trafficserver-users mailing list archives

From Alan Carroll <solidwallofc...@oath.com>
Subject Re: Looking for opinions on additions to ssl_server_name.yaml
Date Mon, 19 Nov 2018 22:30:43 GMT
I don't like either. I'd prefer "tls-enable: [ 1_0, 1_1, 1_2, 1_3 ]" with
the special case of "tls-enable: all" where if it's not enabled, it's
disabled. Or, if separate flags, "tls_1_3: enable/disable" in which case
the protocol levels are enabled by default.

On Mon, Nov 19, 2018 at 4:11 PM Susan Hinrichs <shinrich@apache.org> wrote:

> We currently have the ability to turn off HTTP/2 support on a per domain
> basis via the disable_h2 option in ssl_server_name.yaml
>
>
> https://docs.trafficserver.apache.org/en/latest/admin-guide/files/ssl_server_name.yaml.en.html
>
> Folks have asked for a similar mechanism to not offer TLS protocols (e.g.
> 1.3) for specific domain names.  I can see use cases for adding or removing
> from the default in records.config for very new protocols (e.g. the phone
> app for a domain doesn't handle TLSv1.3) or very old protocols (e.g. some
> critical set top boxes can only use TLSv1.0).
>
> We could have a separate toggle for each protocol.  Directly mapping what
> is in records.config.
>
> - fqdn: bob.com
>   enable_tls_v1_3: true/false
>
> Or we could try to have a list entry
>
> - fqdn: bob.com
>   enable_tls_protocols:
>     - tls_v1_3
>     - tls_v1_2
>   disable_tls_protocols:
>     - tls_v1.0
>
> Please share your opinions.
>
>

-- 
*Beware the fisherman who's casting out his line in to a dried up riverbed.*
*Oh don't try to tell him 'cause he won't believe. Throw some bread to the
ducks instead.*
*It's easier that way. *- Genesis : Duke : VI 25-28
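The two designs in the thread differ in what an entry that mentions only some protocol versions means for the versions it leaves out. The resolver below is an added example, not Apache Traffic Server code, and it takes the config fragments as already-parsed dicts (what a YAML loader would return) so it needs no YAML library. The key names `enable_tls_v1_x` and `tls-enable`, the protocol names `tls_v1_0` .. `tls_v1_3` used for both styles, the global default set standing in for the records.config toggles, and the exact-match fqdn lookup are all assumptions made for illustration.

```python
"""Resolve the set of TLS versions offered for a given SNI under the two
per-domain designs discussed in the thread.  Added example, not ATS code."""
from __future__ import annotations

# One spelling for both designs (assumption; the thread uses two).
ALL_VERSIONS = ("tls_v1_0", "tls_v1_1", "tls_v1_2", "tls_v1_3")

# Assumed global default, standing in for the records.config toggles.
GLOBAL_DEFAULT = frozenset(("tls_v1_2", "tls_v1_3"))


def resolve_flag_style(entry: dict, default: frozenset = GLOBAL_DEFAULT) -> frozenset:
    """Design 1: one boolean per protocol (enable_tls_v1_3: true/false).
    Any version the entry does not mention keeps its global default."""
    enabled = set(default)
    for version in ALL_VERSIONS:
        key = f"enable_{version}"
        if key not in entry:
            continue
        if not isinstance(entry[key], bool):
            raise ValueError(f"{key} must be a boolean, got {entry[key]!r}")
        if entry[key]:
            enabled.add(version)
        else:
            enabled.discard(version)
    return frozenset(enabled)


def resolve_list_style(entry: dict, default: frozenset = GLOBAL_DEFAULT) -> frozenset:
    """Design 2: tls-enable: all | [versions].  Once the key is present only
    the listed versions are offered; a version not listed is disabled.
    Without the key the global default applies unchanged."""
    if "tls-enable" not in entry:
        return default
    spec = entry["tls-enable"]
    if spec == "all":
        return frozenset(ALL_VERSIONS)
    if not isinstance(spec, list):
        raise ValueError("tls-enable must be the string 'all' or a list")
    unknown = [v for v in spec if v not in ALL_VERSIONS]
    if unknown:
        raise ValueError(f"unknown protocol name(s): {unknown}")
    return frozenset(spec)


def offered_versions(sni: str, entries: list, resolver, default: frozenset = GLOBAL_DEFAULT) -> frozenset:
    """Pick the entry whose fqdn equals the client's SNI (exact match only,
    a simplification) and resolve it.  An entry that ends up offering no
    version at all is a misconfiguration, so it is rejected here rather
    than silently producing a server that can never complete a handshake."""
    for entry in entries:
        if entry.get("fqdn") == sni:
            result = resolver(entry, default)
            if not result:
                raise ValueError(f"{sni}: configuration disables every TLS version")
            return result
    return default


# Constructed sample entries mirroring the use cases in the thread.
FLAG_ENTRIES = [
    {"fqdn": "stb.example.com", "enable_tls_v1_0": True},   # old set-top boxes
    {"fqdn": "app.example.com", "enable_tls_v1_3": False},  # phone app cannot do 1.3
]
LIST_ENTRIES = [
    {"fqdn": "stb.example.com", "tls-enable": ["tls_v1_0", "tls_v1_2", "tls_v1_3"]},
    {"fqdn": "app.example.com", "tls-enable": ["tls_v1_2"]},
    {"fqdn": "open.example.com", "tls-enable": "all"},
]


def report(entries: list, resolver) -> dict:
    """Map every configured fqdn to its offered versions, sorted for display."""
    return {e["fqdn"]: sorted(offered_versions(e["fqdn"], entries, resolver)) for e in entries}


if __name__ == "__main__":
    for name, entries, resolver in (("flags", FLAG_ENTRIES, resolve_flag_style),
                                    ("list", LIST_ENTRIES, resolve_list_style)):
        print(name, report(entries, resolver))
```

Under the flag style the set-top box entry widens only its own FQDN to TLS 1.0 and leaves the stricter global default in place everywhere else, which is the property one wants from a per-domain override; under the list style an operator who writes `tls-enable: [tls_v1_0]` has also silently dropped 1.2 and 1.3 for that FQDN, and an empty list turns the domain off entirely, which is why the resolver rejects an empty result.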
