trafficserver-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Esmq <>
Subject Re:RE: ssl reverse proxy and ssl sni ?
Date Tue, 12 Mar 2013 09:52:11 GMT
ohh, i got it now~

i misunderstood the way that ats implement sni;

now i have successfully test the ssl sni.

with those config line in ssl_multicert.config:    ssl_cert_name=zyq.crt ssl_key_name=zyq.key    ssl_cert_name=zy2.crt ssl_key_name=zy2.key    ssl_cert_name=zy3.crt ssl_key_name=zy3.key

ats able to select the correct certificate to present to the client~

thanks all ^_^

At 2013-03-12 16:07:01,"Uri Shachar" <> wrote:

>    I'm not sure I understand what you are trying to achieve.
>If the ATS is acting as a terminating reverse proxy (which is what I guess you are trying
to achieve):
>Receiving an HTTPS request on port 443 (Straight TLS -- Not an HTTP CONNECT request),
terminating the SSL connection and creating a new SSL connection upstream.
>It needs to present some certificate to the client. The certificate it selects can be
configured via the ssl_multicert config file -- the one that you have attached tells the ATS
to use a single cert for all origin servers. If you want it to be able to display the cert
for site X then you need to copy the certificate to the proxy and configure it in the ssl_multicert.config....
>(You also need to ensure that your browser sends SNI information -- All modern ones do
except for IE over Windows XP)
>If this isn't clear, could you send a cURL request/response?
>            Cheers,
>                     Uri
>> Date: Tue, 12 Mar 2013 11:22:15 +0800 
>> From: 
>> To: 
>> Subject: Re:Re: ssl reverse proxy and ssl sni ? 
>> hi, Leif 
>> it seems does'nt work... following is my test config: 
>> ssl_multicert.config: 
>> dest_ip=*       ssl_cert_name=cert.pem ssl_key_name=key.pem 
>> records.config: 
>> CONFIG proxy.config.http.server_ports STRING 80 443:ssl 
>> remap.config: 
>> map https://.* https://$ 
>> with SNI and SSL Termination, i want when browser access  
>>, shows the certificate of; 
>> but the above configuration , show all the https sites the same  
>> certificate... 
>> i don't know wheather i misunderstand the sni and ssl termination, or  
>> the config is not correct~ 
>> At 2013-03-11 22:19:24, "Leif Hedstrom" <> wrote: 
>> If you run a version of ATS that supports SNI, yes. Pretty sure v3.2.4  
>> does, for example. 
>> -- Leif 
>> On Mar 11, 2013, at 4:00 AM, Esmq <<>>
>> hi, all 
>> we know that an extension to TLS called Server Name Indication (SNI)  
>> ,enable web server to select a correct virtual domain 
>> and shows the borwser the cerficate containing the correct name... 
>> apache/nginx just do the right thing... 
>> and i know when configure ats as ssl reverse proxy, the cerficated  
>> shows to the browser is the cerficate that on ats, not the cerficated  
>> on the original server... 
>> so. when ats act as reverse proxy, does sni work? 

View raw message