Zeus 10 adds a new feature that ONLY allows renegotiation from RFC 5746 clients, which should resolve the endless waves of bugs about Firefox warning users that we support unsafe renegotiations (which we don't - it's just that Zeus permits safe renegotiations OUTSIDE of RFC 5746, which Firefox doesn't understand). So let's switch to that mode once we deploy Zeus 10. I verified on our test 10.x cluster that this results in "Secure Renegotiation: Supported" at SSLLabs. It's a global setting that should have no impact whatsoever on clients.
:ulfr/:michal, this is set on the 184.108.40.206:443 testing VIP and passes SSLLabs ("A", except for CN mismatch) so token sec-review? before we do this.
Changed from "Allow safe renegotiation" to "RFC 5746 only" mode on PHX1 Internal, already enabled on SCL3 Internal. Changed from "Do not allow" to "RFC 5746 only" mode on PHX1 External, SCL3 External.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
clearing stale sec-review flag for :ulfr