trafficserver-users mailing list archives

From Adi Mallikarjuna Reddy V <adimallikarjunare...@gmail.com>
Subject Re: SSL Protocol specific to client and server
Date Wed, 06 Jul 2016 22:41:51 GMT
Got it, so we need something like

CONFIG proxy.config.ssl.*server*.*

parameters?

Thanks
Adi

On Wed, Jul 6, 2016 at 3:37 PM, James Peach <jpeach@apache.org> wrote:

>
> > On Jul 6, 2016, at 3:31 PM, Adi Mallikarjuna Reddy V <
> adimallikarjunareddy@gmail.com> wrote:
> >
> > I think that explains the behavior.
> >
> > Then why do we have two flags?
> > CONFIG proxy.config.ssl.TLSv1 and CONFIG proxy.config.ssl.client.TLSv1
>
> This was added in https://issues.apache.org/jira/browse/TS-2924.
>
> >
> https://github.com/apache/trafficserver/blob/master/iocore/net/SSLConfig.cc#L183
> >
> > On Wed, Jul 6, 2016 at 3:27 PM, James Peach <jpeach@apache.org> wrote:
> >
> > > On Jul 6, 2016, at 3:18 PM, Adi Mallikarjuna Reddy V <
> adimallikarjunareddy@gmail.com> wrote:
> > >
> > > When I turn off tls1 with
> > > CONFIG proxy.config.ssl.TLSv1 INT 0
> > > I see
> > > openssl s_client -debug -connect example.net:443 -tls1
> > > Fails as expected, but connection to origin also fails with 502 code.
> Browser sees 502 success.
> > >
> > > This is when I started looking at the other flags to see if turning
> off tls1 at ATS affects connection to origin also.
> >
> > Ah I see. It looks like proxy.config.ssl.TLSv1 is applied to both client
> and server TLS sessions. Can you please file a bug? AFAICT it has always
> been like this, but it doesn't really make sense imho ...
> >
> > > Thanks
> > > Adi
> > >
> > > On Wednesday, July 6, 2016, James Peach <jpeach@apache.org> wrote:
> > >
> > > > On Jul 6, 2016, at 2:28 PM, Adi Mallikarjuna Reddy V <
> adimallikarjunareddy@gmail.com> wrote:
> > > >
> > > > we are trying to do
> > > >
> > > > map https://foo.com https://origin.foo.com
> > > >
> > > > where foo.com has TLSv1 disabled and origin.foo.com has TLS1
> enabled.
> > > >
> > > > To achieve this I am trying to set
> > > > CONFIG proxy.config.ssl.TLSv1 INT 0
> > > > and
> > > > CONFIG proxy.config.ssl.client.TLSv1 INT 1
> > > >
> > > > Ideally this should make the browser-to-ATS connection use TLS1.1 or
> TLS1.2 and the ATS-to-origin connection TLS1/TLS1.1/TLS1.2.
> > > >
> > > >
> > > > It's not working as expected.
> > >
> > > What is the behaviour you are seeing?
> > >
> > > I turned off proxy.config.ssl.TLSv1, and the following fails as
> expected
> > >         $ openssl s_client -debug -connect example.net:443 -no_tls1_1
> -no_tls1_2
> > >
> > > However OpenSSL sends a 1.0 handshake if I do this:
> > >         $ openssl s_client -debug -connect example.net:443 -no_tls1_1
> > >
> > > I have to explicitly enable 1.2:
> > >         $ openssl s_client -debug -connect example.net:443 -no_tls1_1
> -tls1_2
> > >
> > > J
> > >
> > >
> > > --
> > > Sent from Mobile
> >
> >
>
>
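The thread's s_client tests show that leaving the version up to OpenSSL's defaults (for example `-no_tls1_1` alone) can silently fall back to a 1.0 handshake, so the reliable check is to force each version explicitly. The script below is an added example for verifying the client-facing side of such a configuration; it is not from this thread or from the Traffic Server project. It assumes OpenSSL 1.0.x-style `s_client` flags (`-tls1`, `-tls1_1`, `-tls1_2`) and its `Protocol  :` / `Cipher    :` session summary lines; the `example.net` host and the sample transcripts are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or the ATS project): probe which TLS
# versions a TLS endpoint accepts by forcing one version per connection with
# openssl s_client. Assumes OpenSSL 1.0.x-style flags and output format.

# Classify one s_client transcript read from stdin.
# Prints "accepted <proto>" when a cipher was negotiated, "rejected" otherwise.
# On a failed handshake OpenSSL 1.0.x reports "Cipher    : 0000" (assumption
# based on that version's output format).
classify_s_client_output() {
    proto=""
    cipher=""
    while IFS= read -r line; do
        case "$line" in
            *"Protocol  :"*) proto=${line##*: } ;;
            *"Cipher    :"*) cipher=${line##*: } ;;
        esac
    done
    if [ -n "$cipher" ] && [ "$cipher" != "0000" ] && [ "$cipher" != "(NONE)" ]; then
        echo "accepted $proto"
    else
        echo "rejected"
    fi
}

# Probe host:port once per TLS version, forcing the version each time so the
# client cannot negotiate something else. Prints one line per version.
# Usage: probe_tls_versions example.net 443
probe_tls_versions() {
    host=$1
    port=${2:-443}
    for ver in tls1 tls1_1 tls1_2; do
        result=$(openssl s_client -connect "$host:$port" -"$ver" </dev/null 2>/dev/null \
                 | classify_s_client_output)
        printf '%-7s %s\n' "$ver" "$result"
    done
}

# Constructed sample transcripts (not real captures) so the classifier can be
# exercised offline without a network or an openssl binary.
sample_accepted='    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'
sample_rejected='    Protocol  : TLSv1
    Cipher    : 0000'

# Run the classifier over the constructed samples; prints two lines.
demo_classify() {
    printf '%s\n' "$sample_accepted" | classify_s_client_output
    printf '%s\n' "$sample_rejected" | classify_s_client_output
}

demo_classify
```

Run `probe_tls_versions` against the ATS listener to confirm that `tls1` is rejected while `tls1_1` and `tls1_2` are accepted, and separately against the origin to see which versions it offers. The proxy-to-origin handshake itself is not visible from outside; the 502 described in the thread is its symptom, and the two probes together show which side of the map each version restriction actually reached.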
