trafficserver-dev mailing list archives

From James Peach <jamespe...@me.com>
Subject Re: HTTPS traffic (not SSL termination)
Date Wed, 06 Feb 2013 17:03:22 GMT

On Feb 6, 2013, at 7:21 AM, Leif Hedstrom <zwoop@apache.org> wrote:

> On 2/6/13 12:35 AM, oksana fishman wrote:
>> I can see a certificate, for example.
>> How https traffic can be seen by ATS plugin?
> 
> You mean the SSL handshake? That would be Layer 5, not Layer 7 (HTTPS). I don't think
> we expose any APIs for a plugin to intercept or participate in the handshake, but James would
> know better.

I guess that I'm still not totally clear about what is needed here. The only way I can think
of to see SSL-encapsulated traffic without terminating the SSL channel is to write a plugin
that does TCP pass-through. You could easily write a simple protocol plugin that is able to
examine the clear-text portions of the SSL handshake.

If you want to terminate SSL and do something with that, then you can use TSNetAcceptNamedProtocol()
or TSPortDescriptorAccept(). Both of these are really intended for writing protocol plugins.
TSNetAcceptNamedProtocol() lets you accept a connection based on a NPN (http://en.wikipedia.org/wiki/Next_Protocol_Negotiation)
name. TSPortDescriptorAccept() lets you accept a connection on a socket that is described
by a port descriptor string (i.e. the format that records.config uses).

If you want to terminate HTTPS and examine the SSL parameters of the underlying session, we
don't currently have any APIs to do that. There has been some interest in exposing that information
(https://issues.apache.org/jira/browse/TS-1584), however I would like to add an API that is
more general than that proposal. Please add your comments to that bug if this is your area
of interest.

J
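The clear-text handshake inspection James describes (a pass-through plugin reading the ClientHello without terminating SSL) as an added example, not code from this thread or from Traffic Server: a bounds-checked parser that pulls the SNI host name out of a raw TLS ClientHello record, fed a constructed sample; truncated or malformed input returns -1 instead of reading past the buffer.

```c
#include <stdint.h>
#include <string.h>

/* Extract the Server Name Indication (SNI) host name from a raw TLS ClientHello
 * record, a clear-text field a pass-through plugin can read without the keys.
 * Returns 1 and copies the name into out, 0 if no SNI is present, -1 if the bytes
 * are not a well-formed ClientHello; every length field is bounds-checked. */
int tls_client_hello_sni(const uint8_t *b, size_t n, char *out, size_t outn)
{
    if (n < 43 || b[0] != 0x16 || b[5] != 0x01) return -1; /* handshake record, ClientHello */
    size_t hs_len = ((size_t)b[6] << 16) | (b[7] << 8) | b[8];
    if (9 + hs_len > n) return -1; n = 9 + hs_len; /* never read past the handshake body */
    size_t p = 9 + 2 + 32;                         /* skip client_version and random */
    if (p + 1 > n) return -1; p += 1 + b[p];                   /* session_id */
    if (p + 2 > n) return -1; p += 2 + ((b[p] << 8) | b[p+1]); /* cipher_suites */
    if (p + 1 > n) return -1; p += 1 + b[p];                   /* compression_methods */
    if (p + 2 > n) return 0;                       /* legal: no extensions block at all */
    size_t ext_end = p + 2 + ((b[p] << 8) | b[p+1]);
    if (ext_end > n) return -1;
    for (p += 2; p + 4 <= ext_end; p += 4) {       /* each extension: type(2) len(2) data */
        unsigned type = (b[p] << 8) | b[p+1], len = (b[p+2] << 8) | b[p+3];
        if (p + 4 + len > ext_end) return -1;
        if (type == 0x0000) {                      /* server_name extension */
            const uint8_t *e = b + p + 4;          /* list_len(2) name_type(1) name_len(2) name */
            if (len < 5 || e[2] != 0) return -1;   /* only host_name (type 0) is defined */
            size_t name_len = (e[3] << 8) | e[4];
            if (5 + name_len > len || name_len >= outn) return -1;
            memcpy(out, e + 5, name_len); out[name_len] = '\0';
            return 1;
        }
        p += len;
    }
    return 0;
}

/* Constructed sample (not a real capture): minimal TLS 1.2 ClientHello, SNI "example.com". */
size_t sample_client_hello(uint8_t *buf)
{
    static const uint8_t head[] = { 0x16, 0x03, 0x01, 0x00, 0x43, /* handshake record, 67 bytes */
        0x01, 0x00, 0x00, 0x3f, 0x03, 0x03 };                    /* ClientHello 63 bytes, TLS 1.2 */
    static const uint8_t tail[] = { 0x00, 0x00, 0x02, 0xc0, 0x2f, 0x01, 0x00, /* sid 0; 1 suite; null comp */
        0x00, 0x14, 0x00, 0x00, 0x00, 0x10,                      /* ext len 20; server_name ext, 16 */
        0x00, 0x0e, 0x00, 0x00, 0x0b,                            /* list len 14; host_name; len 11 */
        'e','x','a','m','p','l','e','.','c','o','m' };
    memcpy(buf, head, sizeof head);
    memset(buf + sizeof head, 0x11, 32);                         /* client random, fixed for the sample */
    memcpy(buf + sizeof head + 32, tail, sizeof tail);
    return sizeof head + 32 + sizeof tail;                       /* 72 bytes */
}
```

In ATS terms this is the check a TCP pass-through plugin would run on the first bytes of a client connection before deciding where to forward it, with nothing decrypted.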
