You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@trafficserver.apache.org by "Leif Hedstrom (JIRA)" <ji...@apache.org> on 2015/05/13 20:10:01 UTC

[jira] [Updated] (TS-3599) Multiple dest_ip=* directives has unpredictable behavior in ssl_multicert.config

     [ https://issues.apache.org/jira/browse/TS-3599?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Leif Hedstrom updated TS-3599:
------------------------------
    Fix Version/s: 6.0.0

> Multiple dest_ip=* directives has unpredictable behavior in ssl_multicert.config
> --------------------------------------------------------------------------------
>
>                 Key: TS-3599
>                 URL: https://issues.apache.org/jira/browse/TS-3599
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: SSL
>            Reporter: Leif Hedstrom
>             Fix For: 6.0.0
>
>
> If I create an ssl_multicert.config with e.g.
> {code}
> dest_ip=* ssl_key_name=foo.key ssl_cert_name=foo.crt
> dest_ip=* ssl_key_name=bar.key ssl_cert_name=bar.crt
> {code}
> Then even with an SNI enabled client, which uses SNI in the TLS handshake, ATS seems to arbitrarily pick a cert. This seems nonsensical, I get the impression that dest_ip=<anything> would only take effect if there is no SNI in the handshake?
> I understand that more than one dest_ip=* is perhaps not a valid configuration, but in that case we ought to either error out (fail to start), or at least produce a really loud warning.  Clearly making it fail like this seems unreasonable :).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)