From 270241405fe6706f6baf1b306620bf9d41da4bf8 Mon Sep 17 00:00:00 2001 From: Leif Hedstrom Date: Fri, 10 Apr 2020 14:15:23 -0600 Subject: [PATCH 1/2] Adds important config notes for TLS v1/1.1 --- doc/admin-guide/files/records.config.en.rst | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/doc/admin-guide/files/records.config.en.rst b/doc/admin-guide/files/records.config.en.rst index 2ddd6551f3f..070803780ea 100644 --- a/doc/admin-guide/files/records.config.en.rst +++ b/doc/admin-guide/files/records.config.en.rst @@ -3233,11 +3233,18 @@ SSL Termination .. ts:cv:: CONFIG proxy.config.ssl.TLSv1 INT 0 - Enables (``1``) or disables (``0``) TLSv1.0. + Enables (``1``) or disables (``0``) TLSv1.0. If not specified, disabled by default. .. ts:cv:: CONFIG proxy.config.ssl.TLSv1_1 INT 0 - Enables (``1``) or disables (``0``) TLS v1.1. If not specified, enabled by default. [Requires OpenSSL v1.0.1 and higher] + Enables (``1``) or disables (``0``) TLS v1.1. If not specified, disabled by default. [Requires OpenSSL v1.0.1 and higher] + +.. note:: + In order to enable TLS v1 or v1.1, additional ciphers must be added to proxy.config.ssl.client.cipher_suite. For + example this list would restore the SHA1 (insecure!) cipher suites suitable for these deprecates TLS versions: + + ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA + .. ts:cv:: CONFIG proxy.config.ssl.TLSv1_2 INT 1 From 6182cfb8ec1ea379caaa2667f89493194c6e5e28 Mon Sep 17 00:00:00 2001 From: Leif Hedstrom Date: Fri, 10 Apr 2020 16:02:45 -0600 Subject: [PATCH 2/2] Fix typo --- doc/admin-guide/files/records.config.en.rst | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/doc/admin-guide/files/records.config.en.rst b/doc/admin-guide/files/records.config.en.rst index 070803780ea..2290ab85728 100644 --- a/doc/admin-guide/files/records.config.en.rst 
+++ b/doc/admin-guide/files/records.config.en.rst @@ -3241,7 +3241,7 @@ SSL Termination .. note:: In order to enable TLS v1 or v1.1, additional ciphers must be added to proxy.config.ssl.client.cipher_suite. For - example this list would restore the SHA1 (insecure!) cipher suites suitable for these deprecates TLS versions: + example this list would restore the SHA1 (insecure!) cipher suites suitable for these deprecated TLS versions: ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA
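Review bot: in the PATCH 1/2 hunk, the new `.. note::` sits under "SSL Termination" (the inbound side, where `proxy.config.ssl.TLSv1` and `proxy.config.ssl.TLSv1_1` live) yet points operators at `proxy.config.ssl.client.cipher_suite`, which by its name is the origin-facing cipher list; please confirm that is the intended setting and, if the server-side cipher list is what must carry the SHA1 suites for inbound TLS 1.0/1.1, name it too, otherwise someone following the note will enable the old versions and still see client handshakes fail. The setting should also be marked up as a cross-reference in the form this file already uses (`:ts:cv:` + backquoted name) rather than plain text so it links, and since the note already flags the suites as insecure, one clause saying they apply to every connection on that side, not only to legacy peers, would make the trade-off explicit. Changing the TLSv1_1 description from "enabled" to "disabled by default" correctly matches the `INT 0` default above it.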
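Review bot: the PATCH 2/2 hunk fixes "deprecates" to "deprecated" correctly, but the cipher string in the context line below it is still a bare paragraph inside the `.. note::`; in reStructuredText a long colon-separated value should be a literal block (end the lead sentence with `::` and indent the list one level deeper) or a double-backtick inline literal, so Sphinx does not reflow or hyphenate it and operators can paste it verbatim. While touching this text, use one spelling of the protocol versions ("TLS v1 or v1.1" here versus "TLSv1.0" and "TLS v1.1" in the setting descriptions) so the note and the settings it refers to read consistently.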