Posted to dev@trafficserver.apache.org by Jan-Frode Myklebust <ja...@tanso.net> on 2012/08/06 08:54:14 UTC

ATS requiring SNI for SSL termination?

Ref: https://issues.apache.org/jira/browse/TS-1392

It seems like ATS v3.2.0 requires a Server Name Indication (SNI) to do
SSL termination.  We use wildcard certs, and don't need/want SNI, so is
there some way to turn off SNI to get broader client support for our
services?


  -jf

Re: cache improvements

Posted by "Vickers, Mark" <Ma...@cable.comcast.com>.
On Aug 6, 2012, at 11:44 AM, Nick Kew wrote:

> You should also note that any substantial contribution would
> need IP clearance from yourselves and your clients.
> Details at www.apache.org.

That is our plan. Thanks for your help.

Thanks,
Mark Vickers
VP Software Architecture
Comcast


Re: cache improvements

Posted by Nick Kew <ni...@apache.org>.
On Mon, 6 Aug 2012 10:04:50 -0400
Ira Heffan <IH...@topcoder.com> wrote:

> Thanks for any guidance. 

First, please don't post here in a followup to an unrelated message.
You're starting a new topic, so you start a new thread.

Second, do you have or plan a test suite that will demonstrate
the problem you're looking to solve and tell us when it's solved?

The forum to discuss your work is indeed this list.  Once you
have ideas firm enough to merit technical discussion, you are
of course welcome to post them here, whether it be to seek
comment on ideas, help with work in progress, or to contribute
finished work back upstream.

If you want to introduce core changes you'll of course have to
explain and justify them.  Alternatively if you can do it all
in a plugin (as the JIRA issues suggests) then you can just go
ahead autonomously.

You should also note that any substantial contribution would
need IP clearance from yourselves and your clients.
Details at www.apache.org.

Having said all that, if you are indeed making a significant
contribution in a tricky area, that's great and welcome.
Looking forward to it!


-- 
Nick Kew

Re: cache improvements

Posted by Leif Hedstrom <zw...@apache.org>.
On 8/6/12 8:04 AM, Ira Heffan wrote:
> My company (TopCoder) on behalf of our client (Comcast) would like to make improvements to the range-handling of the ATS cache, basically addressing this issue: https://issues.apache.org/jira/browse/TS-974.  For example, as we envision it, after our development effort, the cache will be able to serve requests out of partial objects and get more parts of a file to satisfy a range request.


This would be complicated, to say the least :). And, as the thread 
indicates, needs proper discussions on the mailing lists.

Part of the complication is that you can't just blindly cache any range 
request, for any substantially large object, there's a very large number 
of possible Range: requests (so, you could end up filling the entire 
cache for just a single object if not careful). So, some sort of 
minimum size requirements would have to be in place, e.g. chunk the 
object into <n>MB pieces. That gets particularly difficult to deal with 
now, since a request might cause the CacheSM to read a number of cache 
objects to satisfy the request.

We've had a discussion in the past of implementing a way to "background" 
fill the entire object into cache. I believe there's at least one bug 
filed for this, and there was also a lengthy discussion on the mailing 
list. Doing something like this would be substantially easier, but not 
as powerful as caching partial objects. While background filling an 
object, you might end up having to proxy some number of requests, until 
they can be served out of the partially written full-size object. You 
also only want to background fill objects that can be cached, and are 
likely to get more requests.
>
> Our goal for this project is to have the code that we develop accepted back into the mainline project.   We would therefore like to discuss our approach in advance with the appropriate ATS maintainers and, to the extent possible, receive feedback on our architecture/design plans as well as the developed code.  Is this possible?  If so, what is the best way to accomplish this?   Our development team has subscribed to this list.
>

As Nick pointed out, the discussion definitely belongs here. I'd also 
encourage to start a Wiki page for collaboration (I don't think there is 
one, but double check before creating a new page).

Cheers,

-- Leif
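The chunking scheme Leif sketches above (store the object in fixed-size pieces and serve any Range from those pieces, rather than caching every distinct Range as its own object), worked through as an added example. This is not ATS code and not any participant's; the chunk size, object length and URL are constructed inputs, and the cache-key format is invented for illustration.

```python
"""Added example (not ATS code): serve an HTTP Range request from fixed-size
cache chunks instead of caching each distinct Range as its own object.

Chunk size, object length and URL used by callers are constructed inputs.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ByteRange:
    first: int   # inclusive
    last: int    # inclusive


def parse_range(header: str, object_len: int) -> List[ByteRange]:
    """Parse a 'bytes=' Range header into satisfiable closed ranges.

    Handles suffix ranges (bytes=-500), open-ended ranges (bytes=500-) and
    comma-separated lists; clamps to the object length and drops
    unsatisfiable specs; raises ValueError on malformed syntax.
    """
    if not header.startswith("bytes="):
        raise ValueError("unsupported range unit")
    ranges = []
    for spec in header[len("bytes="):].split(","):
        spec = spec.strip()
        if "-" not in spec:
            raise ValueError(f"bad range spec {spec!r}")
        start_s, end_s = spec.split("-", 1)
        if start_s == "" and end_s == "":
            raise ValueError("empty range spec")
        if start_s == "":                      # suffix range: last N bytes
            n = int(end_s)
            if n == 0:
                continue
            first, last = max(0, object_len - n), object_len - 1
        else:
            first = int(start_s)
            last = object_len - 1 if end_s == "" else min(int(end_s), object_len - 1)
        if first >= object_len or first > last:
            continue                           # unsatisfiable for this object
        ranges.append(ByteRange(first, last))
    return ranges


def chunks_for_range(r: ByteRange, chunk_size: int) -> List[Tuple[int, int, int]]:
    """Return (chunk_index, offset_in_chunk, length) triples covering r."""
    out = []
    pos = r.first
    while pos <= r.last:
        idx = pos // chunk_size
        off = pos - idx * chunk_size
        n = min(chunk_size - off, r.last - pos + 1)
        out.append((idx, off, n))
        pos += n
    return out


def cache_keys(url: str, header: str, object_len: int, chunk_size: int) -> List[str]:
    """Cache keys a chunked cache consults for a request, in read order.

    Every Range against this URL resolves to keys from the same bounded
    set (one per chunk), which is what keeps one object from filling the
    cache with one entry per distinct Range value.
    """
    keys = []
    for r in parse_range(header, object_len):
        for idx, _, _ in chunks_for_range(r, chunk_size):
            key = f"{url}#chunk={idx}"
            if key not in keys:
                keys.append(key)
    return keys


def chunk_count(object_len: int, chunk_size: int) -> int:
    """Upper bound on cache entries per object with chunking."""
    return -(-object_len // chunk_size)


def distinct_range_count(object_len: int) -> int:
    """Upper bound without chunking: one entry per (first, last) pair."""
    return object_len * (object_len + 1) // 2
```

The two bound functions make the cache-filling concern concrete: a 1 MB object has roughly 5e11 distinct single-range requests but fewer than a thousand 1 KiB chunks. A real implementation would still have to decide when a chunk miss is fetched from the origin (one chunk, a chunk-aligned larger range, or a background fill of the whole object) and how multi-range responses are assembled.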

Re: cache improvements

Posted by "Alan M. Carroll" <am...@thought-mesh.net>.
I would like to note that I am actively working on less drastic changes to range handling, specifically to move the range data from the object header to the alternate header. That will be needed before the further improvements here are implemented.


Re: cache improvements

Posted by "ming.zym@gmail.com" <mi...@gmail.com>.
yeah, glad to hear that you guys may take this hard task, and my team
may help on review & guide you on the cache rebuild. as it will be a
tough task, and the redesign of the very low disk layout may introduce
big problem, I'd suggest you post your design docs on the cwiki:

https://cwiki.apache.org/confluence/display/TS/Projects

thanks

On Mon, 2012-08-06 at 10:04 -0400, Ira Heffan wrote:
> My company (TopCoder) on behalf of our client (Comcast) would like to make improvements to the range-handling of the ATS cache, basically addressing this issue: https://issues.apache.org/jira/browse/TS-974.  For example, as we envision it, after our development effort, the cache will be able to serve requests out of partial objects and get more parts of a file to satisfy a range request.   
> 
> Our goal for this project is to have the code that we develop accepted back into the mainline project.   We would therefore like to discuss our approach in advance with the appropriate ATS maintainers and, to the extent possible, receive feedback on our architecture/design plans as well as the developed code.  Is this possible?  If so, what is the best way to accomplish this?   Our development team has subscribed to this list. 
> 
> Thanks for any guidance. 
> 
> -Ira
> 
> ---
> Ira Heffan   iheffan@topcoder.com
> tel. +1 (860) 734-1474

-- 
zym, Zhao Yongming.
aka: yonghao @ taobao.com

cache improvements

Posted by Ira Heffan <IH...@topcoder.com>.
My company (TopCoder) on behalf of our client (Comcast) would like to make improvements to the range-handling of the ATS cache, basically addressing this issue: https://issues.apache.org/jira/browse/TS-974.  For example, as we envision it, after our development effort, the cache will be able to serve requests out of partial objects and get more parts of a file to satisfy a range request.   

Our goal for this project is to have the code that we develop accepted back into the mainline project.   We would therefore like to discuss our approach in advance with the appropriate ATS maintainers and, to the extent possible, receive feedback on our architecture/design plans as well as the developed code.  Is this possible?  If so, what is the best way to accomplish this?   Our development team has subscribed to this list. 

Thanks for any guidance. 

-Ira

---
Ira Heffan   iheffan@topcoder.com
tel. +1 (860) 734-1474

Re: ATS requiring SNI for SSL termination?

Posted by Leif Hedstrom <zw...@apache.org>.
On 8/6/12 3:52 AM, Jan-Frode Myklebust wrote:
> On Mon, Aug 06, 2012 at 09:20:51AM -0000, Igor Galić wrote:
>>> Ref: https://issues.apache.org/jira/browse/TS-1392
>>>
>>> It seems like ATS v3.2.0 requires a Server Name Indication (SNI) to
>>> do
>>> SSL termination.  We use wildcard certs, and don't need/want SNI, so
>>> is
>>> there some way to turn off SNI to get broader client support for our
>>> services?
>> You would have to specify each IP as dest_ip
> I have specified dest_ip in ssl_multicert.conf:

Hmmm, that would be bad. I'm guessing we never tested a browser without 
SNI support :). How would I even do that, other than running IE on 
Windows XP? Is there a way to turn off SNI on the browser side?

This is a pretty serious bug, if it's the case (we definitely do *not* 
require SNI, intentionally).

Cheers,

-- leif

Re: ATS requiring SNI for SSL termination?

Posted by Jan-Frode Myklebust <ja...@tanso.net>.
On Mon, Aug 06, 2012 at 09:20:51AM -0000, Igor Galić wrote:
> > Ref: https://issues.apache.org/jira/browse/TS-1392
> >
> > It seems like ATS v3.2.0 requires a Server Name Indication (SNI) to
> > do
> > SSL termination.  We use wildcard certs, and don't need/want SNI, so
> > is
> > there some way to turn off SNI to get broader client support for our
> > services?
> 
> You would have to specify each IP as dest_ip

I have specified dest_ip in ssl_multicert.conf:

	dest_ip=109.247.114.202 ssl_cert_name=/etc/pki/tls/certs/STAR_services_example_net.crt ssl_key_name=/etc/pki/tls/private/STAR_services_example_net.key ssl_ca_name=/etc/pki/tls/certs/STAR_services_example_net.ca-bundle
	dest_ip=2a01:798:0:8008::202 ssl_cert_name=/etc/pki/tls/certs/STAR_services_example_net.crt ssl_key_name=/etc/pki/tls/private/STAR_services_example_net.key ssl_ca_name=/etc/pki/tls/certs/STAR_services_example_net.ca-bundle
#
	dest_ip=109.247.114.203 ssl_cert_name=/etc/pki/tls/certs/STAR_services_example_net.crt ssl_key_name=/etc/pki/tls/private/STAR_services_example_net.key ssl_ca_name=/etc/pki/tls/certs/STAR_services_example_net.ca-bundle
	dest_ip=2a01:798:0:8008::203 ssl_cert_name=/etc/pki/tls/certs/STAR_services_example_net.crt ssl_key_name=/etc/pki/tls/private/STAR_services_example_net.key ssl_ca_name=/etc/pki/tls/certs/STAR_services_example_net.ca-bundle



  -jf

Re: ATS requiring SNI for SSL termination?

Posted by Igor Galić <i....@brainsware.org>.

----- Original Message -----
> Ref: https://issues.apache.org/jira/browse/TS-1392
> 
> It seems like ATS v3.2.0 requires a Server Name Indication (SNI) to
> do
> SSL termination.  We use wildcard certs, and don't need/want SNI, so
> is
> there some way to turn off SNI to get broader client support for our
> services?

You would have to specify each IP as dest_ip

   or

we would have to extend our SSL code to do a lookup and only bind
a certain name to a certain IP.

Right now, if you wanted to disable SNI, you'd have to do so
by recompiling, adding -DOPENSSL_NO_TLSEXT to your C/XX/PP/FLAGS


i

>   -jf
> 

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/
GPG: 6880 4155 74BD FD7C B515  2EA5 4B1D 9E08 A097 C9AE
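Two things in this thread that a practitioner would want to see concretely: Leif's question of how to exercise the no-SNI path at all, and Igor's point that a per-IP dest_ip entry has to be what serves a client that sends no server name. The following added example (my code, not ATS code and not any participant's) builds a minimal ClientHello with and without the server_name extension, parses the name back the way a server-side callback would, and models an ssl_multicert.conf-style selection that falls back to the listening address and then a catch-all. The addresses, certificate file names, cipher suite and the exact-match name table are constructed for the example; real wildcard matching and the ATS config syntax are not reproduced.

```python
"""Added example (not ATS code): what a TLS terminator sees with and without SNI.

build_client_hello() constructs a minimal TLS 1.2 ClientHello, optionally
carrying a server_name extension; sni_from_client_hello() parses it back the
way a server-side callback would; select_cert() mimics an ssl_multicert.conf
style lookup that must still succeed when the client sent no SNI.
Addresses, cert names and the name table are constructed for this example.
"""
import struct

SNI_EXT_TYPE = 0  # TLS extension type server_name


def build_client_hello(server_name=None) -> bytes:
    """Return one TLS record holding a ClientHello (TLS 1.2 shape).
    Random, session id and cipher list are constructed filler values."""
    body = b"\x03\x03" + bytes(32) + b"\x00"        # version, random, empty session id
    body += struct.pack("!H", 2) + b"\xc0\x2f"      # one cipher suite
    body += b"\x01\x00"                             # one compression method: null
    exts = b""
    if server_name is not None:
        host = server_name.encode("idna")
        name_entry = b"\x00" + struct.pack("!H", len(host)) + host   # name_type host_name(0)
        sni_data = struct.pack("!H", len(name_entry)) + name_entry
        exts += struct.pack("!HH", SNI_EXT_TYPE, len(sni_data)) + sni_data
    if exts:
        body += struct.pack("!H", len(exts)) + exts  # extensions block only if non-empty
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body        # client_hello(1), 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs      # handshake record


def sni_from_client_hello(record: bytes):
    """Return the host_name from server_name, or None if the client sent none.
    Raises ValueError for anything that is not a well-formed ClientHello."""
    try:
        return _parse_sni(record)
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc


def _parse_sni(record: bytes):
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                            # version + random
    pos += 1 + body[pos]                                    # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]    # cipher suites
    pos += 1 + body[pos]                                    # compression methods
    if pos == len(body):
        return None                                         # no extensions block at all
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    if end > len(body):
        raise ValueError("extensions overrun ClientHello")
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype != SNI_EXT_TYPE:
            continue
        list_len = struct.unpack("!H", edata[:2])[0]
        p = 2
        while p + 3 <= 2 + list_len:
            ntype, nlen = edata[p], struct.unpack("!H", edata[p + 1:p + 3])[0]
            name = edata[p + 3:p + 3 + nlen]
            p += 3 + nlen
            if ntype == 0:
                return name.decode("ascii")
    return None                                             # extensions present, no SNI


# Constructed stand-in for ssl_multicert.conf: a wildcard cert bound to each
# listening IP, one name-specific cert, and a catch-all.  Exact-match names
# only; real wildcard matching is out of scope here.
MULTICERT = [
    {"dest_ip": "203.0.113.10", "ssl_cert_name": "STAR_example_net.crt"},
    {"dest_ip": "2001:db8::10", "ssl_cert_name": "STAR_example_net.crt"},
    {"names": {"secure.example.org"}, "ssl_cert_name": "secure_example_org.crt"},
    {"dest_ip": "*", "ssl_cert_name": "default.crt"},
]


def select_cert(dest_ip: str, client_hello: bytes) -> str:
    """SNI name first when present, then the cert bound to the destination
    IP, then the catch-all.  A client without SNI must still get a cert."""
    sni = sni_from_client_hello(client_hello)
    if sni is not None:
        for entry in MULTICERT:
            if sni in entry.get("names", ()):
                return entry["ssl_cert_name"]
    for entry in MULTICERT:
        if entry.get("dest_ip") == dest_ip:
            return entry["ssl_cert_name"]
    for entry in MULTICERT:
        if entry.get("dest_ip") == "*":
            return entry["ssl_cert_name"]
    raise LookupError("no certificate for this listener")
```

The parser distinguishes "no extensions block" from "extensions present but no server_name"; both must map to the dest_ip path, and a terminator that treats either as a handshake failure has the bug this thread describes. To probe a live server rather than a constructed hello, current OpenSSL's s_client has a -noservername switch (older s_client versions simply omitted SNI unless -servername was given), which is a quicker check than finding a browser without SNI support.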