trafficserver-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From James Peach <jpe...@apache.org>
Subject Re: SSL Protocol specific to client and server
Date Wed, 06 Jul 2016 22:37:40 GMT

> On Jul 6, 2016, at 3:31 PM, Adi Mallikarjuna Reddy V <adimallikarjunareddy@gmail.com>
wrote:
> 
> I think that explains the behavior. 
> 
> Then  why do we have two flags?
> CONFIG proxy.config.ssl.TLSv1 and CONFIG proxy.config.ssl.client.TLSv1

This was added in https://issues.apache.org/jira/browse/TS-2924.

> https://github.com/apache/trafficserver/blob/master/iocore/net/SSLConfig.cc#L183
> 
> On Wed, Jul 6, 2016 at 3:27 PM, James Peach <jpeach@apache.org> wrote:
> 
> > On Jul 6, 2016, at 3:18 PM, Adi Mallikarjuna Reddy V <adimallikarjunareddy@gmail.com>
wrote:
> >
> > When I turn off tls1 with
> > CONFIG proxy.config.ssl.TLSv1 INT 0
> > I see
> > openssl s_client -debug -connect example.net:443 -tls1
> > Fails as expected, but connection to origin also fails with 502 code. Browser sees
502 success.
> >
> > This is when I started looking at the other flags to see if turning off tls1 at
ATS affects connection to origin also.
> 
> Ah I see. It looks like proxy.config.ssl.TLSv1 is applied to both client and server TLS
sessions. Can you please file a bug? AFAICT it has always been like this, but it doesn't really
make sense imho ...
> 
> > Thanks
> > Adi
> >
> > On Wednesday, July 6, 2016, James Peach <jpeach@apache.org> wrote:
> >
> > > On Jul 6, 2016, at 2:28 PM, Adi Mallikarjuna Reddy V <adimallikarjunareddy@gmail.com>
wrote:
> > >
> > > we are trying to do
> > >
> > > map https://foo.com https://origin.foo.com
> > >
> > > where foo.com has TLSv1 disabled and origin.foo.com has TLS1 enabled.
> > >
> > > To achieve this I am trying to set
> > > CONFIG proxy.config.ssl.TLSv1 INT 0
> > > and
> > > CONFIG proxy.config.ssl.client.TLSv1 INT 1
> > >
> > > Ideally this should make browser to ATS connection with TLS1.1 or TLS1.2 and
ATS to origin on TLS1/TLS1.1/TLS1.2.
> > >
> > >
> > > It's not working as expected.
> >
> > What is the behaviour you are seeing?
> >
> > I turned off proxy.config.ssl.TLSv1, and the following fails as expected
> >         $ openssl s_client -debug -connect example.net:443 -no_tls1_1 -no_tls1_2
> >
> > However OpenSSL sends a 1.0 handshake if I do this:
> >         $ openssl s_client -debug -connect example.net:443 -no_tls1_1
> >
> > I have to explicitly enable 1.2:
> >         $ openssl s_client -debug -connect example.net:443 -no_tls1_1 -tls1_2
> >
> > J
> >
> >
> > --
> > Sent from Mobile
> 
> 


Mime
View raw message