m-lab / ndt-server

docker native ndt5 and ndt7 server with prometheus integration
https://www.measurementlab.net/
Apache License 2.0

Disable SSLv3 #90

Closed nkinkade closed 5 years ago

nkinkade commented 5 years ago

The ndt-server should probably disable SSLv3, as it's old and not considered fully secure.

$ curl -v3 -X HEAD https://ndt-iupui-mlab4-den04.measurement-lab.org:3010/
<snip>
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using SSLv3 / AES128-SH
<snip>

While NDT does not send any sensitive data, we may like to disable this protocol simply as a matter of good form.

pboothe commented 5 years ago

Double-check that this is disabled on the new platform. Will not fix on the old platform.

nkinkade commented 5 years ago

@pboothe: Did we decide that we don't care about whether NDT (or other experiments) use old, insecure algorithms, since none of the data will be sensitive?

pboothe commented 5 years ago

The choice of TLS version supported by an experiment should be up to the experimenter. As long as platform services are up to date, then M-Lab should be happy. With the lone exception of NDT, because we took over that tool when it got abandoned.

I think that ndt-server should support old insecure versions of TLS. I don't think it should prefer them. I don't feel strongly enough about this to change the Go defaults myself, but I am definitely willing to review code that opens it up to more old algorithms. The old NDT server definitely supported encryption algorithms that people no longer recommend as secure, and that was fine because it did not transmit anything of importance. The bytes it transmitted were either random or publicly archived or both.

nkinkade commented 5 years ago

Sounds reasonable. This is a non-issue then. Closing.
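
An added example, not part of the thread or of ndt-server's code: a Go probe for the "double-check that this is disabled" step, which pins a client to one protocol version at a time and reports which versions a listener accepts. It runs against a loopback httptest server as a stand-in for a real host, the function names are hypothetical, and it starts at TLS 1.0 because Go's crypto/tls has had no SSLv3 implementation since Go 1.14.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"io"
	"log"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// Accepts reports whether addr completes a handshake pinned to exactly version v.
// Certificate checks are skipped because only the protocol version is under test.
func Accepts(addr string, v uint16) bool {
	cfg := &tls.Config{MinVersion: v, MaxVersion: v, InsecureSkipVerify: true}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 3 * time.Second}, "tcp", addr, cfg)
	if err != nil {
		return false // version refused, or the host is unreachable
	}
	conn.Close()
	return true
}

// AcceptedBy starts a loopback HTTPS server (httptest's built-in certificate) whose
// tls.Config has the given MinVersion, and returns the versions it will negotiate.
func AcceptedBy(minVersion uint16) []uint16 {
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	srv.TLS = &tls.Config{MinVersion: minVersion}
	srv.Config.ErrorLog = log.New(io.Discard, "", 0) // silence expected handshake errors
	srv.StartTLS()
	defer srv.Close()

	var ok []uint16
	for _, v := range []uint16{tls.VersionTLS10, tls.VersionTLS11, tls.VersionTLS12, tls.VersionTLS13} {
		if Accepts(srv.Listener.Addr().String(), v) {
			ok = append(ok, v)
		}
	}
	return ok
}

func main() {
	fmt.Printf("MinVersion TLS 1.0 accepts: %#x\n", AcceptedBy(tls.VersionTLS10))
	fmt.Printf("MinVersion TLS 1.2 accepts: %#x\n", AcceptedBy(tls.VersionTLS12))
}
```

To audit a deployed server, call `Accepts` with its `host:port` for each version instead of starting the local listener.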