trafficserver-users mailing list archives

From Reindl Harald <h.rei...@thelounge.net>
Subject Re: SNI AND ATS
Date Sun, 28 Sep 2014 17:31:14 GMT


On 28.09.2014 at 19:29 Jason Strongman wrote:
> bah.. it totally went over my head you can define multiple certificates to the 'ssl_cert_name' param.
> 
> ssl_cert_name=FILENAME[,FILENAME ...]

for what reason?

you just tell ATS a list of certificates and based on
the SNI header and the CN they are presented to the client

> On Sun, Sep 28, 2014 at 12:24 PM, Reindl Harald <h.reindl@thelounge.net> wrote:
> 
> 
>     On 28.09.2014 at 19:15 Jason Strongman wrote:
>     > When you say 'incoming' request, do you mean
>     >
>     > 1. client to ATS ?
>     > or
>     > 2. ATS to origin ?
>     >
>     > Based on my understanding of the multiple certificate documentation, to support this configuration, ATS requires
>     > multiple IPs.
>     > Also based on my understanding, ATS does not support serving multiple certificates if the TLS/SSL service only
>     > listens on one socket.
> 
>     no - the reason for SNI is to provide a hostname from the
>     client and ATS chooses the correct certificate based
>     on that SNI name, just as httpd does
> 
>     if you would need different IPs / sockets SNI would be pointless
>     the reason for SNI is that you need only one IP for multiple SSL sites
> 
>     hence MSIE on WinXP is not supported
> 
>     [root@testserver:~]$ cat /etc/trafficserver/ssl_multicert.config
>     ssl_cert_name=afi.testserver.rhsoft.net.pem
>     ssl_cert_name=contentlounge.testserver.rhsoft.net.pem
>     ssl_cert_name=mailadmin.testserver.rhsoft.net.pem
>     ssl_cert_name=rhsoft.testserver.rhsoft.net.pem
>     ssl_cert_name=testserver.rhsoft.net.pem
>     ssl_cert_name=uploadprogress.testserver.rhsoft.net.pem
>     ssl_cert_name=webmail.testserver.rhsoft.net.pem
> 
>     > On Sun, Sep 28, 2014 at 11:26 AM, Reindl Harald <h.reindl@thelounge.net> wrote:
>     >
>     >
>     >     On 28.09.2014 at 18:24 Jason Strongman wrote:
>     >     > Version - 4.2.1.1
>     >     > Mode - Reverse Proxy
>     >     >
>     >     > Objective: To support multiple SSL sites, each with their own certificate, and only use one IP/Port.
>     >     > Does ATS support SNI for incoming requests as described in the below links?
>     >
>     >     ATS supports *only* SNI for incoming requests


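The SNI-based certificate selection and the ssl_multicert.config listing discussed in this thread, modelled as an added example (not ATS's own code and not posted by anyone in the thread): it parses ssl_cert_name lines, resolves an SNI name to a certificate with exact names beating wildcards, and lists every certificate covering a name so gaps and ambiguous entries show up. CERT_NAMES, the wildcard entry, the no-SNI fallback to the first entry and the exact-before-wildcard rule are assumptions for the model, not ATS's documented behaviour.

```python
# Constructed ssl_multicert.config: three lines from the thread plus an assumed wildcard entry.
SSL_MULTICERT_CONFIG = """\
ssl_cert_name=afi.testserver.rhsoft.net.pem
ssl_cert_name=testserver.rhsoft.net.pem
ssl_cert_name=webmail.testserver.rhsoft.net.pem
ssl_cert_name=wildcard.testserver.rhsoft.net.pem
"""
# Assumed CN/SAN names per PEM (ATS reads them from the certs; hard-coded to run offline).
CERT_NAMES = {
    "afi.testserver.rhsoft.net.pem": ["afi.testserver.rhsoft.net"],
    "testserver.rhsoft.net.pem": ["testserver.rhsoft.net"],
    "webmail.testserver.rhsoft.net.pem": ["webmail.testserver.rhsoft.net"],
    "wildcard.testserver.rhsoft.net.pem": ["*.testserver.rhsoft.net"],
}

def parse_multicert(text):
    """Certificate files in config order; ssl_cert_name=A.pem,B.pem yields both."""
    files = []
    for line in text.splitlines():
        for tok in line.split("#", 1)[0].split():  # key=value tokens, comments dropped
            if tok.startswith("ssl_cert_name="):
                files.extend(tok[len("ssl_cert_name="):].split(","))
    return files

def name_matches(pattern, hostname):
    """RFC 6125-style: exact, or '*' only as the whole leftmost label (not example.net, not a.b.example.net)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        head, sep, rest = hostname.partition(".")
        return bool(head) and sep == "." and rest == pattern[2:]
    return False

def matching_certs(hostname, files):
    """Files covering hostname, exact first; [] = nothing covers it, >1 = ambiguous choice."""
    hits = []
    for f in files:
        kinds = ["*" in n for n in CERT_NAMES.get(f, []) if name_matches(n, hostname)]
        if kinds:
            hits.append((min(kinds), f))  # False (exact) sorts before True (wildcard)
    return [f for _, f in sorted(hits, key=lambda t: t[0])]

def select_certificate(sni, files):
    """Model of SNI selection: best covering certificate, or None if nothing covers the
    name; a client sending no SNI (e.g. MSIE on WinXP) gets the first entry (assumed default)."""
    if not sni:
        return files[0] if files else None
    hits = matching_certs(sni, files)
    return hits[0] if hits else None
```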