trafficserver-users mailing list archives

From Miles Libbey <mlib...@apache.org>
Subject Re: Looking for opinions on additions to ssl_server_name.yaml
Date Tue, 20 Nov 2018 00:18:44 GMT
On Mon, Nov 19, 2018 at 3:43 PM Susan Hinrichs <shinrich@oath.com> wrote:
>
> Ok.  I didn't know how to do lists in yaml.

I think both of you are right for the yaml syntax
fruits: [apples, oranges, strawberries]
is equivalent yaml to
fruits:
  - apples
  - oranges
  - strawberries


> I think you will still want to specify an enable list or a disable list depending on
> the use case.  It is highly unlikely that you will want an "all" option.  Many of the old,
> old protocols should never be enabled.

+1. Seems like whenever I've found a whitelist to be useful,
inevitably a blacklist has also become useful. (So, I'm +1 on the
lists)

I'm guessing the whitelist one would turn on that version for this
context regardless of the global; and similarly, if a version is *not*
mentioned in the whitelist, but on globally, it would be off for that
context.

I think I'd follow the records.config names as much as possible --
TLSv1_1 (from "proxy.config.ssl.TLSv1_1").
miles

> On Mon, Nov 19, 2018 at 4:31 PM Alan Carroll <solidwallofcode@oath.com> wrote:
>>
>> I don't like either. I'd prefer "tls-enable: [ 1_0, 1_1, 1_2, 1_3 ]" with the special
>> case of "tls-enable: all" where if it's not enabled, it's disabled. Or, if separate flags,
>> "tls_1_3: enable/disable" in which case the protocol levels are enabled by default.
>>
>> On Mon, Nov 19, 2018 at 4:11 PM Susan Hinrichs <shinrich@apache.org> wrote:
>>>
>>> We currently have the ability to turn off HTTP/2 support on a per domain basis
>>> via the disable_h2 option in ssl_server_name.yaml
>>>
>>> https://docs.trafficserver.apache.org/en/latest/admin-guide/files/ssl_server_name.yaml.en.html
>>>
>>> Folks have asked for a similar mechanism to not offer TLS protocols (e.g. 1.3)
>>> for specific domain names.  I can see use cases for adding or removing from the default in
>>> records.config for very new protocols (e.g. the phone app for a domain doesn't handle TLSv1.3)
>>> or very old protocols (e.g. some critical set top boxes can only use TLSv1.0).
>>>
>>> We could have a separate toggle for each protocol.  Directly mapping what is
>>> in records.config.
>>>
>>> - fqdn: bob.com
>>>   enable_tls_v1_3: true/false
>>>
>>> Or we could try to have a list entry
>>>
>>> - fqdn: bob.com
>>>   enable_tls_protocols:
>>>     - tls_v1_3
>>>     - tls_v1_2
>>>   disable_tls_protocols:
>>>     - tls_v1.0
>>>
>>> Please share your opinions.
>>>
>>
>>
>> --
>> Beware the fisherman who's casting out his line in to a dried up riverbed.
>> Oh don't try to tell him 'cause he won't believe. Throw some bread to the ducks instead.
>> It's easier that way. - Genesis : Duke : VI 25-28
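The semantics Miles sketches above (an explicit enable list replaces the global records.config set for that SNI context; a disable list removes from it), worked through as a small resolver. This is an added example written for this archive page, not Traffic Server code: the dict entries stand in for what a YAML loader produces from the proposed ssl_server_name.yaml entries (the flow and block list forms load identically), the global toggle values are constructed, and every key name other than proxy.config.ssl.TLSv1_1 is an assumption that follows the same naming pattern.

```python
"""Resolve the effective TLS protocol set for one SNI context.

Added example for the thread's proposal; not Traffic Server's own code.
Per-fqdn enable/disable lists are combined with records.config-style
global toggles using the interpretation given in the reply above.
"""
from typing import Dict, Iterable, List, Optional

# Ordered oldest to newest; names follow the records.config suffix style
# ("TLSv1_1" from "proxy.config.ssl.TLSv1_1"). All but TLSv1_1 are assumed.
TLS_VERSIONS: List[str] = ["TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3"]

# Constructed global defaults, in the shape of records.config entries
# (values are illustrative, not a recommendation from the thread).
GLOBAL_DEFAULTS: Dict[str, bool] = {
    "proxy.config.ssl.TLSv1": False,
    "proxy.config.ssl.TLSv1_1": False,
    "proxy.config.ssl.TLSv1_2": True,
    "proxy.config.ssl.TLSv1_3": True,
}


def normalize(name: str) -> str:
    """Map the spellings seen in the thread ('tls_v1_3', 'TLSv1.3', '1_0',
    'tls_v1.0') onto the records.config-style canonical name."""
    key = name.strip().lower().replace(".", "_")
    if key.startswith("tls"):
        key = key[3:]
    key = key.lstrip("_")
    if key.startswith("v"):
        key = key[1:]
    if key == "1_0":          # TLSv1.0 and TLSv1 are the same protocol
        key = "1"
    canonical = {v.lower()[len("tlsv"):]: v for v in TLS_VERSIONS}
    if key not in canonical:
        raise ValueError(f"unknown TLS version name: {name!r}")
    return canonical[key]


def globally_enabled(records: Dict[str, bool]) -> List[str]:
    """Versions switched on globally; a missing key is treated as off."""
    return [v for v in TLS_VERSIONS if records.get("proxy.config.ssl." + v, False)]


def effective_versions(records: Dict[str, bool],
                       enable: Optional[Iterable[str]] = None,
                       disable: Optional[Iterable[str]] = None) -> List[str]:
    """Apply the per-context lists to the global set.

    An enable list, when present, replaces the global set for this context,
    so a version not listed is off here even if it is on globally. A disable
    list then removes entries. Unknown names raise rather than being ignored,
    so a typo cannot silently leave an old protocol enabled.
    """
    enabled = set(globally_enabled(records))
    if enable is not None:
        enabled = {normalize(v) for v in enable}
    if disable:
        enabled -= {normalize(v) for v in disable}
    return [v for v in TLS_VERSIONS if v in enabled]


def resolve_context(entry: Dict[str, object], records: Dict[str, bool]) -> List[str]:
    """Resolve one ssl_server_name.yaml-style entry (already loaded as a dict).
    The key names are the ones proposed in the thread."""
    return effective_versions(records,
                              entry.get("enable_tls_protocols"),
                              entry.get("disable_tls_protocols"))


# Constructed sample contexts, as a YAML loader would return them.
SAMPLE_CONTEXTS: List[Dict[str, object]] = [
    # Legacy set top boxes: TLSv1.0 only for this fqdn, not globally.
    {"fqdn": "bob.com", "enable_tls_protocols": ["tls_v1_0", "tls_v1_2"]},
    # A phone app that cannot handle TLSv1.3: drop it for this fqdn only.
    {"fqdn": "app.example.com", "disable_tls_protocols": ["tls_v1_3"]},
    # No per-context lists: inherits the global set unchanged.
    {"fqdn": "www.example.com"},
]

if __name__ == "__main__":
    for ctx in SAMPLE_CONTEXTS:
        print(ctx["fqdn"], "->", resolve_context(ctx, GLOBAL_DEFAULTS))
```

The point of the replace-rather-than-merge rule for the enable list is that the per-fqdn carve-out for old devices stays confined to that fqdn: bob.com gets TLSv1 without the global default changing, and the contexts with no enable list never see it.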
