rob05c opened a new issue #8192: URL: https://github.com/apache/trafficserver/issues/8192
Starting ATS with a malformed `sni.yaml` in ATS 9.1 results in:

```
[Jul 30 19:24:30.069] traffic_server ERROR: <SSLSNIConfig.cc:172 (Initialize)> /opt/trafficserver/etc/trafficserver/sni.yaml failed to load: 1 [1]: yaml-cpp: error at line 1889, column 25: unknown value "STRICT"
```

But ATS still starts, just without loading or applying anything in `sni.yaml`.

This can be a security issue. If a user has records.config configured to allow everything, and uses `sni.yaml` to block or allow each FQDN, this will result in everything being allowed. And a user could easily miss the above log message.

It sounds like we probably want ATS to load anyway if `sni.yaml` doesn't exist. But if it exists and is malformed, either with invalid YAML or with data errors (such as bad enums, as above), I think ATS should fail to start, for security.
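The startup behaviour requested in this issue, sketched as an added example (not Apache Traffic Server code): a missing policy file lets startup continue, while a file that exists but is unreadable or carries an unknown enum value blocks it. The key name `policy`, its value set, and the simplified `key: value` line parsing (in place of yaml-cpp) are assumptions made for illustration.

```cpp
// Added example, not Apache Traffic Server code. The key name and value set
// are hypothetical stand-ins for an enum-valued sni.yaml setting.
#include <cerrno>
#include <fstream>
#include <set>
#include <sstream>
#include <string>
#include <unistd.h>

enum class LoadResult { Absent, Loaded, Malformed };

// Hypothetical enum-valued key and its accepted values (assumption).
static const std::string kPolicyKey = "policy";
static const std::set<std::string> kPolicyValues = {"ALLOW", "DENY"};

// Validate simplified "key: value" lines; a real loader would use a YAML parser.
LoadResult validate_policy(std::istream &in, std::string &err) {
  std::string line;
  for (int n = 1; std::getline(in, line); ++n) {
    auto first = line.find_first_not_of(" \t-");
    if (first == std::string::npos || line[first] == '#') continue; // blank, "---" or comment
    auto colon = line.find(':', first);
    if (colon == std::string::npos) {
      err = "line " + std::to_string(n) + ": expected key: value";
      return LoadResult::Malformed;
    }
    std::string key = line.substr(first, colon - first);
    auto vstart = line.find_first_not_of(" \t", colon + 1);
    std::string value = vstart == std::string::npos ? "" : line.substr(vstart);
    value.erase(value.find_last_not_of(" \t\r") + 1); // trim trailing whitespace
    if (key == kPolicyKey && !kPolicyValues.count(value)) {
      err = "line " + std::to_string(n) + ": unknown value \"" + value + "\"";
      return LoadResult::Malformed;
    }
  }
  return LoadResult::Loaded;
}

// Only ENOENT counts as "absent"; a file that exists but cannot be read fails closed.
LoadResult load_policy_file(const std::string &path, std::string &err) {
  if (::access(path.c_str(), F_OK) != 0 && errno == ENOENT) return LoadResult::Absent;
  std::ifstream f(path);
  if (!f.is_open()) { err = "exists but cannot be read"; return LoadResult::Malformed; }
  return validate_policy(f, err);
}

// Fail closed: only a missing or fully valid file lets startup continue.
bool may_start(LoadResult r) { return r != LoadResult::Malformed; }
```

A caller would log `err` and exit non-zero when `may_start` returns false, so a policy file that failed validation is never silently replaced by the permissive defaults.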
