trafficserver-users mailing list archives

From James Peach <jpe...@apache.org>
Subject Re: Configurations in ssl_multicert.config
Date Wed, 09 Nov 2016 04:37:28 GMT

> On Nov 8, 2016, at 1:17 PM, Leif Hedstrom <zwoop@apache.org> wrote:
> 
> Hi all,
> 
> I know this has been discussed many times before, but it keeps coming back to bite me in ugly ways. Right now, there’s no way (other than plugin code) to make TLS behave differently based on the SSL context (the line in ssl_multicert.config that matched the SNI or IP). This is a real drag, and a serious shortcoming IMO. The way I see things, ssl_multicert.config is to TLS as what remap.config is to HTTP, but we don’t treat it as such for some reason.
> 
> So, what I need right now are two things, but I can see this getting expanded in the future:
> 
> 1) Custom ALPN negotiation for a context (say, don’t allow H2 on a cert)
> 
> 2) Custom TLS protocol settings for a context (say, turn off TLSv1.0 on a cert)
> 
> 
> So, something like this (just for show, not a proposal):
> 
>   ssl_cert_name=ogre.crt ssl_key_name=ogre.key ssl_ca_name=ca.crt protocols=tlsv1.1,tlsv1.2 alpn=h2,https
> 
> 
> The settings in records.config then becomes global defaults for those contexts which lack explicit rules.

My thoughts on this are/were in https://issues.apache.org/jira/browse/TS-2773. Allow all the SSL configurations to be overridden per-certificate. This doesn’t address client certificates, which are severely limited. Alternatively, lua snippets ;)

J
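
An added illustration of the per-context override idea from the thread (not Traffic Server code): it parses ssl_multicert.config rules written in the sketched syntax, fills in missing `protocols`/`alpn` values from constructed records.config-style global defaults, and checks whether a handshake is acceptable for a given context. The `protocols=` and `alpn=` keys are the hypothetical ones from the message, not keys the real file supports; the config text and defaults are constructed.

```python
"""Resolve effective per-context TLS settings from a sketched
ssl_multicert.config syntax. Added example; not Apache Traffic Server code.
The protocols= and alpn= keys are hypothetical (from the mailing list message)."""

# Constructed stand-ins for the global values that records.config would supply.
GLOBAL_DEFAULTS = {
    "protocols": ["tlsv1.0", "tlsv1.1", "tlsv1.2"],
    "alpn": ["h2", "http/1.1"],
}

# Constructed config: the message's example line, plus a second context
# that sets no TLS options and therefore inherits the global defaults.
MULTICERT_CONFIG = """\
# comment lines and blank lines are skipped
ssl_cert_name=ogre.crt ssl_key_name=ogre.key ssl_ca_name=ca.crt protocols=tlsv1.1,tlsv1.2 alpn=h2,https

dest_ip=192.0.2.10 ssl_cert_name=default.crt ssl_key_name=default.key
"""

# Keys whose values are comma-separated lists rather than single strings.
LIST_KEYS = ("protocols", "alpn")


def parse_line(line):
    """Split one 'key=value key=value ...' rule into a dict."""
    ctx = {}
    for token in line.split():
        if "=" not in token:
            raise ValueError(f"malformed token {token!r}")
        key, _, value = token.partition("=")
        ctx[key] = value.split(",") if key in LIST_KEYS else value
    return ctx


def load_contexts(text, defaults):
    """Parse every rule and fill in TLS settings it lacks from the global defaults."""
    contexts = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ctx = parse_line(line)
        if "ssl_cert_name" not in ctx:
            raise ValueError(f"rule without ssl_cert_name: {line!r}")
        for key in LIST_KEYS:
            ctx.setdefault(key, list(defaults[key]))  # copy, so contexts never share a list
        contexts.append(ctx)
    return contexts


def allows(ctx, protocol, alpn_id):
    """True if this protocol version and ALPN identifier are acceptable for the context."""
    return protocol in ctx["protocols"] and alpn_id in ctx["alpn"]
```

With the constructed input, the `ogre.crt` context rejects TLSv1.0 while the second context keeps the global defaults.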

