trafficserver-users mailing list archives

From Jeremy Payne <jp557...@gmail.com>
Subject proxy.config.ssl.client.verify.server and hostname validation
Date Tue, 22 Sep 2015 15:02:49 GMT
In testing TLS connections to my origin complex, I noticed that ATS does
not validate the origin hostname against the server certificate CN/SAN
values.

I then looked at the ATS code that sets the TLS verify options, and noticed
there are no options or routines that validate hostname. So I assume this
confirms what I see in practice.

    client_verify_server = params->clientVerify ? SSL_VERIFY_PEER : SSL_VERIFY_NONE;


Are there plans to add an ATS config option to also validate origin
hostname against the returned CN/SAN values?

Maybe something like:

 proxy.config.ssl.client.verify.server INT 2

Where 2 is peer + hostname validation

I suppose such a change would be somewhat straightforward if you have just
one layer of ATS servers talking to the origin. However if there are
intermediate ATS layers between edge and origin, then some provisions would
have to be made for edge to intermediate communications.
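To make concrete what the proposed "peer + hostname" level would add on top of SSL_VERIFY_PEER, here is an added example (not ATS code, and not from the poster) that models the hostname step against a certificate's CN/SAN values. The PeerIdentity type and the verify_origin function are assumptions introduced for illustration; chain verification is assumed to have already passed.

```python
"""Hostname check that SSL_VERIFY_PEER alone does not perform (added example).

SSL_VERIFY_PEER only proves the origin's chain leads to a trusted CA; it says
nothing about which host the certificate was issued for. The matching below
follows the usual RFC 6125 rules: dNSName SANs take precedence, the CN is only
consulted when no dNSName SAN exists, and a wildcard may replace only the
whole leftmost label.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PeerIdentity:
    """Names pulled from an already chain-verified origin certificate (assumed type)."""
    cn: Optional[str] = None
    san_dns: List[str] = field(default_factory=list)


def _name_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive match of one certificate name against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # The wildcard must be the entire leftmost label, must not cover a bare
    # domain, and must not span labels: "*.example.com" matches
    # "a.example.com" but not "example.com" or "a.b.example.com".
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(hostname: str, ident: PeerIdentity) -> bool:
    """True if the origin hostname is covered by the certificate's SAN or CN."""
    if ident.san_dns:
        # Once any dNSName SAN is present the CN is ignored entirely.
        return any(_name_match(name, hostname) for name in ident.san_dns)
    return ident.cn is not None and _name_match(ident.cn, hostname)


def verify_origin(hostname: str, ident: PeerIdentity, level: int) -> bool:
    """Model of the proposed INT setting: 0 none, 1 peer only, 2 peer + hostname.

    Levels 0 and 1 never reject a name mismatch, which is the gap the post
    describes; only level 2 adds the hostname step.
    """
    if level < 2:
        return True
    return hostname_matches(hostname, ident)
```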
