Posted to issues@trafficserver.apache.org by "Sudheer Vinukonda (JIRA)" <ji...@apache.org> on 2014/12/22 19:13:13 UTC

[jira] [Commented] (TS-3153) Ability to disable/modify protocols based on SNI information

    [ https://issues.apache.org/jira/browse/TS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14255991#comment-14255991 ] 

Sudheer Vinukonda commented on TS-3153:
---------------------------------------

Discussed with [~amc] and he suggested the following solution:

1. Add a pointer to SessionAccept object <session_accept> in SSLNetVConnection (in addition to the existing SSLNextProtocolSet pointer <npnSet>)

2. In SSLNextProtocolAccept::mainEvent, set the SessionAccept object pointer in SSLNetVConnection to the SSLNextProtocolSessionAccept object on NET_EVENT_ACCEPT.

With the above framework, a user plugin should be able to do the below:

1. Create a bunch of SSLNextProtocolSet (npnSet) objects for each configured SNI for all the acceptor objects (based on the available list of acceptor objects, SLL<SSLNextProtocolAccept> ssl_plugin_acceptors). This step also makes sure the created npnSet objects are validated against the registered protocol list for each acceptor.

2. When an SNI callback happens, the plugin uses the SNI and the netvc->session_accept to locate a custom npnSet. If an npnSet is available, it updates the netvc->npnSet; otherwise it does nothing.

> Ability to disable/modify protocols based on SNI information
> ------------------------------------------------------------
>
>                 Key: TS-3153
>                 URL: https://issues.apache.org/jira/browse/TS-3153
>             Project: Traffic Server
>          Issue Type: Improvement
>          Components: HTTP/2, SPDY
>            Reporter: Bryan Call
>            Assignee: Sudheer Vinukonda
>             Fix For: 5.3.0
>
>         Attachments: TS-3153.diff
>
>
> We are running into problems where certain origin servers are having issues when SPDY is enabled.  It would be great to have more control over when protocols are enabled.
> One way to do this would be to add a protocol option to the entry in the ssl_multicert config.  We would then add additional entries for domains that need to disable the protocols.  All protocols should be enabled by default.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
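
The two plugin steps in the comment above can be modelled as follows. This is an added example, not part of the original message and not Traffic Server code. `ProtoSet`, `Acceptor`, `NetVC` and `SniProtoTable` are hypothetical stand-ins for the classes named in the comment, and the hostnames and protocol lists are constructed sample data.

```cpp
#include <algorithm>
#include <cctype>
#include <map>
#include <set>
#include <string>
#include <utility>

using ProtoSet = std::set<std::string>;     // stand-in for SSLNextProtocolSet
struct Acceptor { ProtoSet registered; };   // stand-in for SSLNextProtocolAccept
struct NetVC {                              // stand-in for SSLNetVConnection
  const Acceptor *session_accept = nullptr; // set on NET_EVENT_ACCEPT
  const ProtoSet *npnSet = nullptr;         // set currently offered to the client
};
// Hostnames are case-insensitive, so lookup keys are stored lower-cased.
static std::string lower(std::string s) {
  std::transform(s.begin(), s.end(), s.begin(),
                 [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
  return s;
}
class SniProtoTable {
  using Key = std::pair<const Acceptor *, std::string>;
  std::map<Key, ProtoSet> sets_;
public:
  // Plugin step 1: accept a custom set only if every protocol in it is
  // registered on that acceptor.
  bool add(const Acceptor &a, const std::string &sni, const ProtoSet &wanted) {
    if (!std::includes(a.registered.begin(), a.registered.end(),
                       wanted.begin(), wanted.end()))
      return false;
    sets_[Key(&a, lower(sni))] = wanted;
    return true;
  }
  // Plugin step 2: on the SNI callback, swap in the custom set if one exists
  // for (session_accept, SNI); otherwise leave npnSet untouched.
  bool on_sni(NetVC &vc, const std::string &sni) const {
    auto it = sets_.find(Key(vc.session_accept, lower(sni)));
    if (it == sets_.end()) return false;
    vc.npnSet = &it->second;
    return true;
  }
};

int main() {
  Acceptor a{{"http/1.1", "spdy/3.1"}};   // constructed sample data
  SniProtoTable t;
  t.add(a, "legacy.example.com", {"http/1.1"});
  NetVC vc; vc.session_accept = &a; vc.npnSet = &a.registered;
  return t.on_sni(vc, "LEGACY.example.com") && vc.npnSet->count("spdy/3.1") == 0 ? 0 : 1;
}
```

Keying the table on the acceptor as well as the SNI keeps a set validated for one port from being applied to a connection accepted on another.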