trafficserver-users mailing list archives

From Reindl Harald <>
Subject Re: 4.2.0 SSL SNI compatibility ... (related to TS-2031)
Date Sat, 01 Feb 2014 15:55:20 GMT

what speaks against having "ssl_ca_name=godaddy_ca_sha1.crt"
in "remap.config" optional and making "ssl_multicert.config" no longer mandatory but still possible?

map ssl_cert_name=s1.example.pem ssl_ca_name=ca.crt

Am 01.02.2014 16:49, schrieb Reindl Harald:
> Am 01.02.2014 16:37, schrieb Leif Hedstrom:
>> I just upgraded to latest master, and noticed that our behavior has changed related
>> to how certs are “negotiated”. This is related to TS-2031 I believe.
>> What it meant for me was that I had to reorder a couple of rules in ssl_multicert.config
>> for the sites to work as expected. I’m sure this is a pretty unusual case, so I’m probably
>> ok to just document this (visibly, in the v4.2.0 release notes). But I’m interested to hear
>> what others using SSL have to say about this? It technically does break backwards compatibility,
>> since a config that used to work with v4.1.3 will not work with v4.2.0.
>> Or should we play it safe, and move TS-2031 over to 5.0.x?
> please elaborate the changes for "ssl_multicert.config"
> if the changes result in specifying the hostnames explicitly in "ssl_multicert.config"
> i would even support the change because i am not a big friend of magic if it
> comes to server-configurations, in case there are two certificates used valid for
> the same hostnames you are missing the control which hostname should use which cert
> that would also make it possible to have a default ssl host for clients without
> SNI support - the first listed one like httpd does, i fear even after april
> there are too many clients staying on WinXP or Java6 which makes me a little worried
> __________________________________
> current config
> [root@localhost:~]$ cat /etc/trafficserver/ssl_multicert.config
> ssl_ca_name=godaddy_ca_sha1.crt
> ssl_cert_name=wildcard.pem ssl_ca_name=godaddy_ca_sha256.crt
> __________________________________
> that's what i would dream about because that gets really interesting if you have
> a SHA1 and a SHA256 wildcard-certificate in the game and need to decide where to
> use which one which may depend on how many legacy clients a project expects
> [root@localhost:~]$ cat /etc/trafficserver/ssl_multicert.config
> ssl_ca_name=godaddy_ca_sha1.crt
> ssl_cert_name=wildcard_sha256.pem ssl_ca_name=godaddy_ca_sha256.crt
> ssl_cert_name=wildcard_sha1.pem ssl_ca_name=godaddy_ca_sha1.crt
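An added check, not from this thread or the Traffic Server project, for confirming which certificate the proxy actually presents per SNI name (and for a client that sends no SNI) after rules in ssl_multicert.config are reordered; it assumes the openssl CLI and a PROXY=host:port environment variable pointing at the TLS listener.

```shell
#!/bin/sh
# Added example: probe the proxy's certificate selection per SNI name.
# Assumption: PROXY is "host:port" of the Traffic Server TLS listener.

# Reduce `openssl x509 -noout -text` output to "subject | sigalg | SANs".
# The signature algorithm is how you tell a SHA1 from a SHA256 wildcard cert.
summarize_x509() {
    awk '
        /^ *Signature Algorithm:/ && sig == "" { sig = $3 }
        /^ *Subject:/ && subj == "" { sub(/^ *Subject: */, ""); subj = $0 }
        /X509v3 Subject Alternative Name/ { getline; gsub(/^ */, ""); san = $0 }
        END { printf "%s | %s | %s\n", subj, sig, san }
    '
}

# Fetch the leaf certificate for one SNI name; "" means send no SNI,
# which is what legacy clients (WinXP, Java6) do. Note: OpenSSL 1.1.1+
# sends the -connect host as SNI by default; add -noservername there.
probe_sni() {
    name="$1"
    if [ -n "$name" ]; then
        sni_opt="-servername $name"
    else
        sni_opt=""
    fi
    printf '%-28s ' "${name:-<no SNI>}"
    openssl s_client -connect "$PROXY" $sni_opt </dev/null 2>/dev/null \
        | openssl x509 -noout -text 2>/dev/null | summarize_x509
}

# Hostnames below are placeholders; list the sites served by the proxy.
if [ -n "${PROXY:-}" ]; then
    for n in "" www.example.com legacy.example.com; do
        probe_sni "$n"
    done
else
    echo "set PROXY=host:port to run the probe"
fi
```

Compare the printed line for each name against the entry you expect ssl_multicert.config to select; a mismatch after an upgrade is exactly the rule-ordering change described above.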
