[jira] [Commented] (TS-3153) Ability to disable/modify protocols based on SNI information

Mon, 22 Dec 2014 10:14:06 -0800 

    [ 
https://issues.apache.org/jira/browse/TS-3153?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14255991#comment-14255991
 ] 

Sudheer Vinukonda commented on TS-3153:
---------------------------------------

Discussed with [~amc] and he suggested the following solution:

1. Add a pointer to SessionAccept object <session_accept> in SSLNetVConnection 
(in addition to the existing SSLNextProtocolSet pointer <npnSet>)

2. In SSLNextProtocolAccept::mainEvent, set the SessionAccept object pointer in 
SSLNetVConnection to the SSLNextProtocolSessionAccept object on 
NET_EVENT_ACCEPT.

With the above framework, a user plugin should be able to do the below:

1. Create a bunch of SSLNextProtocolSet (npnSet) objects for each configured 
SNI for all the acceptor objects (based on the available list of acceptor 
objects, SLL<SSLNextProtocolAccept> ssl_plugin_acceptors). This step also makes 
sure the created npnSet objects are validated against each the registered 
protocol list for each acceptor.

2. When a SNI call back happens, the plugin uses the SNI and the 
netvc->session_accept to locate a custom npnSet. If a npnSet is available, it 
updates the netvc->npnSet, otherwise just does nothing.

> Ability to disable/modify protocols based on SNI information
> ------------------------------------------------------------
>
>                 Key: TS-3153
>                 URL: https://issues.apache.org/jira/browse/TS-3153
>             Project: Traffic Server
>          Issue Type: Improvement
>          Components: HTTP/2, SPDY
>            Reporter: Bryan Call
>            Assignee: Sudheer Vinukonda
>             Fix For: 5.3.0
>
>         Attachments: TS-3153.diff
>
>
> We are running into problems where certain origin servers are having issues 
> when SPDY is enabled.  It would be great to have more control over when 
> protocols are enabled.
> One way to do this would be to add a protocol options to the entry in the 
> ssl_multicert config.  We wound then add additional entries for domains that 
> need to disable the protocols.  All protocols should be enabled by default.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to