[
https://issues.apache.org/jira/browse/TS-3746?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14632653#comment-14632653
]
ASF GitHub Bot commented on TS-3746:
------------------------------------
Github user sudheerv commented on the pull request:
https://github.com/apache/trafficserver/pull/254#issuecomment-122609479
Agree with @ushachar -

Transaction and Session/connection are not interchangeable (at least, not
how I see it). Keep-Alive is a *transaction* level property (see more below),
whereas server validation is a *session* level property.

Keep-Alive is allowed to be overridden in ATS, as it is an *HTTP* level
property, which is defined/meant-to-be-used per transaction and the
corresponding status (via *Connection* HTTP header) exchanged even in every
transaction (consequently, it makes perfect sense to be associated per
transaction).

OTOH, server cert verification is not an *HTTP* level property; it is a TLS
layer property and is applied at a session/connection level and should (can)
not clearly be overridden per remap or even within a plugin per transaction.

I'm fine to let that override per origin connection, which obviously
requires maintaining separate sessions (verified vs non-verified) if server
session sharing is to be supported. To that extent, even if session sharing is
not supported to allow to let this feature be overridden per transaction, it
still can not be allowed to be overridden per transaction (otherwise, how's
that going to work with multiplexed transactions in a given session, if each
Txn (in the same session) wants something different)?

> We need to make proxy.config.ssl.client.verify.server overridable
> -----------------------------------------------------------------
>
> Key: TS-3746
> URL: https://issues.apache.org/jira/browse/TS-3746
> Project: Traffic Server
> Issue Type: New Feature
> Components: Configuration
> Reporter: Syeda Persia Aziz
> Assignee: Dave Thompson
> Labels: Yahoo
> Fix For: sometime
>
>
> We need to make proxy.config.ssl.client.verify.server overridable. Some
> origin servers need validation to avoid MITM attacks while others don't.
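
The session-level argument in the comment above, as an added C++ sketch that is not ATS code and not part of the original message: a hypothetical pool keeps verified and non-verified origin sessions in separate buckets, and a transaction may only join a session whose handshake-time verification matches what it asked for. `OriginSession`, `SessionPool`, `can_multiplex` and the origin name are assumed names for illustration.

```cpp
#include <iostream>
#include <map>
#include <string>
#include <utility>
#include <vector>

// Hypothetical model, not ATS code: a TLS origin session whose certificate
// verification outcome is fixed once, at handshake time.
struct OriginSession {
  int id;
  std::string origin;
  bool verified; // decided during the TLS handshake, immutable afterwards
};

class SessionPool {
  // Idle sessions are keyed by (origin, verify policy), so a transaction that
  // requires verification is never handed an unverified connection.
  std::map<std::pair<std::string, bool>, std::vector<OriginSession>> idle_;
  int next_id_ = 1;
  int handshakes_ = 0;

public:
  // Reuse an idle session with the same origin AND policy, else "handshake".
  OriginSession acquire(const std::string &origin, bool verify) {
    auto &bucket = idle_[{origin, verify}];
    if (!bucket.empty()) {
      OriginSession s = bucket.back();
      bucket.pop_back();
      return s;
    }
    ++handshakes_; // stands in for a new TLS handshake with the origin
    return OriginSession{next_id_++, origin, verify};
  }
  void release(const OriginSession &s) { idle_[{s.origin, s.verified}].push_back(s); }
  int handshakes() const { return handshakes_; }
};

// A multiplexed transaction can join a session only if its verify requirement
// matches what the handshake already did; it cannot change it after the fact.
bool can_multiplex(const OriginSession &s, bool txn_wants_verify) {
  return s.verified == txn_wants_verify;
}

int main() {
  SessionPool pool;
  OriginSession plain = pool.acquire("origin.example", false); // constructed origin name
  pool.release(plain);
  OriginSession strict = pool.acquire("origin.example", true); // must not reuse `plain`
  std::cout << "reused unverified session: " << (strict.id == plain.id) << "\n";
  return 0;
}
```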