From: Alan Carroll
Date: Sun, 13 Sep 2020 10:24:50 -0500
Subject: [CONFIG] proxy.config.ssl.client.sni_policy
To: users@trafficserver.apache.org

I have put up a PR, 7188, which changes proxy.config.ssl.client.sni_policy to allow setting the outbound SNI literally. This is of marginal at best utility in "records.config" but is very useful for plugins such as Transaction Box or conf_remap - these would now be able to explicitly set the outbound SNI, rather than only indirectly influencing it via the request URL or Host field.

Internally this comes up because of a layer of upstream ATS instances that are used for routing. To route correctly the Host field must be set, but currently doing so causes the SNI to also be set to that value which breaks certificate verification. The host can't be set in the request URL because ATS *aggressively* strips the host, which is something else I would like to fix in the future. Setting the SNI to the pre-remap host via this mechanism makes it easy to fix.