[ 
https://issues.apache.org/jira/browse/TS-3598?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14542100#comment-14542100
 ] 

James Peach commented on TS-3598:
---------------------------------

In the configuration above, if you don't want a cert to be served in the 
absence of an SNI name, then you should not be setting it as the default (by 
using ``dest_ip=*``).

> Should we add an option to refuse non-SNI negotiated TLS connections
> --------------------------------------------------------------------
>
>                 Key: TS-3598
>                 URL: https://issues.apache.org/jira/browse/TS-3598
>             Project: Traffic Server
>          Issue Type: Improvement
>          Components: SSL
>            Reporter: Leif Hedstrom
>
> I'm not 100% certain how this interoperates with all the various SSL and TLS 
> versions, but, we might want to consider adding an option to refuse non-SNI 
> handshakes completely.
> The rationale is this:
> If we have multiple sites, as configured in ssl_multicert.config, but the box 
> does not have unique IPs for each such cert, then the current behavior is 
> undesirable (maybe even insecure?). E.g. the setup would be
> {code}
> dest_ip=* ssl_cert_name=cert1.crt ssl_key_name=key1.key
> dest_ip=* ssl_cert_name=cert2.crt ssl_key_name=key2.key
> dest_ip=* ssl_cert_name=cert3.crt ssl_key_name=key2.key
> {code}
> In the case of a non-SNI connection, the first certificate will now always be 
> presented. This is likely not to be "secure", in that the browser will either 
> reject or give nasty errors / warnings about the wrong CN in the certificate.
> In this case, having an option to say "refuse non-SNI handshakes" might be 
> more desirable.



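Added example, not part of the original issue or of the Traffic Server code base: a small Python audit of `ssl_multicert.config` text that reports which certificate is the non-SNI default (the first `dest_ip=*` entry, as the issue describes) and which entries are not marked as default at all. The function names, the simplified `key=value` parsing, and the second sample config are assumptions made for illustration.

```python
# Added example: audit ssl_multicert.config text for non-SNI fallback certs.
# Assumption: whitespace-separated key=value pairs, '#' starts a comment.

def parse_multicert(text):
    """Return one dict of key=value fields per non-comment config line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        entries.append(dict(t.split("=", 1) for t in line.split() if "=" in t))
    return entries


def audit_non_sni(text):
    """Classify entries by whether a client without SNI can be served them."""
    report = {"default": None, "extra_wildcards": [], "ip_bound": [], "sni_only": []}
    for entry in parse_multicert(text):
        cert = entry.get("ssl_cert_name", "<no ssl_cert_name>")
        dest = entry.get("dest_ip")
        if dest == "*":
            # Per the issue text, the first dest_ip=* entry is what gets presented.
            if report["default"] is None:
                report["default"] = cert
            else:
                report["extra_wildcards"].append(cert)
        elif dest:
            report["ip_bound"].append((dest, cert))
        else:
            # Not marked as default: reachable by certificate name (SNI) only.
            report["sni_only"].append(cert)
    return report


# The setup quoted in the issue.
ISSUE_CONFIG = """\
dest_ip=* ssl_cert_name=cert1.crt ssl_key_name=key1.key
dest_ip=* ssl_cert_name=cert2.crt ssl_key_name=key2.key
dest_ip=* ssl_cert_name=cert3.crt ssl_key_name=key2.key
"""

# Constructed sample following the comment's advice: no dest_ip=* entry.
NO_DEFAULT_CONFIG = """\
ssl_cert_name=cert1.crt ssl_key_name=key1.key  # constructed sample
ssl_cert_name=cert2.crt ssl_key_name=key2.key
"""

if __name__ == "__main__":
    for name, cfg in (("issue", ISSUE_CONFIG), ("no default", NO_DEFAULT_CONFIG)):
        print(name, audit_non_sni(cfg))
```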