trafficserver-users mailing list archives

From Brian Geffon <briangef...@gmail.com>
Subject Re: Origin SNI Value
Date Tue, 17 Jan 2017 22:06:00 GMT
That sounds like a bug and after looking through the code it does appear to
be:

https://github.com/apache/trafficserver/blob/master/proxy/http/HttpSM.cc#L5046

That's the wrong value to use since it never gets overwritten here:

https://github.com/apache/trafficserver/blob/master/proxy/http/remap/RemapProcessor.cc#L242

Can you please file a bug?

Brian

On Tue, Jan 17, 2017 at 1:56 PM Jeremy Payne <jp557198@gmail.com> wrote:

Hello,

I currently have ATS configured to support a pristine host header.

   proxy.config.url_remap.pristine_host_hdr 1

I also have ATS configured to verify the origin server certificate.

   proxy.config.ssl.client.verify.server 1

My remap looks like this.

   map https://edge.abc.com/ https://origin.xyz.com/

Because pristine is enabled, when ATS sends a request back to the origin,
it uses a SNI value of:

     edge.abc.com

However, the origin returns a certificate that does not match the SNI.

Because the requested SNI and the returned CN/SAN do not match, coupled
with verify.server enabled, ATS terminates the origin session and sends a
502 back to the client.

Is there another control or configuration that allows me to define which
SNI value to send back to the origin?
I need to keep pristine enabled and I need verify.server enabled.

Thanks in advance.
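
The failure described in this thread, as an added example that is not part of the original messages and is not Traffic Server code: a small model of which name ends up in the SNI and how name verification then decides between forwarding and a 502. The hostnames come from the thread; the SAN list, the function names and the `sni_from_host_header` switch are assumptions made for illustration.

```python
# Model only: it mirrors the behaviour reported in the thread, not ATS internals.

def san_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: exact name, or '*' as the entire left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    p_labels, h_labels = p.split("."), h.split(".")
    # A wildcard covers exactly one label and is rejected on two-label names.
    return (len(p_labels) == len(h_labels) and len(p_labels) >= 3
            and p_labels[1:] == h_labels[1:])


def origin_sni(client_host, remap_target, pristine_host_hdr, sni_from_host_header=True):
    """Name placed in the ClientHello sent to the origin.

    sni_from_host_header=True models the reported behaviour: the SNI follows
    the Host header, which pristine_host_hdr leaves as the client sent it.
    False models the behaviour the poster needs: the SNI follows the remap target.
    """
    if sni_from_host_header and pristine_host_hdr:
        return client_host
    return remap_target


def proxy_status(client_host, remap_target, origin_sans, pristine_host_hdr,
                 verify_server, sni_from_host_header=True):
    """Return (status, sni); 502 on a verification failure, 200 if the request proceeds."""
    sni = origin_sni(client_host, remap_target, pristine_host_hdr, sni_from_host_header)
    if verify_server and not any(san_matches(s, sni) for s in origin_sans):
        return 502, sni
    return 200, sni


# Constructed SAN list for the origin certificate.
ORIGIN_SANS = ["origin.xyz.com", "*.origin.xyz.com"]

if __name__ == "__main__":
    for pristine, verify, from_host in [(1, 1, True), (0, 1, True), (1, 0, True), (1, 1, False)]:
        status, sni = proxy_status("edge.abc.com", "origin.xyz.com", ORIGIN_SANS,
                                   bool(pristine), bool(verify), from_host)
        print(f"pristine={pristine} verify={verify} sni_from_host={from_host} "
              f"-> SNI={sni} status={status}")
```

The third row is the one to watch in practice: with verification off the request goes through, but the origin certificate is no longer checked against any name.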
