Posted to issues@trafficserver.apache.org by "Leif Hedstrom (JIRA)" <ji...@apache.org> on 2015/05/13 20:10:00 UTC
[jira] [Created] (TS-3599) Multiple dest_ip=* directives has unpredictable behavior in ssl_multicert.config
Leif Hedstrom created TS-3599:
---------------------------------
Summary: Multiple dest_ip=* directives has unpredictable behavior in ssl_multicert.config
Key: TS-3599
URL: https://issues.apache.org/jira/browse/TS-3599
Project: Traffic Server
Issue Type: Bug
Components: SSL
Reporter: Leif Hedstrom
If I create an ssl_multicert.config with e.g.
{code}
dest_ip=* ssl_key_name=foo.key ssl_cert_name=foo.crt
dest_ip=* ssl_key_name=bar.key ssl_cert_name=bar.crt
{code}
Then even with an SNI-enabled client, which uses SNI in the TLS handshake, ATS seems to arbitrarily pick a cert. This seems nonsensical; I get the impression that dest_ip=<anything> would only take effect if there is no SNI in the handshake?
I understand that more than one dest_ip=* is perhaps not a valid configuration, but in that case we ought to either error out (fail to start), or at least produce a really loud warning. Clearly making it fail like this seems unreasonable :).
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
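
The "error out or warn loudly" check asked for in this report can be approximated outside ATS with a pre-deployment lint of ssl_multicert.config. The following is an added example, not part of the original message and not Traffic Server code; the function names are hypothetical, and it assumes whitespace-separated key=value tokens, "#" comment lines, and literal string comparison of dest_ip values.

```python
"""Lint ssl_multicert.config text for repeated dest_ip values (added example)."""
import sys
from collections import defaultdict

# Constructed sample: the two lines from the report plus one unambiguous
# entry (192.0.2.10 is a documentation-only address).
SAMPLE = """\
# constructed sample
dest_ip=* ssl_key_name=foo.key ssl_cert_name=foo.crt
dest_ip=* ssl_key_name=bar.key ssl_cert_name=bar.crt
dest_ip=192.0.2.10 ssl_key_name=baz.key ssl_cert_name=baz.crt
"""

def parse_line(line):
    """Return {key: value} for one directive line, or None for blank/comment."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if not sep or not key:
            raise ValueError(f"not a key=value token: {token!r}")
        fields[key] = value
    return fields

def find_duplicate_dest_ip(text):
    """Map each dest_ip value used more than once to [(line_no, cert), ...]."""
    seen = defaultdict(list)
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = parse_line(raw)
        if fields is None or "dest_ip" not in fields:
            continue  # lines without dest_ip are outside this check
        seen[fields["dest_ip"]].append((line_no, fields.get("ssl_cert_name")))
    return {ip: uses for ip, uses in seen.items() if len(uses) > 1}

def lint(text):
    """Return one error string per ambiguous dest_ip; an empty list means clean."""
    errors = []
    for ip, uses in sorted(find_duplicate_dest_ip(text).items()):
        where = ", ".join(f"line {n} ({cert})" for n, cert in uses)
        errors.append(f"dest_ip={ip} appears {len(uses)} times: {where}")
    return errors

if __name__ == "__main__":
    problems = lint(SAMPLE)
    for problem in problems:
        print("ERROR:", problem, file=sys.stderr)
    sys.exit(1 if problems else 0)  # non-zero exit lets a deploy step refuse the file
```

Run against the sample, the script exits non-zero and names both lines that claim dest_ip=*, so the ambiguous file can be rejected before ATS loads it.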