trafficserver-users mailing list archives

From Susan Hinrichs <shinr...@oath.com>
Subject Re: Looking for opinions on additions to ssl_server_name.yaml
Date Mon, 19 Nov 2018 23:43:29 GMT
Ok.  I didn't know how to do lists in yaml.  I think you will still want to
specify an enable list or a disable list depending on the use case.  It is
highly unlikely that you will want an "all" option.  Many of the old, old
protocols should never be enabled.

On Mon, Nov 19, 2018 at 4:31 PM Alan Carroll <solidwallofcode@oath.com>
wrote:

> I don't like either. I'd prefer "tls-enable: [ 1_0, 1_1, 1_2, 1_3 ]" with
> the special case of "tls-enable: all" where if it's not enabled, it's
> disabled. Or, if separate flags, "tls_1_3: enable/disable" in which case
> the protocol levels are enabled by default.
>
> On Mon, Nov 19, 2018 at 4:11 PM Susan Hinrichs <shinrich@apache.org>
> wrote:
>
>> We currently have the ability to turn off HTTP/2 support on a per domain
>> basis via the disable_h2 option in ssl_server_name.yaml
>>
>>
>> https://docs.trafficserver.apache.org/en/latest/admin-guide/files/ssl_server_name.yaml.en.html
>>
>> Folks have asked for a similar mechanism to not offer TLS protocols (e.g.
>> 1.3) for specific domain names.  I can see use cases for adding or removing
>> from the default in records.config for very new protocols (e.g. the phone
>> app for a domain doesn't handle TLSv1.3) or very old protocols (e.g. some
>> critical set top boxes can only use TLSv1.0).
>>
>> We could have a separate toggle for each protocol.  Directly mapping what
>> is in records.config.
>>
>> - fqdn: bob.com
>>   enable_tls_v1_3: true/false
>>
>> Or we could try to have a list entry
>>
>> - fqdn: bob.com
>>   enable_tls_protocols:
>>     - tls_v1_3
>>     - tls_v1_2
>>   disable_tls_protocols:
>>     - tls_v1_0
>>
>> Please share your opinions.
>>
>>
>
> --
> *Beware the fisherman who's casting out his line in to a dried up
> riverbed.*
> *Oh don't try to tell him 'cause he won't believe. Throw some bread to the
> ducks instead.*
> *It's easier that way. *- Genesis : Duke : VI 25-28
>
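The list form proposed above leaves open how the two lists combine with the global default from records.config, and what should happen when the same version appears in both. The following is an added example, not Traffic Server code: it resolves the effective protocol set per fqdn for entries shaped like the proposal (the keys enable_tls_protocols and disable_tls_protocols are the thread's proposal, not an existing ssl_server_name.yaml option), refuses entries that enable and disable the same version, and reports any fqdn that ends up offering a version older than a review floor. The default set, the sample entries and the floor are constructed for this example.

```python
"""Resolve the per-FQDN TLS protocol set from the enable/disable lists
proposed in this thread.  Added example, not Traffic Server code: the
keys enable_tls_protocols / disable_tls_protocols are the thread's
proposal, the default set stands in for records.config, and the audit
floor is an assumption of this example."""

from typing import Dict, FrozenSet, Iterable, List, Mapping, Tuple

# Oldest to newest, spelled as in the thread.
TLS_VERSIONS: Tuple[str, ...] = ("tls_v1_0", "tls_v1_1", "tls_v1_2", "tls_v1_3")


class ProtocolConfigError(ValueError):
    """Raised for an entry that cannot be applied unambiguously."""


def _names(entry: Mapping, field: str) -> FrozenSet[str]:
    """Read a protocol list from an entry, rejecting names not in TLS_VERSIONS."""
    values = entry.get(field, [])
    if isinstance(values, str):          # a bare scalar instead of a YAML list
        values = [values]
    unknown = sorted(set(values) - set(TLS_VERSIONS))
    if unknown:
        raise ProtocolConfigError(f"{entry.get('fqdn')}: {field} has unknown {unknown}")
    return frozenset(values)


def effective_protocols(defaults: Iterable[str], entry: Mapping) -> FrozenSet[str]:
    """Start from the global default, add the enable list, remove the disable list.

    A version listed in both lists is rejected rather than letting the
    order of application decide.
    """
    enable = _names(entry, "enable_tls_protocols")
    disable = _names(entry, "disable_tls_protocols")
    both = enable & disable
    if both:
        raise ProtocolConfigError(f"{entry.get('fqdn')}: {sorted(both)} both enabled and disabled")
    return (frozenset(defaults) | enable) - disable


def resolve_all(config: Iterable[Mapping], defaults: Iterable[str]) -> Dict[str, FrozenSet[str]]:
    """Map each fqdn in the config to its effective protocol set."""
    resolved: Dict[str, FrozenSet[str]] = {}
    for entry in config:
        fqdn = entry.get("fqdn")
        if not fqdn:
            raise ProtocolConfigError("entry without fqdn")
        if fqdn in resolved:
            raise ProtocolConfigError(f"{fqdn}: duplicate entry")
        resolved[fqdn] = effective_protocols(defaults, entry)
    return resolved


def audit(resolved: Mapping[str, FrozenSet[str]], floor: str = "tls_v1_2") -> List[Tuple[str, List[str]]]:
    """List the fqdns that end up offering anything older than `floor`.

    The thread names real use cases for old protocols (set-top boxes), so
    this reports rather than rejects; review the output before deploying.
    """
    too_old = set(TLS_VERSIONS[: TLS_VERSIONS.index(floor)])
    findings: List[Tuple[str, List[str]]] = []
    for fqdn, protos in resolved.items():
        legacy = sorted(protos & too_old)
        if legacy:
            findings.append((fqdn, legacy))
    return findings


# Constructed sample, shaped like yaml.safe_load() output for the proposal.
DEFAULT_PROTOCOLS = frozenset({"tls_v1_2", "tls_v1_3"})   # stand-in for records.config
SAMPLE_CONFIG = [
    {"fqdn": "bob.com",
     "enable_tls_protocols": ["tls_v1_3", "tls_v1_2"],
     "disable_tls_protocols": ["tls_v1_0"]},
    {"fqdn": "legacy.example",           # constructed: set-top-box style exception
     "enable_tls_protocols": ["tls_v1_0"]},
    {"fqdn": "app.example",              # constructed: client that breaks on TLS 1.3
     "disable_tls_protocols": ["tls_v1_3"]},
]

if __name__ == "__main__":
    result = resolve_all(SAMPLE_CONFIG, DEFAULT_PROTOCOLS)
    for name, protos in result.items():
        print(f"{name}: {sorted(protos)}")
    for name, legacy in audit(result):
        print(f"REVIEW {name}: offers {legacy}")
```

Resolving against an explicit default keeps the per-domain entries small (only the exceptions are listed) while the audit step surfaces the exceptions that widen exposure, which is the review point the thread is circling: enabling a legacy version should be a deliberate, visible decision rather than a side effect of an "all" setting.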
