trafficserver-users mailing list archives
From Miles Libbey <>
Subject Re: Looking for opinions on additions to ssl_server_name.yaml
Date Tue, 20 Nov 2018 00:18:44 GMT
On Mon, Nov 19, 2018 at 3:43 PM Susan Hinrichs <> wrote:
> Ok.  I didn't know how to do lists in yaml.

I think both of you are right for the yaml syntax
fruits: [apples, oranges, strawberries]
is equivalent yaml to
  - apples
  - oranges
  - strawberries

> I think you will still want to specify an enable list or a disable list depending on
> the use case.  It is highly unlikely that you will want an "all" option.  Many of the old,
> old protocols should never be enabled.

+1. Seems like whenever I've found a whitelist to be useful,
inevitably a blacklist has also become useful. (So, I'm +1 on the

I'm guessing the whitelist one would turn on that version for this
context regardless of the global; and similarly, if a version is *not*
mentioned in the whitelist, but on globally, it would be off for that

I think I'd follow the records.config names as much as possible --
TLSv1_1 (from "proxy.config.ssl.TLSv1_1").

> On Mon, Nov 19, 2018 at 4:31 PM Alan Carroll <> wrote:
>> I don't like either. I'd prefer "tls-enable: [ 1_0, 1_1, 1_2, 1_3 ]" with the special
>> case of "tls-enable: all" where if it's not enabled, it's disabled. Or, if separate flags,
>> "tls_1_3: enable/disable" in which case the protocol levels are enabled by default.
>> On Mon, Nov 19, 2018 at 4:11 PM Susan Hinrichs <> wrote:
>>> We currently have the ability to turn off HTTP/2 support on a per domain basis
>>> via the disable_h2 option in ssl_server_name.yaml
>>> Folks have asked for a similar mechanism to not offer TLS protocols (e.g. 1.3)
>>> for specific domain names.  I can see use cases for adding or removing from the default in
>>> records.config for very new protocols (e.g. the phone app for a domain doesn't handle TLSv1.3)
>>> or very old protocols (e.g. some critical set top boxes can only use TLSv1.0).
>>> We could have a separate toggle for each protocol.  Directly mapping what is
>>> in records.config.
>>> - fqdn:
>>>   enable_tls_v1_3: true/false
>>> Or we could try to have a list entry
>>> - fqdn:
>>>   enable_tls_protocols:
>>>     - tls_v1_3
>>>     - tls_v1_2
>>>   disable_tls_protocols:
>>>     - tls_v1.0
>>> Please share your opinions.
>> --
>> Beware the fisherman who's casting out his line in to a dried up riverbed.
>> Oh don't try to tell him 'cause he won't believe. Throw some bread to the ducks instead.
>> It's easier that way. - Genesis : Duke : VI 25-28
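As an added illustration of the semantics discussed in this thread (not code from Apache Traffic Server or from any of the posters), the following Ruby script loads a constructed ssl_server_name.yaml fragment in the proposed list form, using Ruby's standard YAML library, and resolves the effective TLS versions per fqdn. It assumes the reading guessed above: an enable list acts as a whitelist that replaces the global set for that context, the disable list is then removed, "all" is rejected, names follow the records.config keys (TLSv1_1 and so on), and the global defaults are made-up stand-ins for records.config.

```ruby
require 'yaml'
require 'set'

# Protocol names follow the records.config keys (proxy.config.ssl.TLSv1_x).
KNOWN = %w[TLSv1 TLSv1_1 TLSv1_2 TLSv1_3].freeze
LEGACY = %w[TLSv1 TLSv1_1].freeze   # versions the thread says should stay off

# Constructed stand-in for the global records.config settings (assumption).
GLOBAL_DEFAULTS = { 'TLSv1' => false, 'TLSv1_1' => false,
                    'TLSv1_2' => true, 'TLSv1_3' => true }.freeze

# Constructed sample in the proposed shape. The first entry uses a flow-style
# list, the second block-style lists; YAML loads both as the same array.
SAMPLE_YAML = <<~YAML
  - fqdn: app.example.com
    disable_tls_protocols: [TLSv1_3]
  - fqdn: stb.example.com
    enable_tls_protocols:
      - TLSv1
      - TLSv1_2
    disable_tls_protocols:
      - TLSv1_3
YAML

# Validate one list: reject "all" and any name not in the records.config vocabulary.
def check_list(list, field)
  list = Array(list).map(&:to_s)
  raise ArgumentError, "#{field}: 'all' is not accepted" if list.include?('all')
  bad = list - KNOWN
  raise ArgumentError, "#{field}: unknown protocol(s) #{bad.join(', ')}" unless bad.empty?
  list
end

# Effective set for one fqdn: an enable list (whitelist) replaces the global set
# outright; the disable list is removed afterwards. Returns [set, warnings].
def effective_protocols(entry, defaults = GLOBAL_DEFAULTS)
  enable  = check_list(entry['enable_tls_protocols'], 'enable_tls_protocols')
  disable = check_list(entry['disable_tls_protocols'], 'disable_tls_protocols')
  on = entry.key?('enable_tls_protocols') ? Set.new(enable) : Set.new(defaults.select { |_, v| v }.keys)
  on.subtract(disable)
  warnings = (on & LEGACY).map { |p| "#{entry['fqdn']}: enables legacy #{p}" }
  [on, warnings]
end

# Map fqdn -> { protocols: sorted names, warnings: legacy-version notices }.
def resolve(yaml_text)
  YAML.safe_load(yaml_text).to_h do |entry|
    set, warns = effective_protocols(entry)
    [entry['fqdn'], { protocols: set.to_a.sort, warnings: warns }]
  end
end

resolve(SAMPLE_YAML).each { |f, r| puts "#{f}: #{r[:protocols].join(' ')} #{r[:warnings]}" } if __FILE__ == $PROGRAM_NAME
```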
