trafficserver-users mailing list archives

From Brian Geffon <>
Subject Re: Origin SNI Value
Date Tue, 17 Jan 2017 22:06:00 GMT
That sounds like a bug and after looking through the code it does appear to

That's the wrong value to use since it never gets overwritten here:

Can you please file a bug?


On Tue, Jan 17, 2017 at 1:56 PM Jeremy Payne <> wrote:


I currently have ATS configured to support a pristine host header.

   proxy.config.url_remap.pristine_host_hdr 1

I also have ATS configured to verify the origin server certificate.

   proxy.config.ssl.client.verify.server 1

My remap looks like this.


Because pristine is enabled, when ATS sends a request back to the origin,
it uses a SNI value of:

However, the origin returns a certificate that does not match the SNI.

Because the requested SNI and the returned CN/SAN do not match, coupled
with verify.server enabled, ATS terminates the origin session and sends a
502 back to the client.

Is there another control or configuration that allows me to define which
SNI value to send back to the origin?
I need to keep pristine enabled and I need verify.server enabled.

Thanks in advance.
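
The failure described in this thread, modelled as an added example that is not part of the original messages or of the ATS code base: it compares a candidate SNI name against an origin certificate's SAN list and shows which choice passes verification. The hostnames, SAN entries and the `origin_handshake` helper are constructed for illustration, and the "pristine" branch assumes the SNI follows the client's Host header.

```python
"""Added example: why a pristine-host SNI fails origin certificate verification.
All hostnames and SAN entries below are constructed, not taken from the thread."""

def _labels(name):
    return name.rstrip(".").lower().split(".")

def san_matches(pattern, hostname):
    """RFC 6125-style comparison: '*' may only stand for the whole left-most label."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require at least two fixed labels after the wildcard (no '*.com').
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def origin_handshake(client_host, remap_origin_host, cert_sans, sni_source):
    """Model the verify step. sni_source is 'pristine' (SNI follows the client's
    Host header, an assumption about the reported behaviour) or 'remap' (SNI
    follows the host in the remap target)."""
    sni = client_host if sni_source == "pristine" else remap_origin_host
    verified = any(san_matches(san, sni) for san in cert_sans)
    # With verify.server on, a mismatch ends the origin session and the client gets a 502.
    return {"sni": sni, "verified": verified, "client_status": None if verified else 502}

CLIENT_HOST = "www.shop.example"          # constructed: Host header sent by the client
ORIGIN_HOST = "origin1.backend.example"   # constructed: host in the remap target
ORIGIN_CERT_SANS = ["origin1.backend.example", "*.backend.example"]  # constructed

if __name__ == "__main__":
    for source in ("pristine", "remap"):
        print(source, origin_handshake(CLIENT_HOST, ORIGIN_HOST, ORIGIN_CERT_SANS, source))
```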