trafficserver-users mailing list archives

From Susan Hinrichs <shinr...@apache.org>
Subject Looking for opinions on additions to ssl_server_name.yaml
Date Mon, 19 Nov 2018 22:10:49 GMT
We currently have the ability to turn off HTTP/2 support on a per domain
basis via the disable_h2 option in ssl_server_name.yaml.

https://docs.trafficserver.apache.org/en/latest/admin-guide/files/ssl_server_name.yaml.en.html

Folks have asked for a similar mechanism to not offer TLS protocols (e.g.
1.3) for specific domain names.  I can see use cases for adding or removing
from the default in records.config for very new protocols (e.g. the phone
app for a domain doesn't handle TLSv1.3) or very old protocols (e.g. some
critical set top boxes can only use TLSv1.0).

We could have a separate toggle for each protocol, directly mapping what
is in records.config:

- fqdn: bob.com
  enable_tls_v1_3: true/false

Or we could try to have a list entry:

- fqdn: bob.com
  enable_tls_protocols:
    - tls_v1_3
    - tls_v1_2
  disable_tls_protocols:
    - tls_v1.0

Please share your opinions.
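
The two layouts proposed in the message above, modelled as an added Python example that is not part of the original post or of Traffic Server's code. It resolves each layout to an effective per-domain protocol set and rejects the mistakes each form allows. Assumptions: the merge rules, the function names, the `DEFAULTS` values, and protocol names normalised to the underscore form (`tls_v1_0`).

```python
# Added illustration: the merge rules below are assumptions, not ATS behaviour.
PROTOCOLS = ("tls_v1_0", "tls_v1_1", "tls_v1_2", "tls_v1_3")
# Constructed stand-in for the global defaults set in records.config.
DEFAULTS = {"tls_v1_0": False, "tls_v1_1": False, "tls_v1_2": True, "tls_v1_3": True}


def _check(fqdn, effective):
    """Refuse a domain that is left with no TLS protocol at all."""
    if not any(effective.values()):
        raise ValueError(f"{fqdn}: no TLS protocol left enabled")
    return effective


def from_toggles(entry, defaults=DEFAULTS):
    """Option 1: one enable_<protocol> boolean per protocol; absent keys inherit."""
    effective = dict(defaults)
    for key, value in entry.items():
        if key == "fqdn":
            continue
        name = key[len("enable_"):]
        if not key.startswith("enable_") or name not in PROTOCOLS:
            raise ValueError(f"{entry['fqdn']}: unknown key {key!r}")
        if not isinstance(value, bool):
            raise ValueError(f"{entry['fqdn']}: {key} must be true or false")
        effective[name] = value
    return _check(entry["fqdn"], effective)


def from_lists(entry, defaults=DEFAULTS):
    """Option 2: enable/disable lists applied as deltas on top of the defaults."""
    enable = set(entry.get("enable_tls_protocols", []))
    disable = set(entry.get("disable_tls_protocols", []))
    unknown = (enable | disable) - set(PROTOCOLS)
    if unknown:  # a misspelt name must fail, not silently leave a protocol on
        raise ValueError(f"{entry['fqdn']}: unknown protocol(s) {sorted(unknown)}")
    both = enable & disable
    if both:  # a contradiction only the list form can express
        raise ValueError(f"{entry['fqdn']}: {sorted(both)} both enabled and disabled")
    effective = {p: (on or p in enable) and p not in disable for p, on in defaults.items()}
    return _check(entry["fqdn"], effective)
```

Under these rules both layouts resolve to the same result for the same intent; the list form additionally needs the conflict and unknown-name checks because a typo in a disable list would otherwise leave an old protocol offered.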
