trafficserver-users mailing list archives

From Reindl Harald <h.rei...@thelounge.net>
Subject Re: SNI AND ATS
Date Sun, 28 Sep 2014 17:24:41 GMT

On 28.09.2014 at 19:15, Jason Strongman wrote:
> When you say 'incoming' request, do you mean
> 
> 1. client to ATS ?
> or
> 2. ATS to origin ?
> 
> Based on my understanding of the multiple certificate documentation, to support this configuration, ATS requires
> multiple IPs.
> Also based on my understanding, ATS does not support serving multiple certificates if the TLS/SSL service only
> listens on one socket.

no - the reason for SNI is to provide a hostname from the
client and ATS is choosing the correct certificate based
on that SNI name, as httpd does as well

if you would need different IPs / sockets SNI would be pointless
the reason for SNI is that you need only one IP for multiple SSL sites

hence MSIE on WinXP is not supported

[root@testserver:~]$ cat /etc/trafficserver/ssl_multicert.config
ssl_cert_name=afi.testserver.rhsoft.net.pem
ssl_cert_name=contentlounge.testserver.rhsoft.net.pem
ssl_cert_name=mailadmin.testserver.rhsoft.net.pem
ssl_cert_name=rhsoft.testserver.rhsoft.net.pem
ssl_cert_name=testserver.rhsoft.net.pem
ssl_cert_name=uploadprogress.testserver.rhsoft.net.pem
ssl_cert_name=webmail.testserver.rhsoft.net.pem

> On Sun, Sep 28, 2014 at 11:26 AM, Reindl Harald <h.reindl@thelounge.net> wrote:
> 
> 
>     On 28.09.2014 at 18:24, Jason Strongman wrote:
>     > Version - 4.2.1.1
>     > Mode - Reverse Proxy
>     >
>     > Objective: To support multiple SSL sites, each with their own certificate, and only use one IP/Port.
>     > Does ATS support SNI for incoming requests as described in the below links?
> 
>     ATS supports *only* SNI for incoming requests

