Posted to issues@trafficserver.apache.org by "Leif Hedstrom (JIRA)" <ji...@apache.org> on 2015/05/13 14:56:00 UTC
[jira] [Created] (TS-3598) Should we add an option to refuse non-SNI negotiated TLS connections
Leif Hedstrom created TS-3598:
---------------------------------
Summary: Should we add an option to refuse non-SNI negotiated TLS connections
Key: TS-3598
URL: https://issues.apache.org/jira/browse/TS-3598
Project: Traffic Server
Issue Type: Improvement
Components: SSL
Reporter: Leif Hedstrom
I'm not 100% certain how this interoperates with all the various SSL and TLS versions, but we might want to consider adding an option to refuse non-SNI handshakes completely.
The rationale is this:
If we have multiple sites, as configured in ssl_multicert.config, but the box does not have unique IPs for each such cert, then the current behavior is undesirable (maybe even insecure?). E.g. the setup would be:
{code}
dest_ip=* ssl_cert_name=cert1.crt ssl_key_name=key1.key
dest_ip=* ssl_cert_name=cert2.crt ssl_key_name=key2.key
dest_ip=* ssl_cert_name=cert3.crt ssl_key_name=key2.key
{code}
In the case of a non-SNI connection, the first certificate will now always be presented. This is likely not to be "secure", in that the browser will either reject or give nasty errors / warnings about the wrong CN in the certificate.
In this case, having an option to say "refuse non-SNI handshakes" might be more desirable.
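Added example, not part of the original message and not Traffic Server code: a Python sketch of the decision the issue proposes, which parses a ClientHello for the server_name extension and either refuses the handshake or falls back to the first certificate. The function names, the single-record ClientHello and the fallback for unknown names are assumptions of this example.

```python
import struct

SNI_EXT = 0  # extension type of server_name (RFC 6066)

def client_hello_sni(record: bytes):
    """Return the SNI host name in a ClientHello record, or None if there is none."""
    if len(record) < 9 or record[0] != 22 or record[5] != 1:
        raise ValueError("not a TLS ClientHello record")
    body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    try:
        pos = 4 + 2 + 32                                      # header, version, random
        pos += 1 + body[pos]                                  # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                                  # compression_methods
        if pos == len(body):
            return None                                       # no extensions block at all
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if ext_type == SNI_EXT:
                # list_len(2), name_type(1), name_len(2), host name
                name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]
                return body[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
        return None
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated ClientHello") from exc

def select_cert(record, certs, refuse_non_sni):
    """certs: ordered (host, cert) pairs; returns a cert name, or None to refuse."""
    host = client_hello_sni(record)
    if host is None:
        return None if refuse_non_sni else certs[0][1]
    return dict(certs).get(host, certs[0][1])  # unknown name: first cert (assumption)

def build_hello(host=None):
    """Constructed sample ClientHello (not a capture); host=None leaves SNI out."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    if host:
        name = host.encode()
        sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
        body += struct.pack("!HHH", len(sni) + 4, SNI_EXT, len(sni)) + sni
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

With `refuse_non_sni` off, a hello built without a host name gets the first entry's certificate, which is the wrong-CN case the message describes; with it on, the same hello is refused.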