Got it, so we need something like 

CONFIG proxy.config.ssl.server.* 

parameters?

Thanks
Adi

On Wed, Jul 6, 2016 at 3:37 PM, James Peach <jpeach@apache.org> wrote:

> On Jul 6, 2016, at 3:31 PM, Adi Mallikarjuna Reddy V <adimallikarjunareddy@gmail.com> wrote:
>
> I think that explains the behavior.
>
> Then  why do we have two flags?
> CONFIG proxy.config.ssl.TLSv1 and CONFIG proxy.config.ssl.client.TLSv1

This was added in https://issues.apache.org/jira/browse/TS-2924.

> https://github.com/apache/trafficserver/blob/master/iocore/net/SSLConfig.cc#L183
>
> On Wed, Jul 6, 2016 at 3:27 PM, James Peach <jpeach@apache.org> wrote:
>
> > On Jul 6, 2016, at 3:18 PM, Adi Mallikarjuna Reddy V <adimallikarjunareddy@gmail.com> wrote:
> >
> > When I turn off tls1 with
> > CONFIG proxy.config.ssl.TLSv1 INT 0
> > I see
> > openssl s_client -debug -connect example.net:443 -tls1
> > Fails as expected, but connection to origin also fails with 502 code. Browser sees 502 success.
> >
> > This is when I started looking at the other flags to see if turning off tls1 at ATS affects connection to origin also.
>
> Ah I see. It looks like proxy.config.ssl.TLSv1 is applied to both client and server TLS sessions. Can you please file a bug? AFAICT it has always been like this, but it doesn't really make sense imho ...
>
> > Thanks
> > Adi
> >
> > On Wednesday, July 6, 2016, James Peach <jpeach@apache.org> wrote:
> >
> > > On Jul 6, 2016, at 2:28 PM, Adi Mallikarjuna Reddy V <adimallikarjunareddy@gmail.com> wrote:
> > >
> > > we are trying to do
> > >
> > > map https://foo.com https://origin.foo.com
> > >
> > > where foo.com has TLSv1 disabled and origin.foo.com has TLS1 enabled.
> > >
> > > To achieve this I am trying to set
> > > CONFIG proxy.config.ssl.TLSv1 INT 0
> > > and
> > > CONFIG proxy.config.ssl.client.TLSv1 INT 1
> > >
> > > Ideally this should make browser to ATS connection with TLS1.1 or TLS1.2 and ATS to origin on TLS1/TLS1.1/TLS1.2.
> > >
> > >
> > > It's not working as expected.
> >
> > What is the behaviour you are seeing?
> >
> > I turned off proxy.config.ssl.TLSv1, and the following fails as expected
> >         $ openssl s_client -debug -connect example.net:443 -no_tls1_1 -no_tls1_2
> >
> > However OpenSSL sends a 1.0 handshake if I do this:
> >         $ openssl s_client -debug -connect example.net:443 -no_tls1_1
> >
> > I have to explicitly enable 1.2:
> >         $ openssl s_client -debug -connect example.net:443 -no_tls1_1 -tls1_2
> >
> > J
> >
> >
> > --
> > Sent from Mobile
>
>