From: James Peach
To: dev@trafficserver.apache.org
Cc: users@trafficserver.apache.org
Subject: Re: Configurations in ssl_multicert.config
Date: Tue, 8 Nov 2016 20:37:28 -0800
Message-Id: <4FDB4577-0633-4E92-B012-20E1CA5E7C83@apache.org>
Mailing-List: users@trafficserver.apache.org (archived Wed, 09 Nov 2016 04:37:31 -0000)

> On Nov 8, 2016, at 1:17 PM, Leif Hedstrom wrote:
>
> Hi all,
>
> I know this has been discussed many times before, but it keeps coming back to bite me in ugly ways. Right now, there’s no way (other than plugin code) to make TLS behave differently based on the SSL context (the line in ssl_multicert.config that matched the SNI or IP). This is a real drag, and a serious shortcoming IMO. The way I see things, ssl_multicert.config is to TLS as what remap.config is to HTTP, but we don’t treat it as such for some reason.
>
> So, what I need right now are two things, but I can see this getting expanded in the future:
>
> 1) Custom ALPN negotiation for a context (say, don’t allow H2 on a cert)
>
> 2) Custom TLS protocol settings for a context (say, turn off TLSv1.0 on a cert)
>
>
> So, something like this (just for show, not a proposal):
>
> ssl_cert_name=ogre.crt ssl_key_name=ogre.key ssl_ca_name=ca.crt protocols=tlsv1.1,tlsv1.2 alpn=h2,https
>
>
> The settings in records.config then become global defaults for those contexts which lack explicit rules.

My thoughts on this are/were in https://issues.apache.org/jira/browse/TS-2773. Allow all the SSL configurations to be overridden per-certificate. This doesn’t address client certificates, which are severely limited. Alternatively, lua snippets ;)

J
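The semantics both messages describe (a per-context line may carry its own TLS protocol and ALPN settings, and anything the line omits inherits the records.config global default) can be modelled in a few dozen lines. The following is an added illustration, not code from Traffic Server or from either poster: the `protocols=` and `alpn=` keys are the hypothetical ones from Leif's "just for show" line, the `GLOBAL_DEFAULTS` values and the sample config are constructed, and `contexts_allowing()` is an assumed helper that answers the operational question an administrator would ask after such a change (which contexts still admit TLSv1.0).

```python
"""Resolve per-certificate TLS policy from ssl_multicert.config-style lines.

Added example for the thread above. The per-context keys `protocols=` and
`alpn=` are hypothetical (Leif's "not a proposal" line); real lines carry
keys such as dest_ip, ssl_cert_name, ssl_key_name and ssl_ca_name.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass, field

# Constructed stand-in for the records.config global defaults (assumed values,
# not ATS's real defaults): what a context inherits when its line is silent.
GLOBAL_DEFAULTS = {
    "protocols": ["tlsv1.0", "tlsv1.1", "tlsv1.2"],
    "alpn": ["h2", "http/1.1"],
}

LIST_KEYS = ("protocols", "alpn")            # hypothetical per-context overrides
KNOWN_PROTOCOLS = {"tlsv1.0", "tlsv1.1", "tlsv1.2"}


@dataclass
class SslContext:
    cert: str                                # ssl_cert_name (required)
    key: str | None = None                   # ssl_key_name
    ca: str | None = None                    # ssl_ca_name
    dest_ip: str | None = None               # dest_ip; absent means the default context
    protocols: list[str] = field(default_factory=list)   # effective policy
    alpn: list[str] = field(default_factory=list)        # effective policy
    overrides: set[str] = field(default_factory=set)     # keys set explicitly on the line
    extra: dict[str, str] = field(default_factory=dict)  # other keys, passed through


def parse_line(line: str, defaults: dict = GLOBAL_DEFAULTS) -> SslContext | None:
    """Parse one config line into a context carrying its *effective* policy.

    Returns None for blank lines and comments. Malformed input raises
    ValueError so a bad line fails loudly instead of silently inheriting
    the (usually more permissive) global defaults.
    """
    body = line.split("#", 1)[0].strip()
    if not body:
        return None
    kv: dict[str, str] = {}
    for token in shlex.split(body):
        if "=" not in token:
            raise ValueError(f"expected key=value, got {token!r}")
        k, v = token.split("=", 1)
        if k in kv:
            raise ValueError(f"duplicate key {k!r}")
        kv[k] = v
    if "ssl_cert_name" not in kv:
        raise ValueError("ssl_cert_name is required")
    ctx = SslContext(cert=kv.pop("ssl_cert_name"),
                     key=kv.pop("ssl_key_name", None),
                     ca=kv.pop("ssl_ca_name", None),
                     dest_ip=kv.pop("dest_ip", None))
    for k in LIST_KEYS:
        if k in kv:
            values = [v.strip().lower() for v in kv.pop(k).split(",") if v.strip()]
            if not values:
                raise ValueError(f"{k}= must list at least one value")
            if k == "protocols":
                unknown = set(values) - KNOWN_PROTOCOLS
                if unknown:
                    raise ValueError(f"unknown protocol(s): {sorted(unknown)}")
            setattr(ctx, k, values)
            ctx.overrides.add(k)
        else:
            setattr(ctx, k, list(defaults[k]))   # inherit the global default
    ctx.extra = kv
    return ctx


def load_config(text: str, defaults: dict = GLOBAL_DEFAULTS) -> list[SslContext]:
    """Parse a whole file, reporting the line number of any malformed entry."""
    contexts = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            ctx = parse_line(line, defaults)
        except ValueError as exc:
            raise ValueError(f"line {lineno}: {exc}") from exc
        if ctx is not None:
            contexts.append(ctx)
    return contexts


def contexts_allowing(contexts: list[SslContext], protocol: str) -> list[str]:
    """Cert names whose effective policy still admits `protocol` (e.g. 'tlsv1.0')."""
    return [c.cert for c in contexts if protocol in c.protocols]


# Constructed sample config; the ogre line is the one quoted in the thread.
SAMPLE = """\
# default context, inherits everything from records.config
ssl_cert_name=default.crt ssl_key_name=default.key
ssl_cert_name=ogre.crt ssl_key_name=ogre.key ssl_ca_name=ca.crt protocols=tlsv1.1,tlsv1.2 alpn=h2,https
dest_ip=192.0.2.10 ssl_cert_name=legacy.crt alpn=http/1.1   # H2 off, protocols inherited
"""

if __name__ == "__main__":
    contexts = load_config(SAMPLE)
    for c in contexts:
        print(f"{c.cert:12} protocols={','.join(c.protocols):24} alpn={','.join(c.alpn):12} "
              f"overridden={sorted(c.overrides) or 'none'}")
    print("contexts still allowing TLSv1.0:", contexts_allowing(contexts, "tlsv1.0"))
```

Two design points worth noting. Inheritance is computed once at load time and recorded in `overrides`, so an audit can distinguish "TLSv1.0 allowed because the operator chose it" from "TLSv1.0 allowed because the line said nothing"; the second case is the one a records.config change would silently flip. And parse errors are fatal rather than skipped, because a context line that fails to parse and falls back to the default certificate is exactly the failure mode that quietly widens the protocol set.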