trafficserver-users mailing list archives

From Jason Strongman <jasonstrongman2...@gmail.com>
Subject Re: SNI AND ATS
Date Sun, 28 Sep 2014 17:29:07 GMT
bah.. it totally went over my head you can define multiple certificates to
the 'ssl_cert_name' param.

ssl_cert_name=FILENAME[,FILENAME ...]

thanks for the push.



On Sun, Sep 28, 2014 at 12:24 PM, Reindl Harald <h.reindl@thelounge.net>
wrote:

>
> On 28.09.2014 at 19:15, Jason Strongman wrote:
> > When you say 'incoming' request, do you mean
> >
> > 1. client to ATS ?
> > or
> > 2. ATS to origin ?
> >
> > Based on my understanding of the multiple certificate documentation, to support this configuration, ATS requires
> > multiple IPs.
> > Also based on my understanding, ATS does not support serving multiple certificates if the TLS/SSL service only
> > listens on one socket.
>
> no - the reason for SNI is to provide a hostname from the
> client, and ATS chooses the correct certificate based
> on that SNI name, as httpd does as well
>
> if you needed different IPs / sockets, SNI would be pointless
> the reason for SNI is that you need only one IP for multiple SSL sites
>
> hence MSIE on WinXP is not supported
>
> [root@testserver:~]$ cat /etc/trafficserver/ssl_multicert.config
> ssl_cert_name=afi.testserver.rhsoft.net.pem
> ssl_cert_name=contentlounge.testserver.rhsoft.net.pem
> ssl_cert_name=mailadmin.testserver.rhsoft.net.pem
> ssl_cert_name=rhsoft.testserver.rhsoft.net.pem
> ssl_cert_name=testserver.rhsoft.net.pem
> ssl_cert_name=uploadprogress.testserver.rhsoft.net.pem
> ssl_cert_name=webmail.testserver.rhsoft.net.pem
>
> > On Sun, Sep 28, 2014 at 11:26 AM, Reindl Harald <h.reindl@thelounge.net> wrote:
> >
> >
> >     On 28.09.2014 at 18:24, Jason Strongman wrote:
> >     > Version - 4.2.1.1
> >     > Mode - Reverse Proxy
> >     >
> >     > Objective: To support multiple SSL sites, each with their own certificate, and only use one IP/Port.
> >     > Does ATS support SNI for incoming requests as described in the below links?
> >
> >     ATS supports *only* SNI for incoming requests
>
>
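
The selection described in the reply above, as an added example that is not from the thread or from ATS itself: the server name is read from the client's first TLS message, so one IP/port can serve many certificates, and a client that sends no SNI gets a fallback. The hostname-to-file table, `DEFAULT_CERT` and the function names are assumptions for illustration; the ClientHello bytes are constructed.

```python
import struct

# Assumed hostname -> certificate table (hand-written for this example),
# using file names from the quoted ssl_multicert.config.
CERTS = {
    "afi.testserver.rhsoft.net": "afi.testserver.rhsoft.net.pem",
    "webmail.testserver.rhsoft.net": "webmail.testserver.rhsoft.net.pem",
}
DEFAULT_CERT = "testserver.rhsoft.net.pem"  # assumed fallback for clients without SNI

def build_client_hello(host=None):
    """Constructed sample: minimal TLS ClientHello, with or without SNI."""
    exts = b""
    if host is not None:
        name = host.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", 0, len(sni)) + sni           # extension type 0 = server_name
        exts = struct.pack("!H", len(exts)) + exts
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00" + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def extract_sni(rec):
    """Return the lower-cased SNI host name, or None if the client sent none."""
    if len(rec) < 44 or rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    try:
        pos = 9 + 2 + 32                                    # headers, version, random
        pos += 1 + rec[pos]                                 # session_id
        pos += 2 + int.from_bytes(rec[pos:pos + 2], "big")  # cipher_suites
        pos += 1 + rec[pos]                                 # compression_methods
        if pos + 2 > len(rec):
            return None                                     # no extensions block at all
        end = min(len(rec), pos + 2 + int.from_bytes(rec[pos:pos + 2], "big"))
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", rec[pos:pos + 4])
            pos += 4
            if etype == 0:                                  # server_name extension
                nlen = int.from_bytes(rec[pos + 3:pos + 5], "big")
                return rec[pos + 5:pos + 5 + nlen].decode("ascii").lower()
            pos += elen
    except (IndexError, UnicodeDecodeError) as exc:
        raise ValueError("malformed ClientHello") from exc
    return None

def select_cert(rec):
    """Pick the certificate for one listening socket from the client's SNI name."""
    return CERTS.get(extract_sni(rec), DEFAULT_CERT)
```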
