[ 
https://issues.apache.org/jira/browse/TS-3746?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14632624#comment-14632624
 ] 

ASF GitHub Bot commented on TS-3746:
------------------------------------

Github user shinrich commented on the pull request:

    https://github.com/apache/trafficserver/pull/254#issuecomment-122602193
  
    Ok, so we should not allow control of the proxy.config.ssl.client.verify.server feature in the plugin because the plugin (remap or otherwise) might do the wrong thing.
    
    So one alternative would be to add another entry to records.config e.g. proxy.config.ssl.client.verify.serverlist which is a list of domain names and/or IP addresses.  If set and if the origin's IP or requested SNI is in the list, the verify feature is enabled.
    
    Perhaps @dcarlin would weigh in on this since he requested this feature.


> We need to make proxy.config.ssl.client.verify.server overridable
> -----------------------------------------------------------------
>
>                 Key: TS-3746
>                 URL: https://issues.apache.org/jira/browse/TS-3746
>             Project: Traffic Server
>          Issue Type: New Feature
>          Components: Configuration
>            Reporter: Syeda Persia Aziz
>            Assignee: Dave Thompson
>              Labels: Yahoo
>             Fix For: sometime
>
>
> We need to make proxy.config.ssl.client.verify.server overridable. Some 
> origin servers need validation to avoid MITM attacks while others don't.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
