I don't like either. I'd prefer "tls-enable: [ 1_0, 1_1, 1_2, 1_3 ]" with
the special case of "tls-enable: all" where if it's not enabled, it's
disabled. Or, if separate flags, "tls_1_3: enable/disable" in which case
the protocol levels are enabled by default.
On Mon, Nov 19, 2018 at 4:11 PM Susan Hinrichs <shinrich@apache.org> wrote:
> We currently have the ability to turn off HTTP/2 support on a per domain
> basis via the disable_h2 option in ssl_server_name.yaml
>
>
> https://docs.trafficserver.apache.org/en/latest/admin-guide/files/ssl_server_name.yaml.en.html
>
> Folks have asked for a similar mechanism to not offer TLS protocols (e.g.
> 1.3) for specific domain names. I can see use cases for adding or removing
> from the default in records.config for very new protocols (e.g. the phone
> app for a domain doesn't handle TLSv1.3) or very old protocols (e.g. some
> critical set top boxes can only use TLSv1.0).
>
> We could have a separate toggle for each protocol. Directly mapping what
> is in records.config.
>
> - fqdn: bob.com
>   enable_tls_v1_3: true/false
>
> Or we could try to have a list entry
>
> - fqdn: bob.com
>   enable_tls_protocols:
>     - tls_v1_3
>     - tls_v1_2
>   disable_tls_protocols:
>     - tls_v1_0
>
> Please share your opinions.
>
>
--
Beware the fisherman who's casting out his line in to a dried up riverbed.
Oh don't try to tell him 'cause he won't believe. Throw some bread to the
ducks instead.
It's easier that way. - Genesis : Duke : VI 25-28
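The two configuration shapes argued over in this thread, as an added example that is not Traffic Server code: one resolver for the list form (an explicit list or `all`, where anything not listed is off) and one for the per-level flag form (defaults stay in force for levels not mentioned). The protocol spellings, the key names `tls-enable` / `tls_1_X`, and the default set are assumptions chosen for the example.

```python
"""Resolve the TLS levels offered for one per-fqdn entry under each proposal.

Added example, not Traffic Server code. Entries are the already-parsed YAML
mappings; bob.com is the hostname used in the thread.
"""
PROTOCOLS = ("1_0", "1_1", "1_2", "1_3")  # assumed spelling of the levels

# Assumed records.config default: what the server offers unless a per-fqdn
# entry overrides it (here TLSv1.0/1.1 off, TLSv1.2/1.3 on).
DEFAULT_ENABLED = frozenset({"1_2", "1_3"})


def resolve_list_form(entry):
    """List proposal: `tls-enable` is a list of levels or the word `all`.
    A level that is not listed is disabled; no key at all means defaults."""
    spec = entry.get("tls-enable")
    if spec is None:
        return set(DEFAULT_ENABLED)
    if spec == "all":
        return set(PROTOCOLS)
    unknown = set(spec) - set(PROTOCOLS)
    if unknown:
        raise ValueError(f"{entry['fqdn']}: unknown TLS level(s) {sorted(unknown)}")
    return set(spec)


def resolve_flag_form(entry):
    """Flag proposal: one `tls_1_X: enable/disable` key per level. Only the
    levels actually present in the entry change; the rest keep the default."""
    enabled = set(DEFAULT_ENABLED)
    for level in PROTOCOLS:
        flag = entry.get(f"tls_{level}")
        if flag is None:
            continue
        if flag == "enable":
            enabled.add(level)
        elif flag == "disable":
            enabled.discard(level)
        else:
            raise ValueError(f"{entry['fqdn']}: tls_{level} must be enable/disable")
    return enabled


if __name__ == "__main__":
    # Constructed entries mirroring the thread: an old-device domain that
    # needs TLSv1.0, and a domain whose app cannot handle TLSv1.3.
    print(sorted(resolve_list_form({"fqdn": "bob.com", "tls-enable": ["1_0", "1_2"]})))
    print(sorted(resolve_flag_form({"fqdn": "bob.com", "tls_1_3": "disable"})))
```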