[
https://issues.apache.org/jira/browse/TS-2924?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14055056#comment-14055056
]
Sudheer Vinukonda commented on TS-2924:
---------------------------------------
While it may be desirable to have ATS support a configurable cipher list for the
client context, as far as I understand, the root cause for this particular
issue is not related to whether the origin supports the latest SSL protocols. The
issue is mainly caused by some origins not correctly handling long Client Hello
messages. Disabling TLS may help in most cases, but the issue may still happen
if SNI is used and the origin's hostname is long enough.
For more details -
https://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=2771
OpenSSL seems to have a fix for this issue:
http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=0467ea686244
> Configurable client's ssl protocols and cipher suite
> ----------------------------------------------------
>
> Key: TS-2924
> URL: https://issues.apache.org/jira/browse/TS-2924
> Project: Traffic Server
> Issue Type: Improvement
> Components: SSL
> Reporter: Wei Sun
> Labels: yahoo
>
> A few old origins cannot support the latest SSL protocols well; ATS is
> expected to be able to configure a dedicated cipher suite and protocols for the SSL
> client context.
> {code}
> e.g. Enable SSLv3/TLSv1/TLSv1_1/TLSv1_2
> map http://foo1.com https://www.bankadviser.com/scbteod/scbteod_logo.GIF
> map http://foo2.com https://applications.bancopopular.com/images/emails/fb-share-button.jpg
> curl -H 'Host: foo1.com' http://localhost:8080/ -v // failed to setup ssl connection to origin
> curl -H 'Host: foo2.com' http://localhost:8080/ -v //SSL connection hang
> {code}
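To see how much the SNI hostname and cipher list contribute to the Client Hello discussed in the comment above, the following added example (not code from ATS, OpenSSL or either poster) captures the Client Hello that the local OpenSSL build would send, without touching the network, and parses out its size-relevant fields. The hostnames are constructed placeholders, and the function names are this example's own.

```python
import ssl
import struct

def client_hello(hostname=None, ciphers=None):
    """Return the first TLS record the local OpenSSL emits (no network I/O)."""
    ctx = ssl.create_default_context()
    if ciphers:
        ctx.set_ciphers(ciphers)       # only affects TLS 1.2-and-earlier suites
    if hostname is None:
        ctx.check_hostname = False     # required in order to omit SNI entirely
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass                           # expected: there is no peer to answer
    return outgoing.read()

def summarize(record):
    """Parse a Client Hello record into handshake length, suites, extensions."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a Client Hello")
    hs_len = int.from_bytes(record[6:9], "big")
    pos = 5 + 4 + 2 + 32               # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]             # session id
    suites_len = struct.unpack_from("!H", record, pos)[0]
    pos += 2 + suites_len
    pos += 1 + record[pos]             # compression methods
    ext_total = struct.unpack_from("!H", record, pos)[0]
    pos += 2
    end, exts = pos + ext_total, {}
    while pos < end:
        etype, elen = struct.unpack_from("!HH", record, pos)
        exts[etype] = elen             # extension type -> payload length
        pos += 4 + elen
    return {"handshake_len": hs_len,
            "cipher_suites": suites_len // 2,
            "extensions": exts}

if __name__ == "__main__":
    # Constructed hostnames: none, a short one, and a long one.
    for name in (None, "a.example", "x" * 60 + ".origin.example"):
        info = summarize(client_hello(name))
        print(name, "handshake bytes:", info["handshake_len"],
              "suites:", info["cipher_suites"],
              "SNI ext bytes:", info["extensions"].get(0))
```

Extension type 0 is server_name; its payload is 5 bytes of framing plus the hostname, so every extra hostname character adds one byte to the Client Hello.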