Posted to issues@trafficserver.apache.org by "Alan M. Carroll (JIRA)" <ji...@apache.org> on 2014/11/19 16:20:34 UTC

[jira] [Commented] (TS-3153) Ability to disable/modify protocols based on SNI information

    [ https://issues.apache.org/jira/browse/TS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14218009#comment-14218009 ] 

Alan M. Carroll commented on TS-3153:
-------------------------------------

The fundamental goal here is to be able to set the NPN set in an SSL NetVC before it does the NPN negotiation. For the particular use case that drove this bug it would be sufficient to filter the existing list, but I think we should aim for the more general mechanism.

We already have the ssl_[un]register_protocol functions to manipulate the NPN list; the problem is that these are done globally. What would be necessary for this is to make an NPN set (internally SSLNextProtocolSet) a directly accessible object. This would require at least the following operations:

* Create NPN set.
* Destroy NPN set.
* Register and unregister protocol in NPN set.
* Copy existing NPN set for a proxy port.
* Set the NPN set for an SSL NetVC.

Another hurdle I see is that proxy ports are also inaccessible. Even in the current use case it is important for the plugin to be able to manipulate the NPN set differently for different proxy ports.

I'm a bit miffed because this was a central theme of my Early Intervention talk. I do think that if we're going to provide this kind of early intervention we need to do a robust, general API or we'll be piling hack upon hack to do all the things that will be desired.

> Ability to disable/modify protocols based on SNI information
> ------------------------------------------------------------
>
>                 Key: TS-3153
>                 URL: https://issues.apache.org/jira/browse/TS-3153
>             Project: Traffic Server
>          Issue Type: Improvement
>          Components: HTTP/2, SPDY
>            Reporter: Bryan Call
>             Fix For: 5.2.0
>
>         Attachments: TS-3153.diff
>
>
> We are running into problems where certain origin servers are having issues when SPDY is enabled.  It would be great to have more control over when protocols are enabled.
> One way to do this would be to add a protocol option to the entry in the ssl_multicert config.  We would then add additional entries for domains that need to disable the protocols.  All protocols should be enabled by default.



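The operations listed in the comment above (create, destroy, register/unregister, copy from a proxy port, set on a connection), sketched as an added example that is not Traffic Server code and not part of the original thread. `ProtocolSet`, `ProxyPort` and `setForSni` are hypothetical names, the hostname is constructed, and the byte layout is the length-prefixed protocol list NPN advertises.

```cpp
#include <algorithm>
#include <cstdint>
#include <string>
#include <vector>

// Hypothetical per-connection protocol set (a stand-in, not the real SSLNextProtocolSet).
class ProtocolSet {
public:
  bool has(const std::string &p) const { return std::find(protos_.begin(), protos_.end(), p) != protos_.end(); }
  bool registerProtocol(const std::string &p) {
    if (p.empty() || p.size() > 255 || has(p)) return false; // name length must fit in one byte
    protos_.push_back(p);
    return true;
  }
  bool unregisterProtocol(const std::string &p) {
    auto it = std::find(protos_.begin(), protos_.end(), p);
    if (it == protos_.end()) return false;
    protos_.erase(it);
    return true;
  }
  // Advertised list as it goes on the wire: one length byte, then the protocol name.
  std::vector<uint8_t> advertised() const {
    std::vector<uint8_t> out;
    for (const auto &p : protos_) {
      out.push_back(static_cast<uint8_t>(p.size()));
      out.insert(out.end(), p.begin(), p.end());
    }
    return out;
  }
private:
  std::vector<std::string> protos_;
};

struct ProxyPort { ProtocolSet npn; }; // each proxy port owns its own default set

// Copy the port's set and filter only the copy, so the port and other connections are untouched.
ProtocolSet setForSni(const ProxyPort &port, const std::string &sni,
                      const std::vector<std::string> &noSpdyHosts) {
  ProtocolSet s = port.npn;
  if (std::find(noSpdyHosts.begin(), noSpdyHosts.end(), sni) != noSpdyHosts.end())
    s.unregisterProtocol("spdy/3.1");
  return s;
}

int main() {
  ProxyPort port; // constructed sample: one port offering SPDY and HTTP/1.1
  port.npn.registerProtocol("spdy/3.1");
  port.npn.registerProtocol("http/1.1");
  ProtocolSet s = setForSni(port, "legacy.example.com", {"legacy.example.com"});
  return s.has("spdy/3.1") ? 1 : 0; // 0: the filtered copy no longer offers SPDY
}
```

Because the filter runs on a copy, a global unregister is never needed and the port's default set stays intact for every other SNI name.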