[ https://issues.apache.org/jira/browse/TS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14218009#comment-14218009 ]
Alan M. Carroll commented on TS-3153:
-------------------------------------
The fundamental goal here is to be able to set the NPN set in an SSL NetVC
before it does the NPN negotiation. For the particular use case that drove this
bug it would be sufficient to filter the existing list, but I think we should
aim for the more general mechanism.
We already have the ssl_[un]register_protocol functions to manipulate the NPN
list; the problem is that these are done globally. What would be necessary for
this is to make an NPN set (internally SSLNextProtocolSet) a directly
accessible object. This would require at least the following operations:
* Create NPN set.
* Destroy NPN set.
* Register and unregister protocol in NPN set.
* Copy existing NPN set for a proxy port.
* Set the NPN set for an SSL NetVC.
Another hurdle I see is that proxy ports are also inaccessible. Even in the
current use case it is important for the plugin to be able to manipulate the
NPN set differently for different proxy ports.
I'm a bit miffed because this was a central theme of my Early Intervention
talk. I do think that if we're going to provide this kind of early intervention
we need to do a robust, general API or we'll be piling hack upon hack to do all
the things that will be desired.
> Ability to disable/modify protocols based on SNI information
> ------------------------------------------------------------
>
> Key: TS-3153
> URL: https://issues.apache.org/jira/browse/TS-3153
> Project: Traffic Server
> Issue Type: Improvement
> Components: HTTP/2, SPDY
> Reporter: Bryan Call
> Fix For: 5.2.0
>
> Attachments: TS-3153.diff
>
>
> We are running into problems where certain origin servers are having issues
> when SPDY is enabled. It would be great to have more control over when
> protocols are enabled.
> One way to do this would be to add protocol options to the entry in the
> ssl_multicert config. We would then add additional entries for domains that
> need to disable the protocols. All protocols should be enabled by default.
> need to disable the protocols. All protocols should be enabled by default.
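
The operations listed in the comment above, sketched as an added example that is not part of the original message and is not Traffic Server code: `NpnSet`, `npnForConnection` and the SNI policy table are hypothetical names, and the host name is constructed. Creation, destruction and copying are the class's constructor, destructor and copy constructor.

```cpp
#include <algorithm>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

// Hypothetical stand-in for a directly accessible NPN set (not Traffic Server's SSLNextProtocolSet).
class NpnSet {
  std::vector<std::string> protos_; // kept in preference order
public:
  bool registerProtocol(const std::string &p) {
    // Names are 1..255 bytes because the wire length is a single octet; duplicates are refused.
    if (p.empty() || p.size() > 255 || std::count(protos_.begin(), protos_.end(), p)) return false;
    protos_.push_back(p);
    return true;
  }
  bool unregisterProtocol(const std::string &p) {
    auto it = std::find(protos_.begin(), protos_.end(), p);
    if (it == protos_.end()) return false;
    protos_.erase(it);
    return true;
  }
  // Length-prefixed protocol list, the form NPN advertises on the wire.
  std::string wire() const {
    std::string out;
    for (const auto &p : protos_) { out.push_back(static_cast<char>(p.size())); out += p; }
    return out;
  }
};

// Constructed policy: SNI names whose origins must not be offered SPDY.
static const std::map<std::string, std::vector<std::string>> kDisabledBySni = {
  {"legacy.example.com", {"spdy/3.1", "spdy/3"}}};

// Copy the proxy port's set and filter only the copy that one connection will use.
NpnSet npnForConnection(const NpnSet &portSet, const std::string &sni) {
  NpnSet vcSet = portSet; // value copy: the port's own set is never modified
  auto it = kDisabledBySni.find(sni);
  if (it != kDisabledBySni.end())
    for (const auto &p : it->second) vcSet.unregisterProtocol(p);
  return vcSet;
}

int main() {
  NpnSet port;
  for (const char *p : {"spdy/3.1", "spdy/3", "http/1.1"}) port.registerProtocol(p);
  std::printf("%zu %zu\n", port.wire().size(), npnForConnection(port, "legacy.example.com").wire().size());
}
```

Because the filter acts on a copy, a connection for any other server name on the same port still advertises the full list, which is the per-connection behaviour a global register/unregister call cannot give.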