[ https://issues.apache.org/jira/browse/TS-2956?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14094577#comment-14094577 ]
Susan Hinrichs commented on TS-2956:
------------------------------------
The tunnel decision feature is added to the core logic as well. An Action
argument is added to the ssl_multicert.config file. If this action is set to
"tunnel", the tunnels that match that line will be blind tunneled. With this
improvement, only destinations specified by IP address can be specified to be
blind tunneled. See the upcoming JIRA feature to address SNI extensions that would
enable a blind tunnel decision after we know the server name.

I also created an example plugin (ssl-preaccept) that compares the client
address against a list of IP ranges. If the client address matches the range,
the connection is blind tunneled. Otherwise, it is proxied. This exercises
the new ssl_pre_handshake hook.
> Add ssl_pre_handshake hook for better plugin access to SSL handling and allow
> for combination of blind tunnel and tunnel proxying
> ---------------------------------------------------------------------------------------------------------------------------------
>
> Key: TS-2956
> URL: https://issues.apache.org/jira/browse/TS-2956
> Project: Traffic Server
> Issue Type: Improvement
> Components: Core, Plugins, SSL
> Reporter: Susan Hinrichs
> Assignee: Susan Hinrichs
> Priority: Minor
> Fix For: 5.2.0
>
>
> Organizations that want to do more extensive SSL processing than is allowed
> by the core should be able to write a plugin. To support such plugins, the
> core needs to allow for the plugin to gain access after the TCP connection
> has completed but before the SSL Accept has completed.
> One feature that a plugin may want to implement is the ability to determine
> that some SSL connections should be fully proxied and others should be blind
> tunneled. To date, this is a global decision. Either all tunnels are
> proxied by ATS or all are blind tunneled.
> Probably should have been two issues, but the implementations are intertwined.
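
Added example, not taken from the ssl-preaccept plugin or the ATS source: a standalone C sketch of the decision described in the comment above, where a client address is checked against a list of IP ranges and the connection is either blind tunneled or proxied. The type and function names, the sample ranges, and the choice to proxy when the address cannot be parsed are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical names; a real plugin would act on this result in its hook handler. */
enum tls_action { ACT_PROXY = 0, ACT_BLIND_TUNNEL = 1 };

/* Inclusive range, 16 bytes each in network order. IPv4 is stored in
 * IPv4-mapped form (::ffff:a.b.c.d) so one memcmp covers both families. */
struct ip_range { uint8_t lo[16], hi[16]; };

/* Parse textual IPv4 or IPv6 into the 16-byte form. Returns 0 on success. */
static int parse_addr(const char *text, uint8_t out[16])
{
    struct in_addr v4;
    if (inet_pton(AF_INET, text, &v4) == 1) {
        memset(out, 0, 10);
        out[10] = out[11] = 0xff;
        memcpy(out + 12, &v4, 4);
        return 0;
    }
    return inet_pton(AF_INET6, text, out) == 1 ? 0 : -1;
}

/* Build a range; rejects unparseable bounds and inverted ranges. */
int range_init(struct ip_range *r, const char *lo, const char *hi)
{
    if (parse_addr(lo, r->lo) != 0 || parse_addr(hi, r->hi) != 0)
        return -1;
    return memcmp(r->lo, r->hi, 16) <= 0 ? 0 : -1;
}

/* Blind tunnel only on a positive match; anything else, including an
 * address that does not parse, is proxied (assumed default). */
enum tls_action decide(const struct ip_range *ranges, size_t n, const char *client)
{
    uint8_t a[16];
    if (parse_addr(client, a) != 0)
        return ACT_PROXY;
    for (size_t i = 0; i < n; i++)
        if (memcmp(a, ranges[i].lo, 16) >= 0 && memcmp(a, ranges[i].hi, 16) <= 0)
            return ACT_BLIND_TUNNEL;
    return ACT_PROXY;
}

/* Constructed sample policy: one IPv4 range and one IPv6 range. */
enum tls_action decide_sample(const char *client)
{
    struct ip_range r[2];
    if (range_init(&r[0], "10.1.0.0", "10.1.255.255") != 0 ||
        range_init(&r[1], "2001:db8::", "2001:db8::ffff") != 0)
        return ACT_PROXY;
    return decide(r, 2, client);
}
```

Normalizing to the mapped form means a client seen as ::ffff:10.1.2.3 on a dual-stack listener gets the same decision as 10.1.2.3, so the tunnel list cannot be sidestepped or missed depending on address family.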