Posted to dev@trafficserver.apache.org by Leif Hedstrom <zw...@apache.org> on 2016/11/08 21:17:22 UTC

Configurations in ssl_multicert.config

Hi all,

I know this has been discussed many times before, but it keeps coming back to bite me in ugly ways. Right now, there’s no way (other than plugin code) to make TLS behave differently based on the SSL context (the line in ssl_multicert.config that matched the SNI or IP). This is a real drag, and a serious shortcoming IMO. The way I see things, ssl_multicert.config is to TLS what remap.config is to HTTP, but we don’t treat it as such for some reason.

So, what I need right now are two things, but I can see this getting expanded in the future:

1) Custom ALPN negotiation for a context (say, don’t allow H2 on a cert)

2) Custom TLS protocol settings for a context (say, turn off TLSv1.0 on a cert)


So, something like this (just for show, not a proposal):

   ssl_cert_name=ogre.crt ssl_key_name=ogre.key ssl_ca_name=ca.crt protocols=tlsv1.1,tlsv1.2 alpn=h2,https


The settings in records.config then become global defaults for those contexts which lack explicit rules.

And discuss.

— leif
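To make the semantics of the sketch above concrete, here is an added example (not Apache Traffic Server code, and not from the original mail) that parses the hypothetical per-context line format, fills in records.config-style global defaults for any context that sets nothing, and then shows what a per-context policy would decide for one ClientHello: which TLS version is allowed and which ALPN token is picked. The keys `protocols` and `alpn` are the ones sketched in the mail; the sample config text and the `GLOBAL_DEFAULTS` values are constructed for the example, and the contexts are keyed by `ssl_cert_name` as a stand-in for whatever SNI or IP matching would otherwise produce.

```python
"""Hypothetical per-context ssl_multicert.config parser and policy resolver.

Added illustration only; the keys 'protocols' and 'alpn' are the ones sketched
in the mail, and the sample data below is constructed, not from any real config.
"""
import shlex
from dataclasses import dataclass, field
from typing import Optional

# Known TLS version tokens, oldest to newest (used for validation and ordering).
TLS_VERSIONS = ("tlsv1.0", "tlsv1.1", "tlsv1.2", "tlsv1.3")

# Constructed sample: the first line carries explicit overrides (the line from
# the mail), the second sets nothing and therefore inherits the global defaults.
SAMPLE_MULTICERT = """\
# comment lines and blank lines are ignored
ssl_cert_name=ogre.crt ssl_key_name=ogre.key ssl_ca_name=ca.crt protocols=tlsv1.1,tlsv1.2 alpn=h2,https
ssl_cert_name=legacy.crt ssl_key_name=legacy.key
"""

# Constructed stand-in for the relevant records.config values (global defaults).
GLOBAL_DEFAULTS = {
    "protocols": ("tlsv1.0", "tlsv1.1", "tlsv1.2"),
    "alpn": ("h2", "http/1.1"),
}


@dataclass
class SslContext:
    cert_name: str
    key_name: Optional[str] = None
    ca_name: Optional[str] = None
    protocols: Optional[tuple] = None   # None: inherit the global default
    alpn: Optional[tuple] = None        # None: inherit the global default
    extra: dict = field(default_factory=dict)  # any other key=value pairs, passed through


def parse_multicert(text):
    """Parse key=value lines into SslContext objects; reject malformed lines early."""
    contexts = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        fields = {}
        for token in shlex.split(line):
            if "=" not in token:
                raise ValueError(f"line {lineno}: expected key=value, got {token!r}")
            key, value = token.split("=", 1)
            if key in fields:
                raise ValueError(f"line {lineno}: duplicate key {key!r}")
            fields[key] = value
        if "ssl_cert_name" not in fields:
            raise ValueError(f"line {lineno}: ssl_cert_name is required")
        protocols = None
        if "protocols" in fields:
            protocols = tuple(p.lower() for p in fields.pop("protocols").split(","))
            unknown = [p for p in protocols if p not in TLS_VERSIONS]
            if unknown:
                raise ValueError(f"line {lineno}: unknown protocol(s) {unknown}")
        alpn = None
        if "alpn" in fields:
            alpn = tuple(fields.pop("alpn").split(","))  # ALPN tokens are opaque strings
        contexts.append(SslContext(
            cert_name=fields.pop("ssl_cert_name"),
            key_name=fields.pop("ssl_key_name", None),
            ca_name=fields.pop("ssl_ca_name", None),
            protocols=protocols, alpn=alpn, extra=fields))
    return contexts


def effective_settings(ctx, defaults):
    """Per-context values win; a context that sets nothing gets the global defaults."""
    return {
        "protocols": ctx.protocols if ctx.protocols is not None else tuple(defaults["protocols"]),
        "alpn": ctx.alpn if ctx.alpn is not None else tuple(defaults["alpn"]),
    }


def select_alpn(server_preference, client_offered):
    """Server-preference ALPN: first server token the client also offered, else None."""
    offered = set(client_offered)
    for proto in server_preference:
        if proto in offered:
            return proto
    return None


def negotiate_version(allowed, client_supported):
    """Highest TLS version both sides allow, or None when there is no overlap."""
    common = set(allowed) & set(client_supported)
    for version in reversed(TLS_VERSIONS):
        if version in common:
            return version
    return None


def handshake_decision(ctx, defaults, client_versions, client_alpn):
    """Policy outcome for one ClientHello against the context that matched it."""
    settings = effective_settings(ctx, defaults)
    version = negotiate_version(settings["protocols"], client_versions)
    if version is None:
        return {"accepted": False, "version": None, "alpn": None}
    return {"accepted": True, "version": version,
            "alpn": select_alpn(settings["alpn"], client_alpn)}


if __name__ == "__main__":
    by_cert = {c.cert_name: c for c in parse_multicert(SAMPLE_MULTICERT)}
    # A TLSv1.0-only client is refused on ogre.crt but accepted on legacy.crt.
    for name in ("ogre.crt", "legacy.crt"):
        print(name, handshake_decision(by_cert[name], GLOBAL_DEFAULTS, ["tlsv1.0"], ["h2"]))
```

The fallback rule is the whole point of the resolver: a context line that omits `protocols` or `alpn` is indistinguishable from one that never existed, so the global records.config values apply to it unchanged, while a line that sets either key replaces the global value entirely rather than merging with it.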


Re: Configurations in ssl_multicert.config

Posted by James Peach <jp...@apache.org>.
> On Nov 8, 2016, at 1:17 PM, Leif Hedstrom <zw...@apache.org> wrote:
> 
> Hi all,
> 
> I know this has been discussed many times before, but it keeps coming back to bite me in ugly ways. Right now, there’s no way (other than plugin code) to make TLS behave differently based on the SSL context (the line in ssl_multicert.config that matched the SNI or IP). This is a real drag, and a serious shortcoming IMO. The way I see things, ssl_multicert.config is to TLS what remap.config is to HTTP, but we don’t treat it as such for some reason.
> 
> So, what I need right now are two things, but I can see this getting expanded in the future:
> 
> 1) Custom ALPN negotiation for a context (say, don’t allow H2 on a cert)
> 
> 2) Custom TLS protocol settings for a context (say, turn off TLSv1.0 on a cert)
> 
> 
> So, something like this (just for show, not a proposal):
> 
>   ssl_cert_name=ogre.crt ssl_key_name=ogre.key ssl_ca_name=ca.crt protocols=tlsv1.1,tlsv1.2 alpn=h2,https
> 
> 
> The settings in records.config then become global defaults for those contexts which lack explicit rules.

My thoughts on this are/were in https://issues.apache.org/jira/browse/TS-2773. Allow all the SSL configurations to be overridden per-certificate. This doesn’t address client certificates, which are severely limited. Alternatively, lua snippets ;)

J

