[ https://issues.apache.org/jira/browse/TS-3518?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Thomas Jackson updated TS-3518:
-------------------------------
    Description: 
In ssl_multicert you can specify multiple ssl_cert_name and ssl_key_name, such 
as:

{code}
dest_ip=127.0.0.2 ssl_cert_name=www.example.com.cert,www.example.com.ecdsa.cert ssl_key_name=www.example.com.key,www.example.com.ecdsa.key
{code}

Sometimes you need to specify an intermediate CA (a lot of the time TBH), which 
from the docs sounds like you should be able to do:

{code}
dest_ip=127.0.0.2 ssl_cert_name=www.example.com.cert,www.example.com.ecdsa.cert ssl_key_name=www.example.com.key,www.example.com.ecdsa.key ssl_ca_name=RSA_intermediate,ECDSA_intermediate
{code}

Since you can specify ssl_ca_name for single certs, similar to cert_name and 
key_name, but this currently doesn't work. In addition to not working for ECDSA 
this seems to actually break *all* intermediate CAs from being served. I've 
created a test case (https://github.com/apache/trafficserver/pull/186) which 
shows the issue.

  was:
In ssl_multicert you can specify multiple ssl_cert_name and ssl_key_name, such 
as:

{code}
dest_ip=127.0.0.2 ssl_cert_name=www.example.com.cert,www.example.com.ecdsa.cert ssl_key_name=www.example.com.key,www.example.com.ecdsa.key
{code}

Sometimes you need to specify an intermediate CA (a lot of the time TBH), which 
from the docs sounds like you should be able to do:

{code}
dest_ip=127.0.0.2 ssl_cert_name=www.example.com.cert,www.example.com.ecdsa.cert ssl_key_name=www.example.com.key,www.example.com.ecdsa.key ssl_ca_name=RSA_intermediate,ECDSA,intermediate
{code}

Since you can specify ssl_ca_name for single certs, similar to cert_name and 
key_name, but this currently doesn't work. In addition to not working for ECDSA 
this seems to actually break *all* intermediate CAs from being served. I've 
created a test case (https://github.com/apache/trafficserver/pull/186) which 
shows the issue.


> Multiple ssl_ca_name's in ssl_multicert breaks all intermediate CAs
> -------------------------------------------------------------------
>
>                 Key: TS-3518
>                 URL: https://issues.apache.org/jira/browse/TS-3518
>             Project: Traffic Server
>          Issue Type: Bug
>            Reporter: Thomas Jackson
>            Assignee: Brian Geffon
>
> In ssl_multicert you can specify multiple ssl_cert_name and ssl_key_name, 
> such as:
> {code}
> dest_ip=127.0.0.2 ssl_cert_name=www.example.com.cert,www.example.com.ecdsa.cert ssl_key_name=www.example.com.key,www.example.com.ecdsa.key
> {code}
> Sometimes you need to specify an intermediate CA (a lot of the time TBH), 
> which from the docs sounds like you should be able to do:
> {code}
> dest_ip=127.0.0.2 ssl_cert_name=www.example.com.cert,www.example.com.ecdsa.cert ssl_key_name=www.example.com.key,www.example.com.ecdsa.key ssl_ca_name=RSA_intermediate,ECDSA_intermediate
> {code}
> Since you can specify ssl_ca_name for single certs, similar to cert_name and 
> key_name, but this currently doesn't work. In addition to not working for 
> ECDSA this seems to actually break *all* intermediate CAs from being served. 
> I've created a test case (https://github.com/apache/trafficserver/pull/186) 
> which shows the issue.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
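
A lint check for the configuration pattern this report describes, added here as an example; it is not part of the issue or of Traffic Server's code. It assumes whitespace-separated key=value entries with no quoting, and the function names and sample lines are constructed for illustration.

```python
# Added example: flag ssl_multicert entries that match the TS-3518 report.
LIST_KEYS = ("ssl_cert_name", "ssl_key_name", "ssl_ca_name")

def parse_entry(line):
    """Split one entry into {key: value} (assumption: no quoted values)."""
    entry = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"token without '=': {token!r}")
        entry[key] = value
    return entry

def lint_entry(line):
    """Return findings for one entry; an empty list means nothing to report."""
    entry = parse_entry(line)
    count = {k: len([v for v in entry.get(k, "").split(",") if v])
             for k in LIST_KEYS}
    n_cert, n_ca = count["ssl_cert_name"], count["ssl_ca_name"]
    findings = []
    # A stray comma (as in the earlier revision of the description) shows up
    # as a list that is longer or shorter than the certificate list.
    for key in ("ssl_key_name", "ssl_ca_name"):
        if count[key] and count[key] != n_cert:
            findings.append(f"count-mismatch: {key} has {count[key]} "
                            f"names for {n_cert} certificates")
    # The report says multiple ssl_ca_name values stop every intermediate
    # from being served, so the served chain needs checking by hand.
    if n_ca > 1:
        findings.append("multi-ca: multiple ssl_ca_name values (TS-3518)")
    return findings

def lint_config(text):
    """Map 1-based line number -> findings, skipping blanks and comments."""
    results = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith("#") and (found := lint_entry(line)):
            results[lineno] = found
    return results

CERTS = ("ssl_cert_name=www.example.com.cert,www.example.com.ecdsa.cert "
         "ssl_key_name=www.example.com.key,www.example.com.ecdsa.key")
SAMPLE = "\n".join([  # constructed sample configuration
    "# constructed sample",
    "dest_ip=127.0.0.1 ssl_cert_name=a.cert ssl_ca_name=RSA_intermediate",
    f"dest_ip=127.0.0.2 {CERTS} ssl_ca_name=RSA_intermediate,ECDSA_intermediate",
    f"dest_ip=127.0.0.3 {CERTS} ssl_ca_name=RSA_intermediate,ECDSA,intermediate",
])

if __name__ == "__main__":
    for lineno, found in lint_config(SAMPLE).items():
        print(lineno, found)
```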
