You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@trafficserver.apache.org by "Leif Hedstrom (JIRA)" <ji...@apache.org> on 2015/05/13 20:10:00 UTC

[jira] [Created] (TS-3599) Multiple dest_ip=* directives has unpredictable behavior in ssl_multicert.config

Leif Hedstrom created TS-3599:
---------------------------------

             Summary: Multiple dest_ip=* directives has unpredictable behavior in ssl_multicert.config
                 Key: TS-3599
                 URL: https://issues.apache.org/jira/browse/TS-3599
             Project: Traffic Server
          Issue Type: Bug
          Components: SSL
            Reporter: Leif Hedstrom


If I create an ssl_multicert.config with e.g.

{code}
dest_ip=* ssl_key_name=foo.key ssl_cert_name=foo.crt
dest_ip=* ssl_key_name=bar.key ssl_cert_name=bar.crt
{code}

Then even with an SNI enabled client, which uses SNI in the TLS handshake, ATS seems to arbitrarily pick a cert. This seems nonsensical, I get the impression that dest_ip=<anything> would only take effect if there is no SNI in the handshake?

I understand that more than one dest_ip=* is perhaps not a valid configuration, but in that case we ought to either error out (fail to start), or at least produce a really loud warning.  Clearly making it fail like this seems unreasonable :).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)