trafficserver-users mailing list archives

From Leif Hedstrom <>
Subject Configurations in ssl_multicert.config
Date Tue, 08 Nov 2016 21:17:22 GMT
Hi all,

I know this has been discussed many times before, but it keeps coming back to bite me in ugly
ways. Right now, there’s no way (other than plugin code) to make TLS behave differently
based on the SSL context (the line in ssl_multicert.config that matched the SNI or IP). This
is a real drag, and a serious shortcoming IMO. The way I see things, ssl_multicert.config
is to TLS as what remap.config is to HTTP, but we don’t treat it as such for some reason.

So, what I need right now are two things, but I can see this getting expanded in the future:

1) Custom ALPN negotiation for a context (say, don’t allow H2 on a cert)

2) Custom TLS protocol settings for a context (say, turn off TLSv1.0 on a cert)

So, something like this (just for show, not a proposal):

   ssl_cert_name=ogre.crt ssl_key_name=ogre.key ssl_ca_name=ca.crt protocols=tlsv1.1,tlsv1.2

The settings in records.config then become global defaults for those contexts which lack
explicit rules.

And discuss.

— leif
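As an added illustration (not Traffic Server code, and the `protocols=` and `alpn=` keys are hypothetical, only `ssl_cert_name`, `ssl_key_name`, `ssl_ca_name` and `dest_ip` are real keys), here is how such lines could be resolved into a per-context policy, with constructed records.config-style values standing in as the defaults for anything a line omits:

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-in for the records.config globals (values chosen for the example).
GLOBAL_DEFAULTS = {"protocols": ("tlsv1.0", "tlsv1.1", "tlsv1.2"), "alpn": ("h2", "http/1.1")}

@dataclass(frozen=True)
class TlsContext:
    cert: str
    key: Optional[str]
    ca: Optional[str]
    dest_ip: str
    protocols: Tuple[str, ...]  # TLS versions this context accepts
    alpn: Tuple[str, ...]       # ALPN ids this context negotiates, in server preference order

def parse_line(line: str, defaults=GLOBAL_DEFAULTS) -> TlsContext:
    """Parse one key=value line; policy keys missing from the line fall back to the globals."""
    fields = {}
    for token in line.split():
        if "=" not in token:
            raise ValueError(f"malformed token: {token!r}")
        k, v = token.split("=", 1)
        fields[k] = v
    if "ssl_cert_name" not in fields:
        raise ValueError("ssl_cert_name is required")
    # 'protocols' and 'alpn' are hypothetical per-context overrides (not real ATS keys).
    protocols = tuple(fields["protocols"].lower().split(",")) if "protocols" in fields else defaults["protocols"]
    alpn = tuple(fields["alpn"].split(",")) if "alpn" in fields else defaults["alpn"]  # ALPN ids are case-sensitive
    return TlsContext(cert=fields["ssl_cert_name"], key=fields.get("ssl_key_name"),
                      ca=fields.get("ssl_ca_name"), dest_ip=fields.get("dest_ip", "*"),
                      protocols=protocols, alpn=alpn)

def parse_config(text: str, defaults=GLOBAL_DEFAULTS):
    """Parse a whole file, skipping blank lines and '#' comments as ssl_multicert.config does."""
    return [parse_line(l, defaults) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def allows_version(ctx: TlsContext, version: str) -> bool:
    """True if the matched context permits the offered TLS version (e.g. 'TLSv1.0')."""
    return version.lower() in ctx.protocols

def select_alpn(ctx: TlsContext, offered) -> Optional[str]:
    """Server-preference ALPN choice limited to the context's list; None means no ALPN agreed."""
    return next((p for p in ctx.alpn if p in offered), None)

# Constructed sample config: line 1 is the one from the message, line 2 forbids H2 on its cert,
# line 3 has no overrides and therefore inherits the global defaults.
SAMPLE = """# constructed example
ssl_cert_name=ogre.crt ssl_key_name=ogre.key ssl_ca_name=ca.crt protocols=tlsv1.1,tlsv1.2
ssl_cert_name=legacy.crt ssl_key_name=legacy.key alpn=http/1.1
ssl_cert_name=default.pem
"""
CONTEXTS = parse_config(SAMPLE)
```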
