Posted to dev@trafficserver.apache.org by GitBox <gi...@apache.org> on 2020/04/20 18:11:43 UTC

[GitHub] [trafficserver] shinrich opened a new pull request #6690: Remove tls_versions from host sni policy check

shinrich opened a new pull request #6690:
URL: https://github.com/apache/trafficserver/pull/6690


   The current logic will apply the host name and SNI name match check if the host name would have triggered an SNI policy for verify_client or tls_versions.
   
   After working with this in production, @djcarlin ran into issues with the tls_versions. If the original connection negotiated TLS v1.3 but the SNI policy corresponding to the current host name would have only offered TLS 1.2, should we deny it? Or only deny if the version was lower than the specified policy.
   
   Ultimately we probably need a properties control here too.  In the short term, I suggest leaving the enforcement only for the client certificate policies.  As we gain experience, we can augment this configuration control or maybe go to something completely different.


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
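
The policy question raised above, modelled as an added example (not Traffic Server code and not from the PR author). The policy table, the field names verify_client / tls_versions, the "exact" versus "minimum" comparison modes and the sample host names are all assumptions made here to illustrate the three possible behaviours: enforce only the client-certificate policy (what the PR proposes), deny on any TLS-version mismatch, or deny only when the negotiated version is lower than what the host's policy allows.

```python
"""Host-name vs SNI policy consistency check, illustrated.

Added example, not ATS code. Policy fields, names and the comparison modes
are assumptions for illustration; they mirror the idea of a per-FQDN SNI
policy (client-cert verification, allowed TLS versions) but do not
reproduce Traffic Server's real sni.yaml syntax or internal logic.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional, Tuple

# Rank versions so "lower than the policy" can be expressed with "<".
TLS_ORDER = {"TLSv1": 1, "TLSv1_1": 2, "TLSv1_2": 3, "TLSv1_3": 4}


@dataclass(frozen=True)
class SniPolicy:
    fqdn: str                    # glob such as "*.example.com"
    verify_client: str = "NONE"  # assumed values: NONE / MODERATE / STRICT
    tls_versions: tuple = ()     # empty tuple means "any version offered"


# Constructed sample policy table (hypothetical hosts, not a real config).
POLICIES = [
    SniPolicy("secure.example.com", verify_client="STRICT", tls_versions=("TLSv1_2",)),
    SniPolicy("*.example.com", verify_client="NONE", tls_versions=("TLSv1_2", "TLSv1_3")),
    SniPolicy("legacy.example.net", verify_client="NONE", tls_versions=("TLSv1_2",)),
]


def lookup(fqdn: str) -> Optional[SniPolicy]:
    """First policy whose fqdn glob matches wins (assumed ordering rule)."""
    for policy in POLICIES:
        if fnmatchcase(fqdn, policy.fqdn):
            return policy
    return None


def host_allowed(sni: str, host: str, negotiated_version: str,
                 client_cert_presented: bool,
                 enforce_tls_versions: bool = False,
                 tls_mode: str = "exact") -> Tuple[bool, str]:
    """Decide whether a request for `host` may ride on a connection whose
    handshake used `sni`.  Returns (allowed, reason).

    enforce_tls_versions=False is the behaviour the PR moves to: only the
    client-certificate policy of the host name is enforced.
    tls_mode="exact"   : deny if the negotiated version is not in the host's list.
    tls_mode="minimum" : deny only if the negotiated version is lower than the
                         lowest version the host's policy would have offered.
    """
    if host == sni:
        return True, "host name matches SNI"
    host_policy = lookup(host)
    if host_policy is None:
        return True, "no policy for host name"

    # Client-certificate policy: simplification, anything other than NONE
    # is treated as "a certificate must have been presented".
    if host_policy.verify_client != "NONE" and not client_cert_presented:
        return False, "host policy requires a client certificate"

    if enforce_tls_versions and host_policy.tls_versions:
        if tls_mode == "exact":
            if negotiated_version not in host_policy.tls_versions:
                return False, "negotiated version not offered by host policy"
        elif tls_mode == "minimum":
            lowest = min(TLS_ORDER[v] for v in host_policy.tls_versions)
            if TLS_ORDER[negotiated_version] < lowest:
                return False, "negotiated version lower than host policy minimum"
        else:
            raise ValueError(f"unknown tls_mode {tls_mode!r}")
    return True, "ok"


if __name__ == "__main__":
    # The scenario from the PR: handshake on *.example.com at TLS 1.3, then a
    # request for a host whose own policy would only have offered TLS 1.2.
    args = ("www.example.com", "legacy.example.net", "TLSv1_3", False)
    print("cert-only   :", host_allowed(*args))
    print("exact match :", host_allowed(*args, enforce_tls_versions=True))
    print("minimum     :", host_allowed(*args, enforce_tls_versions=True, tls_mode="minimum"))
    print("no cert     :", host_allowed("www.example.com", "secure.example.com", "TLSv1_3", False))
```

With the PR's choice (enforce_tls_versions=False) the TLS 1.3 connection is accepted for the TLS-1.2-only host, while a host whose policy demands a client certificate is still refused when none was presented; the two other modes show the alternatives the PR leaves open for a later configuration control.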



[GitHub] [trafficserver] zwoop commented on pull request #6690: Remove tls_versions from host sni policy check

Posted by GitBox <gi...@apache.org>.
zwoop commented on pull request #6690:
URL: https://github.com/apache/trafficserver/pull/6690#issuecomment-623850268


   Cherry-picked to v9.0.x branch.

