Leif Hedstrom created TS-3598:
---------------------------------
Summary: Should we add an option to refuse non-SNI negotiated TLS
connections
Key: TS-3598
URL: https://issues.apache.org/jira/browse/TS-3598
Project: Traffic Server
Issue Type: Improvement
Components: SSL
Reporter: Leif Hedstrom
I'm not 100% certain how this interoperates with all the various SSL and TLS
versions, but we might want to consider adding an option to refuse non-SNI
handshakes completely.
The rationale is this:
If we have multiple sites, as configured in ssl_multicert.config, but the box
does not have unique IPs for each such cert, then the current behavior is
undesirable (maybe even insecure?). E.g. the setup would be
{code}
dest_ip=* ssl_cert_name=cert1.crt ssl_key_name=key1.key
dest_ip=* ssl_cert_name=cert2.crt ssl_key_name=key2.key
dest_ip=* ssl_cert_name=cert3.crt ssl_key_name=key2.key
{code}
In the case of a non-SNI connection, the first certificate will now always be
presented. This is likely not to be "secure", in that browsers will either
reject or give nasty errors / warnings about the wrong CN in the certificate.
In this case, having an option to say "refuse non-SNI handshakes" might be more
desirable.