Posted to issues@trafficserver.apache.org by "James Peach (Created) (JIRA)" <ji...@apache.org> on 2012/03/18 05:27:54 UTC

[jira] [Created] (TS-1147) deprecate records.config SSL configuration

deprecate records.config SSL configuration
------------------------------------------

                 Key: TS-1147
                 URL: https://issues.apache.org/jira/browse/TS-1147
             Project: Traffic Server
          Issue Type: Improvement
          Components: SSL
            Reporter: James Peach
            Priority: Minor


Since ssl_multicert.config is a strict superset of the SSL certificate configuration in records.config, we should deprecate configuring SSL certificates in records.config and make ssl_multicert.config the One True Way.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] [Updated] (TS-1147) deprecate records.config SSL configuration

Posted by "Leif Hedstrom (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/TS-1147?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Leif Hedstrom updated TS-1147:
------------------------------

    Fix Version/s: 3.1.4
    

        

[jira] [Updated] (TS-1147) deprecate records.config SSL configuration

Posted by "James Peach (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/TS-1147?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

James Peach updated TS-1147:
----------------------------

    Fix Version/s:     (was: 3.1.4)
                   3.1.5
         Assignee: James Peach

I'm going to investigate this for 3.1.5 (aka. 3.2).
                

        

[jira] [Commented] (TS-1147) deprecate records.config SSL configuration

Posted by "James Peach (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TS-1147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13245396#comment-13245396 ] 

James Peach commented on TS-1147:
---------------------------------



Only the .filename options have been removed.


I added explicit support for this in ssl_multicert:
    dest_ip=* ssl_cert_name=foo.crt


No, it doesn't. If we can't find a certificate we will just fail the connection.


In my branch, the behaviour is to complete the SSL handshake using the default certificate. If the client accepts this, then there's no reason to return a 400.


                

        

[jira] [Commented] (TS-1147) deprecate records.config SSL configuration

Posted by "Igor Galić (Commented JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TS-1147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13245296#comment-13245296 ] 

Igor Galić commented on TS-1147:
--------------------------------

I suppose you'll only leave {{proxy.config.http.server_ports 443:ssl}} in {{records.config}}

What about the default certificate that {{records.config}} still configures?
It needs to be configured if one *really* wants SSL enabled, even if all of the real hosts are taken care of by {{ssl_multicert.config}}.

Now, in certain cases this might even make sense - someone accesses a proxy via {{HTTPS}}, asking for a host this proxy does not serve. Do we terminate the TLS session? Do we finish the TLS handshake offering a default certificate and returning the RFC compliant 400 HTTP code?

Here's what we do now, which begs the question why, exactly, we need the default certificate:
{noformat}
i.galic@pheme ~ % curl -vk -H'Host: this-is-a-bad-example.at' https://176.9.55.235:443/
* About to connect() to 176.9.55.235 port 443 (#0)
*   Trying 176.9.55.235... connected
* Connected to 176.9.55.235 (176.9.55.235) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to 176.9.55.235:443
* Closing connection #0
curl: (35) Unknown SSL protocol error in connection to 176.9.55.235:443
35 i.galic@pheme ~ % 
{noformat}
                

       

[jira] [Resolved] (TS-1147) deprecate records.config SSL configuration

Posted by "James Peach (Resolved) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/TS-1147?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

James Peach resolved TS-1147.
-----------------------------

    Resolution: Fixed

5fe79e6 TS-1147: Remove last cert.filename and private_key.filename references
cadc9b6 TS-1147: Implement default certificate fallback.
e2827c0 TS-1147: Remove default server SSL_CTX from SSLNetProcessor
a238d13 TS-1147: Remove proxy.config.ssl.server.private_key.filename
c426f4a TS-1147: Remove proxy.config.ssl.server.cert.filename
47255d3 TS-1147: Remove defaultEnabled flag from SSLNetProcessor::initSSLServerCTX()
e7d5784 TS-1147: Remove SSLNetProcessor::initSSL()

Someone please review!

                

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira
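
An added example, not part of the original thread and not Traffic Server code: a simplified Python model of the lookup discussed above (exact dest_ip match, then the dest_ip=* default, otherwise the connection fails), plus a migration check for the two records.config options the commits remove. The function names, sample addresses and file names other than foo.crt are assumptions, and SNI-based selection is not modelled.

```python
# Added illustration: simplified model, not Traffic Server source code.
REMOVED_RECORDS = (
    "proxy.config.ssl.server.cert.filename",
    "proxy.config.ssl.server.private_key.filename",
)

# Constructed sample inputs (documentation addresses, made-up file names).
RECORDS = """\
CONFIG proxy.config.http.server_ports STRING 443:ssl
CONFIG proxy.config.ssl.server.cert.filename STRING server.pem
"""
MULTICERT = """\
# one certificate per listening address, then the default
dest_ip=192.0.2.10 ssl_cert_name=site.crt
dest_ip=* ssl_cert_name=foo.crt
"""

def parse_multicert(text):
    """Map each dest_ip value to its ssl_cert_name."""
    certs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        if "dest_ip" in fields and "ssl_cert_name" in fields:
            certs[fields["dest_ip"]] = fields["ssl_cert_name"]
    return certs

def select_cert(certs, local_ip):
    """Exact dest_ip match, else the dest_ip=* default, else None.

    None models the connection failing because no certificate was found.
    """
    return certs.get(local_ip, certs.get("*"))

def audit(records_text, multicert_text):
    """List migration problems: removed options still set, no default cert."""
    findings = []
    for raw in records_text.splitlines():
        parts = raw.split()
        if len(parts) >= 2 and parts[0] == "CONFIG" and parts[1] in REMOVED_RECORDS:
            findings.append("removed option still set: " + parts[1])
    if "*" not in parse_multicert(multicert_text):
        findings.append("no dest_ip=* default certificate in ssl_multicert.config")
    return findings

if __name__ == "__main__":
    print(select_cert(parse_multicert(MULTICERT), "198.51.100.7"))
    print(audit(RECORDS, MULTICERT))
```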

        

[jira] [Commented] (TS-1147) deprecate records.config SSL configuration

Posted by "James Peach (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TS-1147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13244970#comment-13244970 ] 

James Peach commented on TS-1147:
---------------------------------

I have a patch in my queue.
                

        

[jira] [Commented] (TS-1147) deprecate records.config SSL configuration

Posted by "James Peach (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TS-1147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13245406#comment-13245406 ] 

James Peach commented on TS-1147:
---------------------------------

Wow, trying to reply in line via email really doesn't work so well ...
                

        

[jira] [Commented] (TS-1147) deprecate records.config SSL configuration

Posted by "Igor Galić (Commented JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/TS-1147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13249565#comment-13249565 ] 

Igor Galić commented on TS-1147:
--------------------------------

doing a code reading now
                

       

[jira] [Updated] (TS-1147) deprecate records.config SSL configuration

Posted by "Leif Hedstrom (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/TS-1147?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Leif Hedstrom updated TS-1147:
------------------------------

    Fix Version/s:     (was: 3.1.5)
                   3.1.4
    