trafficserver-users mailing list archives

From: Phil Sorber <sor...@apache.org>
Subject: Re: 4.2.0 SSL SNI compatibility ... (related to TS-2031)
Date: Sat, 01 Feb 2014 20:29:52 GMT

On Sat, Feb 1, 2014 at 1:12 PM, Reindl Harald <h.reindl@thelounge.net> wrote:

>
>
> On 01.02.2014 20:53, Leif Hedstrom wrote:
> >> On Feb 1, 2014, at 11:54 AM, James Peach <jpeach@apache.org> wrote:
> >>
> >>> On Feb 1, 2014, at 7:37 AM, Leif Hedstrom <zwoop@apache.org> wrote:
> >>>
> >>> Hi all,
> >>>
> >>> I just upgraded to latest master, and noticed that our behavior has
> >>> changed related to how certs are "negotiated". This is related to TS-2031 I
> >>> believe.
> >>>
> >>> What it meant for me was that I had to reorder a couple of rules in
> >>> ssl_multicert.config for the sites to work as expected. I'm sure this is a
> >>> pretty unusual case, so I'm probably ok to just document this (visibly, in
> >>> the v4.2.0 release notes). But I'm interested to hear what others using SSL
> >>> have to say about this? It technically does break backwards compatibility,
> >>> since a config that used to work with v4.1.3 will not work with v4.2.0.
> >>>
> >>> Or should we play it safe, and move TS-2031 over to 5.0.x ?
> >>
> >> I'm not very clear on what happened; can you spell it out?
> >
> > I have two certs that match www.ogre.com (one is a wildcard).
> > After this change, I have to reorder the two lines in the config, to get
> > expected behavior
>
> i guess the non-wildcard on top to override the wildcard
> in other words: the more specific wins
> in that case -> go ahead -> perfect!
>
> not sure how the current behavior is, but if my guess is right
> i would even go so far and call it a well deserved bugfix
>
>
I think we all agree this is a bugfix that should go in, the issue is where
in the release process it should be. Is this making something functional
that was not before? Or is it just making the functionality more well
defined? I think what Leif and I are really trying to avoid here is any
unexpected behavior in a minor release that is going to be the LTS release.
