trafficserver-users mailing list archives

From Leif Hedstrom <zw...@apache.org>
Subject Re: Origin SNI Value
Date Thu, 19 Jan 2017 02:09:59 GMT
I think we ran into just this same problem. Gancho, what was the solution?

-- Leif 

> On Jan 17, 2017, at 3:06 PM, Brian Geffon <briangeffon@gmail.com> wrote:
> 
> That sounds like a bug and after looking through the code it does appear to be:
> 
> https://github.com/apache/trafficserver/blob/master/proxy/http/HttpSM.cc#L5046
> 
> That's the wrong value to use since it never gets overwritten here:
> 
> https://github.com/apache/trafficserver/blob/master/proxy/http/remap/RemapProcessor.cc#L242
> 
> Can you please file a bug?
> 
> Brian
> 
> On Tue, Jan 17, 2017 at 1:56 PM Jeremy Payne <jp557198@gmail.com> wrote:
> Hello,
> 
> 
> 
> I currently have ATS configured to support a pristine host header.
> 
>    proxy.config.url_remap.pristine_host_hdr 1
> 
> I also have ATS configured to verify the origin server certificate.
> 
>    proxy.config.ssl.client.verify.server 1
> 
> My remap looks like this.
> 
>    map https://edge.abc.com/ https://origin.xyz.com/
> 
> 
> Because pristine is enabled, when ATS sends a request back to the origin, it uses a SNI value of:
> 
>      edge.abc.com
> 
> However, the origin returns a certificate that does not match the SNI.
> 
> Because the requested SNI and the returned CN/SAN do not match, coupled with verify.server enabled, ATS terminates the origin session and sends a 502 back to the client.
> 
> Is there another control or configuration that allows me to define which SNI value to send back to the origin?
> I need to keep pristine enabled and I need verify.server enabled. 
> 
> Thanks in advance. 
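
The mismatch described in this thread, as an added example that is not part of the original messages and is not Traffic Server code: a simplified Python model of which name ends up in the SNI and why certificate verification then fails. The function names, the `sni_from` switch and the certificate SAN list are assumptions made for illustration.

```python
# Added illustration, not Apache Traffic Server code. All function names are
# hypothetical; the certificate SAN list is constructed for the example.

def san_matches(pattern: str, host: str) -> bool:
    """Hostname match: exact, or one left-most '*' label (RFC 6125 style)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        first_label, _, parent = host.partition(".")
        return bool(first_label) and parent == pattern[2:]
    return False


def origin_names(client_host, remap_target, pristine_host_hdr, sni_from="host"):
    """Return (Host header, SNI) sent to the origin.

    sni_from="host" models the report: the SNI follows the outgoing Host
    header. sni_from="remap" models what the poster needs: the SNI follows
    the remap target. Both switches are modelling assumptions.
    """
    host_header = client_host if pristine_host_hdr else remap_target
    sni = host_header if sni_from == "host" else remap_target
    return host_header, sni


def origin_result(sni, cert_sans, verify_server):
    """Return 'ok' if the origin session proceeds, '502' if it is torn down."""
    if not verify_server:
        return "ok"  # nothing is checked, so a mismatch goes unnoticed
    return "ok" if any(san_matches(s, sni) for s in cert_sans) else "502"


CERT_SANS = ["origin.xyz.com"]  # constructed: names on the origin's certificate

if __name__ == "__main__":
    for mode in ("host", "remap"):
        host, sni = origin_names("edge.abc.com", "origin.xyz.com", True, mode)
        print(mode, host, sni, origin_result(sni, CERT_SANS, True))
```

With the SNI taken from the remap target, the Host header stays pristine while the name checked against the certificate is the origin's own.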
