[https://issues.apache.org/jira/browse/TS-2924?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14055827#comment-14055827]
Sudheer Vinukonda edited comment on TS-2924 at 7/9/14 3:50 PM:
---------------------------------------------------------------
I actually prefer not to have to disable any SSL protocol due to some (rare)
origins not supporting a particular version of the protocol. The origin should
still be able to negotiate an agreeable protocol version. Disabling the
protocols/ciphers on ATS would affect all the origins (unless the configurable
protocol/cipher list is made per origin and you know beforehand which origins
support a specific protocol/cipher list, which is next to impossible). I would
address the TLS hang issue with the OpenSSL fixes and prefer not to have to
disable protocols/ciphers.
Having said that, a configurable SSL protocol/cipher suite for the client context on
ATS is a nice-to-have enhancement and I am fine with that, other than the
concern that it should not be used to solve "rare" origin issues.
was (Author: sudheerv):
I actually prefer not to have to disable any SSL protocol due to some (rare)
origins not supporting a particular version of the protocol. The origin should
still be able to negotiate an agreeable protocol version. Disabling the
protocols on ATS would affect all the origins (unless the configurable cipher
list is made per origin and you know beforehand which origins support a
specific cipher list/protocol list, which is next to impossible). I would
address the TLS hang issue with the OpenSSL fixes and prefer not to have to
disable protocols.
Having said that, a configurable SSL protocol/cipher suite for the client context on
ATS is a nice-to-have enhancement and I am fine with that, other than the
concern that it should not be used to solve "rare" origin issues.
> Configurable client's ssl protocols and cipher suite
> ----------------------------------------------------
>
> Key: TS-2924
> URL: https://issues.apache.org/jira/browse/TS-2924
> Project: Traffic Server
> Issue Type: Improvement
> Components: SSL
> Reporter: Wei Sun
> Labels: yahoo
> Attachments: TS-2924.diff
>
>
> A few old origins cannot support the latest SSL protocols well; ATS is
> expected to be able to configure a dedicated cipher suite and protocols for the
> SSL client context.
> {code}
> e.g. Enable SSLv3/TLSv1/TLSv1_1/TLSv1_2
> map http://foo1.com https://www.bankadviser.com/scbteod/scbteod_logo.GIF
> map http://foo2.com https://applications.bancopopular.com/images/emails/fb-share-button.jpg
> curl -H 'Host: foo1.com' http://localhost:8080/ -v // failed to set up SSL connection to origin
> curl -H 'Host: foo2.com' http://localhost:8080/ -v // SSL connection hang
> {code}
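The thread argues over one global client-side protocol/cipher setting versus a per-origin one. The following is an added illustration of the per-origin shape of that design, written for this page in Python on top of the standard `ssl` module; it is not ATS code and does not use ATS configuration names. The origin host names, the policy table and the cipher strings are assumptions made for the example. It also shows the check a practitioner would want on such a table: building each configured context at load time, so that an unusable cipher string is reported up front rather than surfacing as a failed origin connection.

```python
import ssl
from dataclasses import dataclass


# Assumed policy model (not ATS configuration): one global client policy plus
# optional per-origin overrides keyed by origin host name.
@dataclass(frozen=True)
class ClientTlsPolicy:
    min_version: ssl.TLSVersion
    max_version: ssl.TLSVersion
    ciphers: str  # OpenSSL cipher-list syntax


# Global default: modern versions and forward-secret AEAD suites only. This is
# what a single, global knob would impose on every origin.
DEFAULT_POLICY = ClientTlsPolicy(
    min_version=ssl.TLSVersion.TLSv1_2,
    max_version=ssl.TLSVersion.MAXIMUM_SUPPORTED,
    ciphers="ECDHE+AESGCM:ECDHE+CHACHA20",
)

# Override for one legacy origin (hypothetical host name). Only this origin
# gets the older floor, the TLS 1.2 ceiling and the broad cipher list; the
# floor falls back to TLS 1.2 on builds where OpenSSL has TLS 1.0 compiled out.
LEGACY_POLICY = ClientTlsPolicy(
    min_version=ssl.TLSVersion.TLSv1 if ssl.HAS_TLSv1 else ssl.TLSVersion.TLSv1_2,
    max_version=ssl.TLSVersion.TLSv1_2,
    ciphers="DEFAULT",
)

PER_ORIGIN_POLICY = {
    "legacy-origin.example": LEGACY_POLICY,  # assumed origin host
}


def policy_for(origin_host):
    """Per-origin override if one is configured, otherwise the global policy."""
    return PER_ORIGIN_POLICY.get(origin_host.lower(), DEFAULT_POLICY)


def build_client_context(origin_host, policies=None):
    """Build the client-side SSLContext the proxy would use for this origin."""
    table = PER_ORIGIN_POLICY if policies is None else policies
    policy = table.get(origin_host.lower(), DEFAULT_POLICY)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = policy.min_version
    ctx.maximum_version = policy.max_version
    # set_ciphers raises ssl.SSLError when nothing matches the string; that is
    # the failure you want at config load, not on the first origin connect.
    ctx.set_ciphers(policy.ciphers)
    return ctx


def validate_policies(policies):
    """Return the origin hosts whose configured policy cannot be applied."""
    bad = []
    for host in policies:
        try:
            build_client_context(host, policies)
        except (ssl.SSLError, ValueError):
            bad.append(host)
    return sorted(bad)


def version_range(ctx):
    """Protocol floor and ceiling of a context as names, e.g. ('TLSv1_2', 'MAXIMUM_SUPPORTED')."""
    return (ctx.minimum_version.name, ctx.maximum_version.name)


def cipher_names(ctx):
    """Cipher suite names the context would offer (TLS 1.3 suites included)."""
    return [c["name"] for c in ctx.get_ciphers()]


if __name__ == "__main__":
    for host in ("www.example", "legacy-origin.example"):
        ctx = build_client_context(host)
        print(host, version_range(ctx), len(cipher_names(ctx)), "suites")
    print("unusable overrides:", validate_policies(PER_ORIGIN_POLICY))
```

Nothing here answers the objection raised in the comment above, that you rarely know in advance which origins need the override; the table only makes the exception explicit and keeps it off every other origin.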