shukitchan commented on issue #9167: URL: https://github.com/apache/trafficserver/issues/9167#issuecomment-1309562875
After some thought, here are my notes:

1) To support the TLS user agent hooks, I need to add support in the Lua plugin for these hooks: https://docs.trafficserver.apache.org/en/latest/developer-guide/plugins/hooks-and-transactions/ssl-hooks.en.html

2) Inside the Lua handler function, you can do the following:
   a) retrieve the SSL object
   b) set a connection to blind tunnel
   c) search for an SSL context based on name or address

3) Now with the SSL object you get to do whatever you like with a Lua binding library. I am thinking of luaossl (http://25thandclement.com/~william/projects/luaossl.html). So with that, hopefully you can retrieve a certificate from redis (through another Lua binding, e.g. https://github.com/shukitchan/ats_lua_scripts/blob/master/connect_redis.lua) and update the SSL object with the new certificate.

4) Now I think this will probably not work perfectly without OpenSSL (e.g. BoringSSL). And so the Lua plugin will have to disable support for these hooks/functions in that case.

5) Alternatively, if you have a redis with the cert, you can have a script to re-generate ssl_multicert.config and reload ATS. There are of course pros and cons with that. It really depends on your use case.

6) I am not too sure how to control options like setting the certification level or CA cert for the mTLS client certificate. I don't think there is an ATS API for that. Thus the plugin would not be able to support it. My understanding is that sni.yaml is flexible enough to support such common use cases. And again you can have a script to re-generate sni.yaml with your changes and reload ATS to make these changes effective.
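Option 5 (regenerate the configs from the cert store and reload ATS), as an added Python example that is not the commenter's or the project's code; it assumes the records have already been fetched from redis and that cert/key paths are relative to the ATS certificate directory. It also adds the check a practitioner would want before the reload: every referenced cert/key file must be readable, so a stale store record cannot push a config that breaks TLS.

```python
import os
import subprocess

# Constructed sample records, standing in for a lookup against the cert store (e.g. redis).
SAMPLE_RECORDS = [
    {"fqdn": "www.example.com", "cert": "www.pem", "key": "www.key"},
    {"fqdn": "api.example.com", "cert": "api.pem", "key": "api.key",
     "verify_client": "STRICT"},
]

def render_ssl_multicert(records):
    """Lines for ssl_multicert.config; ATS selects the entry by SNI / certificate name."""
    return ["dest_ip=* ssl_cert_name=%s ssl_key_name=%s" % (r["cert"], r["key"]) for r in records]

def render_sni_yaml(records):
    """sni.yaml text carrying the per-host client-cert policy (NONE, MODERATE or STRICT)."""
    out = ["sni:"]
    for r in records:
        if "verify_client" in r:
            out.append("- fqdn: %s" % r["fqdn"])
            out.append("  verify_client: %s" % r["verify_client"])
    return "\n".join(out) + "\n"

def missing_files(records, cert_dir):
    """Cert/key paths named by the records that are not readable; reload only if this is empty."""
    missing = []
    for r in records:
        for k in ("cert", "key"):
            p = os.path.join(cert_dir, r[k])
            if not os.access(p, os.R_OK):
                missing.append(p)
    return missing

def write_atomically(path, text):
    """Write to a temp file and rename, so ATS never reads a half-written config."""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        f.write(text)
    os.replace(tmp, path)

def regenerate_and_reload(records, config_dir, cert_dir, reload_cmd=("traffic_ctl", "config", "reload")):
    """Refuse to touch the live configs when any referenced cert/key is unreadable."""
    bad = missing_files(records, cert_dir)
    if bad:
        return False, bad
    multicert = "\n".join(render_ssl_multicert(records)) + "\n"
    write_atomically(os.path.join(config_dir, "ssl_multicert.config"), multicert)
    write_atomically(os.path.join(config_dir, "sni.yaml"), render_sni_yaml(records))
    subprocess.check_call(list(reload_cmd))  # real ATS reload command
    return True, []
```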
