[ https://issues.apache.org/jira/browse/TS-2924?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14055827#comment-14055827 ]
Sudheer Vinukonda edited comment on TS-2924 at 7/9/14 3:50 PM:
---------------------------------------------------------------

I actually prefer not to have to disable any ssl protocol due to some (rare) origins not supporting a particular version of the protocol. The origin should still be able to negotiate an agreeable protocol version. Disabling the protocols/ciphers on ATS would affect all the origins (unless the configurable protocol/cipher list is made per origin and you know beforehand which origins support a specific protocol/cipher list, which is next to impossible). I would address the TLS hang issue with the openssl fixes and prefer not to have to disable protocols/ciphers. Having said that, a configurable ssl protocol/cipher suite for the client context on ATS is a nice-to-have enhancement and I am fine with that, other than the concern that it should not be used to solve "rare" origin issues.

was (Author: sudheerv):

I actually prefer not to have to disable any ssl protocol due to some (rare) origins not supporting a particular version of the protocol. The origin should still be able to negotiate an agreeable protocol version. Disabling the protocols on ATS would affect all the origins (unless the configurable cipher list is made per origin and you know beforehand which origins support a specific cipher list/protocol list, which is next to impossible). I would address the TLS hang issue with the openssl fixes and prefer not to have to disable protocols. Having said that, a configurable ssl protocol/cipher suite for the client context on ATS is a nice-to-have enhancement and I am fine with that, other than the concern that it should not be used to solve "rare" origin issues.
> Configurable client's ssl protocols and cipher suite
> ----------------------------------------------------
>
>                 Key: TS-2924
>                 URL: https://issues.apache.org/jira/browse/TS-2924
>             Project: Traffic Server
>          Issue Type: Improvement
>          Components: SSL
>            Reporter: Wei Sun
>              Labels: yahoo
>         Attachments: TS-2924.diff
>
> A few old origins cannot support the latest ssl protocols well, ats is
> expected to be able to configure dedicated cipher suite and protocols for SSL
> client context.
> {code}
> e.g. Enable SSLv3/TLSv1/TLSv1_1/TLSv1_2
> map http://foo1.com https://www.bankadviser.com/scbteod/scbteod_logo.GIF
> map http://foo2.com https://applications.bancopopular.com/images/emails/fb-share-button.jpg
> curl -H 'Host: foo1.com' http://localhost:8080/ -v // failed to setup ssl connection to origin
> curl -H 'Host: foo2.com' http://localhost:8080/ -v // SSL connection hang
> {code}

--
This message was sent by Atlassian JIRA
(v6.2#6252)