Posted to users@trafficserver.apache.org by Jason Strongman <ja...@gmail.com> on 2014/09/28 18:24:08 UTC

SNI AND ATS

Version - 4.2.1.1
Mode - Reverse Proxy

Objective: To support multiple SSL sites, each with their own certificate,
and only use one IP/Port.

Does ATS support SNI for incoming requests as described in the below links?

Nginx:

https://www.digitalocean.com/community/tutorials/how-to-set-up-multiple-ssl-certificates-on-one-ip-with-nginx-on-ubuntu-12-04

Apache httpd:

https://www.digicert.com/ssl-support/apache-multiple-ssl-certificates-using-sni.htm


Based on my reading, SNI is not supported for incoming requests. It does
seem to be supported for requests between ATS and origin.

I suppose if SNI is supported, then each remap rule would need to have a
configuration overwrite mapping each rule to its own certificate/key.

Please advise.

Re: SNI AND ATS

Posted by Reindl Harald <h....@thelounge.net>.
On 29.09.2014 at 02:01, James Peach wrote:
> On Sep 28, 2014, at 9:26 AM, Reindl Harald <h....@thelounge.net> wrote:
>>
>> On 28.09.2014 at 18:24, Jason Strongman wrote:
>>> Version - 4.2.1.1
>>> Mode - Reverse Proxy
>>>
>>> Objective: To support multiple SSL sites, each with their own certificate, and only use one IP/Port.
>>> Does ATS support SNI for incoming requests as described in the below links?
>>
>> ATS supports *only* SNI for incoming requests
> 
> In 5.1, ATS supports SNI for outbound origin requests too (https://issues.apache.org/jira/browse/TS-2802)

cool - I wasn't even aware that it did not

maybe interesting on servers where the origin doesn't support
%{CONN_REMOTE_ADDR} and you are forced to have TLS there, because
a config like the one below, excluding the proxy from the redirect, is not
supported via mod_remoteip to stay with one IP address

added somewhere in httpd-2.4.x this year

<IfModule mod_rewrite.c>
 RewriteEngine on
 RewriteCond %{CONN_REMOTE_ADDR} !^127\.0\.0\.1
 RewriteCond %{HTTPS} off
 RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
</IfModule>


Re: SNI AND ATS

Posted by James Peach <jp...@apache.org>.
On Sep 28, 2014, at 9:26 AM, Reindl Harald <h....@thelounge.net> wrote:

> 
> On 28.09.2014 at 18:24, Jason Strongman wrote:
>> Version - 4.2.1.1
>> Mode - Reverse Proxy
>> 
>> Objective: To support multiple SSL sites, each with their own certificate, and only use one IP/Port.
>> Does ATS support SNI for incoming requests as described in the below links?
> 
> ATS supports *only* SNI for incoming requests

In 5.1, ATS supports SNI for outbound origin requests too (https://issues.apache.org/jira/browse/TS-2802).

Re: SNI AND ATS

Posted by James Peach <jp...@apache.org>.
On Sep 28, 2014, at 10:15 AM, Jason Strongman <ja...@gmail.com> wrote:

> When you say 'incoming' request, do you mean 
> 
> 1. client to ATS ?
> or
> 2. ATS to origin ?
> 
> Based on my understanding of the multiple certificate documentation, to support this configuration, ATS requires multiple IPs.
> Also based on my understanding, ATS does not support serving multiple certificates if the TLS/SSL service only listens on one socket.

https://trafficserver.readthedocs.org/en/latest/reference/configuration/ssl_multicert.config.en.html

Specifically, the "Certificate Selection" section discusses how SNI requests are handled. We support SNI using the certificate subject and alternate names in the certificate. If the documentation is not clear on this, I'd be happy to take patches or suggestions

> On Sun, Sep 28, 2014 at 11:26 AM, Reindl Harald <h....@thelounge.net> wrote:
> 
> On 28.09.2014 at 18:24, Jason Strongman wrote:
> > Version - 4.2.1.1
> > Mode - Reverse Proxy
> >
> > Objective: To support multiple SSL sites, each with their own certificate, and only use one IP/Port.
> > Does ATS support SNI for incoming requests as described in the below links?
> 
> ATS supports *only* SNI for incoming requests

Re: SNI AND ATS

Posted by Reindl Harald <h....@thelounge.net>.

On 28.09.2014 at 19:29, Jason Strongman wrote:
> bah.. it totally went over my head that you can define multiple certificates to the 'ssl_cert_name' param.
> 
> ssl_cert_name=FILENAME[,FILENAME ...]

for what reason?

you just tell ATS a list of certificates and based on
the SNI header and the CN they are presented to the client

> On Sun, Sep 28, 2014 at 12:24 PM, Reindl Harald <h.reindl@thelounge.net <ma...@thelounge.net>> wrote:
> 
> 
>     On 28.09.2014 at 19:15, Jason Strongman wrote:
>     > When you say 'incoming' request, do you mean
>     >
>     > 1. client to ATS ?
>     > or
>     > 2. ATS to origin ?
>     >
>     > Based on my understanding of the multiple certificate documentation, to support this configuration, ATS requires
>     > multiple IPs.
>     > Also based on my understanding, ATS does not support serving multiple certificates if the TLS/SSL service only
>     > listens on one socket.
> 
>     no - the reason for SNI is to provide a hostname from the
>     client and ATS is choosing the correct certificate based
>     on that SNI name, just as httpd does
> 
>     if you needed different IPs / sockets, SNI would be pointless
>     the reason for SNI is that you need only one IP for multiple SSL sites
> 
>     hence MSIE on WinXP is not supported
> 
>     [root@testserver:~]$ cat /etc/trafficserver/ssl_multicert.config
>     ssl_cert_name=afi.testserver.rhsoft.net.pem
>     ssl_cert_name=contentlounge.testserver.rhsoft.net.pem
>     ssl_cert_name=mailadmin.testserver.rhsoft.net.pem
>     ssl_cert_name=rhsoft.testserver.rhsoft.net.pem
>     ssl_cert_name=testserver.rhsoft.net.pem
>     ssl_cert_name=uploadprogress.testserver.rhsoft.net.pem
>     ssl_cert_name=webmail.testserver.rhsoft.net.pem
> 
>     > On Sun, Sep 28, 2014 at 11:26 AM, Reindl Harald <h.reindl@thelounge.net <ma...@thelounge.net>
>     <mailto:h.reindl@thelounge.net <ma...@thelounge.net>>> wrote:
>     >
>     >
>     >     On 28.09.2014 at 18:24, Jason Strongman wrote:
>     >     > Version - 4.2.1.1
>     >     > Mode - Reverse Proxy
>     >     >
>     >     > Objective: To support multiple SSL sites, each with their own certificate, and only use one IP/Port.
>     >     > Does ATS support SNI for incoming requests as described in the below links?
>     >
>     >     ATS supports *only* SNI for incoming requests


Re: SNI AND ATS

Posted by Jason Strongman <ja...@gmail.com>.
bah.. it totally went over my head that you can define multiple certificates to
the 'ssl_cert_name' param.

ssl_cert_name=FILENAME[,FILENAME ...]

thanks for the push.



On Sun, Sep 28, 2014 at 12:24 PM, Reindl Harald <h....@thelounge.net>
wrote:

>
> On 28.09.2014 at 19:15, Jason Strongman wrote:
> > When you say 'incoming' request, do you mean
> >
> > 1. client to ATS ?
> > or
> > 2. ATS to origin ?
> >
> > Based on my understanding of the multiple certificate documentation, to
> support this configuration, ATS requires
> > multiple IPs.
> > Also based on my understanding, ATS does not support serving multiple
> certificates if the TLS/SSL service only
> > listens on one socket.
>
> no - the reason for SNI is to provide a hostname from the
> client and ATS is choosing the correct certificate based
> on that SNI name, just as httpd does
>
> if you needed different IPs / sockets, SNI would be pointless
> the reason for SNI is that you need only one IP for multiple SSL sites
>
> hence MSIE on WinXP is not supported
>
> [root@testserver:~]$ cat /etc/trafficserver/ssl_multicert.config
> ssl_cert_name=afi.testserver.rhsoft.net.pem
> ssl_cert_name=contentlounge.testserver.rhsoft.net.pem
> ssl_cert_name=mailadmin.testserver.rhsoft.net.pem
> ssl_cert_name=rhsoft.testserver.rhsoft.net.pem
> ssl_cert_name=testserver.rhsoft.net.pem
> ssl_cert_name=uploadprogress.testserver.rhsoft.net.pem
> ssl_cert_name=webmail.testserver.rhsoft.net.pem
>
> > On Sun, Sep 28, 2014 at 11:26 AM, Reindl Harald <h.reindl@thelounge.net
> <ma...@thelounge.net>> wrote:
> >
> >
> >     On 28.09.2014 at 18:24, Jason Strongman wrote:
> >     > Version - 4.2.1.1
> >     > Mode - Reverse Proxy
> >     >
> >     > Objective: To support multiple SSL sites, each with their own
> certificate, and only use one IP/Port.
> >     > Does ATS support SNI for incoming requests as described in the
> below links?
> >
> >     ATS supports *only* SNI for incoming requests

Re: SNI AND ATS

Posted by Reindl Harald <h....@thelounge.net>.
On 28.09.2014 at 19:15, Jason Strongman wrote:
> When you say 'incoming' request, do you mean
> 
> 1. client to ATS ?
> or
> 2. ATS to origin ?
> 
> Based on my understanding of the multiple certificate documentation, to support this configuration, ATS requires
> multiple IPs.
> Also based on my understanding, ATS does not support serving multiple certificates if the TLS/SSL service only
> listens on one socket.

no - the reason for SNI is to provide a hostname from the
client and ATS is choosing the correct certificate based
on that SNI name, just as httpd does

if you needed different IPs / sockets, SNI would be pointless
the reason for SNI is that you need only one IP for multiple SSL sites

hence MSIE on WinXP is not supported

[root@testserver:~]$ cat /etc/trafficserver/ssl_multicert.config
ssl_cert_name=afi.testserver.rhsoft.net.pem
ssl_cert_name=contentlounge.testserver.rhsoft.net.pem
ssl_cert_name=mailadmin.testserver.rhsoft.net.pem
ssl_cert_name=rhsoft.testserver.rhsoft.net.pem
ssl_cert_name=testserver.rhsoft.net.pem
ssl_cert_name=uploadprogress.testserver.rhsoft.net.pem
ssl_cert_name=webmail.testserver.rhsoft.net.pem

> On Sun, Sep 28, 2014 at 11:26 AM, Reindl Harald <h.reindl@thelounge.net <ma...@thelounge.net>> wrote:
> 
> 
>     On 28.09.2014 at 18:24, Jason Strongman wrote:
>     > Version - 4.2.1.1
>     > Mode - Reverse Proxy
>     >
>     > Objective: To support multiple SSL sites, each with their own certificate, and only use one IP/Port.
>     > Does ATS support SNI for incoming requests as described in the below links?
> 
>     ATS supports *only* SNI for incoming requests


Re: SNI AND ATS

Posted by Jason Strongman <ja...@gmail.com>.
When you say 'incoming' request, do you mean

1. client to ATS ?
or
2. ATS to origin ?

Based on my understanding of the multiple certificate documentation, to
support this configuration, ATS requires multiple IPs.
Also based on my understanding, ATS does not support serving multiple
certificates if the TLS/SSL service only listens on one socket.




On Sun, Sep 28, 2014 at 11:26 AM, Reindl Harald <h....@thelounge.net>
wrote:

>
> On 28.09.2014 at 18:24, Jason Strongman wrote:
> > Version - 4.2.1.1
> > Mode - Reverse Proxy
> >
> > Objective: To support multiple SSL sites, each with their own
> certificate, and only use one IP/Port.
> > Does ATS support SNI for incoming requests as described in the below
> links?
>
> ATS supports *only* SNI for incoming requests

Re: SNI AND ATS

Posted by Reindl Harald <h....@thelounge.net>.
On 28.09.2014 at 18:24, Jason Strongman wrote:
> Version - 4.2.1.1
> Mode - Reverse Proxy
> 
> Objective: To support multiple SSL sites, each with their own certificate, and only use one IP/Port.
> Does ATS support SNI for incoming requests as described in the below links?

ATS supports *only* SNI for incoming requests