Posted to dev@trafficserver.apache.org by Jan-Frode Myklebust <ja...@tanso.net> on 2012/08/06 08:54:14 UTC
ATS requiring SNI for SSL termination?
Ref: https://issues.apache.org/jira/browse/TS-1392
It seems like ATS v3.2.0 requires a Server Name Indication (SNI) to do
SSL termination. We use wildcard certs, and don't need/want SNI, so is
there some way to turn off SNI to get broader client support for our
services?
-jf
Re: cache improvements
Posted by "Vickers, Mark" <Ma...@cable.comcast.com>.
On Aug 6, 2012, at 11:44 AM, Nick Kew wrote:
> You should also note that any substantial contribution would
> need IP clearance from yourselves and your clients.
> Details at www.apache.org.
That is our plan. Thanks for your help.
Thanks,
Mark Vickers
VP Software Architecture
Comcast
Re: cache improvements
Posted by Nick Kew <ni...@apache.org>.
On Mon, 6 Aug 2012 10:04:50 -0400
Ira Heffan <IH...@topcoder.com> wrote:
> Thanks for any guidance.
First, please don't post here in a followup to an unrelated message.
You're starting a new topic, so you start a new thread.
Second, do you have or plan a test suite that will demonstrate
the problem you're looking to solve and tell us when it's solved?
The forum to discuss your work is indeed this list. Once you
have ideas firm enough to merit technical discussion, you are
of course welcome to post them here, whether it be to seek
comment on ideas, help with work in progress, or to contribute
finished work back upstream.
If you want to introduce core changes you'll of course have to
explain and justify them. Alternatively, if you can do it all
in a plugin (as the JIRA issue suggests) then you can just go
ahead autonomously.
You should also note that any substantial contribution would
need IP clearance from yourselves and your clients.
Details at www.apache.org.
Having said all that, if you are indeed making a significant
contribution in a tricky area, that's great and welcome.
Looking forward to it!
--
Nick Kew
Re: cache improvements
Posted by Leif Hedstrom <zw...@apache.org>.
On 8/6/12 8:04 AM, Ira Heffan wrote:
> My company (TopCoder) on behalf of our client (Comcast) would like to make improvements to the range-handling of the ATS cache, basically addressing this issue: https://issues.apache.org/jira/browse/TS-974. For example, as we envision it, after our development effort, the cache will be able to serve requests out of partial objects and get more parts of a file to satisfy a range request.
This would be complicated, to say the least :). And, as the thread
indicates, needs proper discussions on the mailing lists.
Part of the complication is that you can't just blindly cache any range
request: for any substantially large object, there's a very large number
of possible Range: requests (so you could end up filling the entire
cache for just a single object if not careful). So, some sort of
minimum size requirement would have to be in place, e.g. chunk the
object into <n>MB pieces. That gets particularly difficult to deal with
now, since a request might cause the CacheSM to read a number of cache
objects to satisfy the request.
We've had a discussion in the past of implementing a way to "background"
fill the entire object into cache. I believe there's at least one bug
filed for this, and there was also a lengthy discussion on the mailing
list. Doing something like this would be substantially easier, but not
as powerful as caching partial objects. While background filling an
object, you might end up having to proxy some number of requests, until
they can be served out of the partially written full-size object. You
also only want to background fill objects that can be cached, and are
likely to get more requests.
>
> Our goal for this project is to have the code that we develop accepted back into the mainline project. We would therefore like to discuss our approach in advance with the appropriate ATS maintainers and, to the extent possible, receive feedback on our architecture/design plans as well as the developed code. Is this possible? If so, what is the best way to accomplish this? Our development team has subscribed to this list.
>
As Nick pointed out, the discussion definitely belongs here. I'd also
encourage you to start a Wiki page for collaboration (I don't think there is
one, but double check before creating a new page).
Cheers,
-- Leif
Re: cache improvements
Posted by "Alan M. Carroll" <am...@thought-mesh.net>.
I would like to note that I am actively working on less drastic changes to range handling, specifically to move the range data from the object header to the alternate header. That will be needed before the further improvements here are implemented.
Re: cache improvements
Posted by "ming.zym@gmail.com" <mi...@gmail.com>.
Yeah, glad to hear that you guys may take on this hard task, and my team
may help review and guide you on the cache rebuild. As it will be a
tough task, and the redesign of the very low-level disk layout may introduce
big problems, I'd suggest you post your design docs on the cwiki:
https://cwiki.apache.org/confluence/display/TS/Projects
thanks
On Mon, 2012-08-06 at 10:04 -0400, Ira Heffan wrote:
> My company (TopCoder) on behalf of our client (Comcast) would like to make improvements to the range-handling of the ATS cache, basically addressing this issue: https://issues.apache.org/jira/browse/TS-974. For example, as we envision it, after our development effort, the cache will be able to serve requests out of partial objects and get more parts of a file to satisfy a range request.
>
> Our goal for this project is to have the code that we develop accepted back into the mainline project. We would therefore like to discuss our approach in advance with the appropriate ATS maintainers and, to the extent possible, receive feedback on our architecture/design plans as well as the developed code. Is this possible? If so, what is the best way to accomplish this? Our development team has subscribed to this list.
>
> Thanks for any guidance.
>
> -Ira
>
> ---
> Ira Heffan iheffan@topcoder.com
> tel. +1 (860) 734-1474
--
zym, Zhao Yongming.
aka: yonghao @ taobao.com
cache improvements
Posted by Ira Heffan <IH...@topcoder.com>.
My company (TopCoder) on behalf of our client (Comcast) would like to make improvements to the range-handling of the ATS cache, basically addressing this issue: https://issues.apache.org/jira/browse/TS-974. For example, as we envision it, after our development effort, the cache will be able to serve requests out of partial objects and get more parts of a file to satisfy a range request.
Our goal for this project is to have the code that we develop accepted back into the mainline project. We would therefore like to discuss our approach in advance with the appropriate ATS maintainers and, to the extent possible, receive feedback on our architecture/design plans as well as the developed code. Is this possible? If so, what is the best way to accomplish this? Our development team has subscribed to this list.
Thanks for any guidance.
-Ira
---
Ira Heffan iheffan@topcoder.com
tel. +1 (860) 734-1474
Re: ATS requiring SNI for SSL termination?
Posted by Leif Hedstrom <zw...@apache.org>.
On 8/6/12 3:52 AM, Jan-Frode Myklebust wrote:
> On Mon, Aug 06, 2012 at 09:20:51AM -0000, Igor Galić wrote:
>>> Ref: https://issues.apache.org/jira/browse/TS-1392
>>>
>>> It seems like ATS v3.2.0 requires a Server Name Indication (SNI) to
>>> do
>>> SSL termination. We use wildcard certs, and don't need/want SNI, so
>>> is
>>> there some way to turn off SNI to get broader client support for our
>>> services?
>> You would have to specify each IP as dest_ip
> I have specified dest_ip in ssl_multicert.conf:
Hmmm, that would be bad. I'm guessing we never tested a browser without
SNI support :). How would I even do that, other than running IE on
Windows XP? Is there a way to turn off SNI on the browser side?
This is a pretty serious bug, if it's the case (we definitely do *not*
require SNI, intentionally).
Cheers,
-- leif
Re: ATS requiring SNI for SSL termination?
Posted by Jan-Frode Myklebust <ja...@tanso.net>.
On Mon, Aug 06, 2012 at 09:20:51AM -0000, Igor Galić wrote:
> > Ref: https://issues.apache.org/jira/browse/TS-1392
> >
> > It seems like ATS v3.2.0 requires a Server Name Indication (SNI) to
> > do
> > SSL termination. We use wildcard certs, and don't need/want SNI, so
> > is
> > there some way to turn off SNI to get broader client support for our
> > services?
>
> You would have to specify each IP as dest_ip
I have specified dest_ip in ssl_multicert.conf:
dest_ip=109.247.114.202 ssl_cert_name=/etc/pki/tls/certs/STAR_services_example_net.crt ssl_key_name=/etc/pki/tls/private/STAR_services_example_net.key ssl_ca_name=/etc/pki/tls/certs/STAR_services_example_net.ca-bundle
dest_ip=2a01:798:0:8008::202 ssl_cert_name=/etc/pki/tls/certs/STAR_services_example_net.crt ssl_key_name=/etc/pki/tls/private/STAR_services_example_net.key ssl_ca_name=/etc/pki/tls/certs/STAR_services_example_net.ca-bundle
#
dest_ip=109.247.114.203 ssl_cert_name=/etc/pki/tls/certs/STAR_services_example_net.crt ssl_key_name=/etc/pki/tls/private/STAR_services_example_net.key ssl_ca_name=/etc/pki/tls/certs/STAR_services_example_net.ca-bundle
dest_ip=2a01:798:0:8008::203 ssl_cert_name=/etc/pki/tls/certs/STAR_services_example_net.crt ssl_key_name=/etc/pki/tls/private/STAR_services_example_net.key ssl_ca_name=/etc/pki/tls/certs/STAR_services_example_net.ca-bundle
-jf
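The question behind this thread is whether every listening address is covered for clients that send no SNI. The following is an added example (not ATS code and not from any poster) that parses ssl_multicert.conf lines in the format quoted above and reports which certificate a no-SNI client would be matched to by dest_ip alone; it assumes the documented `dest_ip=*` catch-all entry and models only the configuration lookup, not the v3.2.0 behaviour reported in TS-1392.

```python
# Coverage check for an Apache Traffic Server ssl_multicert.conf (added
# example, not ATS code). Parses key=value lines as quoted in the thread and
# reports which certificate a client sending no SNI is matched to by dest_ip
# alone ('dest_ip=*' is the documented catch-all). Config lookup only.
import ipaddress
import shlex

# Constructed sample: the two .202 entries quoted in the thread plus an
# SNI-only entry (no dest_ip), which a no-SNI client can never be matched to.
SAMPLE_CONF = """\
dest_ip=109.247.114.202 ssl_cert_name=/etc/pki/tls/certs/STAR_services_example_net.crt ssl_key_name=/etc/pki/tls/private/STAR_services_example_net.key ssl_ca_name=/etc/pki/tls/certs/STAR_services_example_net.ca-bundle
dest_ip=2a01:798:0:8008::202 ssl_cert_name=/etc/pki/tls/certs/STAR_services_example_net.crt ssl_key_name=/etc/pki/tls/private/STAR_services_example_net.key ssl_ca_name=/etc/pki/tls/certs/STAR_services_example_net.ca-bundle
ssl_cert_name=/etc/pki/tls/certs/sni_only_example.crt ssl_key_name=/etc/pki/tls/private/sni_only_example.key
"""

def parse_multicert(text):
    """One dict per non-comment line, keyed by its key=value tokens."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        entry = {}
        for token in shlex.split(line):
            key, sep, value = token.partition("=")
            if not sep or not key:
                raise ValueError(f"malformed token {token!r} in {line!r}")
            entry[key] = value
        if "ssl_cert_name" not in entry:
            raise ValueError(f"no ssl_cert_name in {line!r}")
        entries.append(entry)
    return entries

def cert_without_sni(entries, client_dest_ip):
    """Certificate for a client that sent no SNI: the entry whose dest_ip
    equals the connected address, else the first 'dest_ip=*' entry, else None."""
    addr = ipaddress.ip_address(client_dest_ip)
    default = None
    for e in entries:
        dest = e.get("dest_ip")
        if dest == "*":
            default = default or e["ssl_cert_name"]
        elif dest is not None and ipaddress.ip_address(dest) == addr:
            return e["ssl_cert_name"]
    return default

def uncovered_addresses(entries, listening_ips):
    """Listening addresses where a no-SNI client would get no certificate."""
    return [ip for ip in listening_ips if cert_without_sni(entries, ip) is None]
```

Run `uncovered_addresses` over the addresses the server actually binds; a non-empty result means those addresses serve a certificate only to SNI-capable clients unless a `dest_ip=*` entry is added.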
Re: ATS requiring SNI for SSL termination?
Posted by Igor Galić <i....@brainsware.org>.
----- Original Message -----
> Ref: https://issues.apache.org/jira/browse/TS-1392
>
> It seems like ATS v3.2.0 requires a Server Name Indication (SNI) to
> do
> SSL termination. We use wildcard certs, and don't need/want SNI, so
> is
> there some way to turn off SNI to get broader client support for our
> services?
You would have to specify each IP as dest_ip
or
we would have to extend our SSL code to do a lookup and only bind
a certain name to a certain IP.
Right now, if you wanted to disable SNI, you'd have to do so
by recompiling, adding -DOPENSSL_NO_TLSEXT to your C/XX/PP/FLAGS.
> -jf
>
--
Igor Galić
Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/
GPG: 6880 4155 74BD FD7C B515 2EA5 4B1D 9E08 A097 C9AE