.enable': '1',
Expand All @@ -64,7 +63,6 @@
ts2.Disk.records_config.update({
'proxy.config.ssl.server.cert.path': '{0}'.format(ts2.Variables.SSLDir),
'proxy.config.ssl.server.private_key.path': '{0}'.format(ts2.Variables.SSLDir),
'proxy.config.ssl.client.verify.server': 0,
'proxy.config.ssl.server.cipher_suite': 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:RC4-SHA:RC4-MD5:AES128-SHA:AES256-SHA:DES-CBC3-SHA!SRP:!DSS:!PSK:!aNULL:!eNULL:!SSLv2',
'proxy.config.ssl.server.session_ticket.enable': '1',
'proxy.config.exec_thread.autoconfig.scale': 1.0,