[ https://issues.apache.org/jira/browse/TS-3746?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14632627#comment-14632627 ]

ASF GitHub Bot commented on TS-3746:
------------------------------------

Github user ushachar commented on the pull request:

    https://github.com/apache/trafficserver/pull/254#issuecomment-122602663
  
    I'm with @jpeach on this one - allowing this to be configurable per transaction doesn't really make sense to me (it's not really like keep-alive -- once you do the validation and allow the connection, that's it - subsequent changes to the config won't have any meaning unless you're planning to implement a 'revalidation' API for existing connections).

    Why not just instruct the admin to add the specific server/CA cert to their trusted cert storage?
    That's far more secure than adding a hostname/IP based exception, and doesn't require any code change....


> We need to make proxy.config.ssl.client.verify.server overridable
> -----------------------------------------------------------------
>
>                 Key: TS-3746
>                 URL: https://issues.apache.org/jira/browse/TS-3746
>             Project: Traffic Server
>          Issue Type: New Feature
>          Components: Configuration
>            Reporter: Syeda Persia Aziz
>            Assignee: Dave Thompson
>              Labels: Yahoo
>             Fix For: sometime
>
>
> We need to make proxy.config.ssl.client.verify.server overridable. Some 
> origin servers need validation to avoid MITM attacks while others don't.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
