[jira] [Commented] (TS-3746) We need to make proxy.config.ssl.client.verify.server overridable
[ https://issues.apache.org/jira/browse/TS-3746?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14634264#comment-14634264 ]

ASF GitHub Bot commented on TS-3746:

Github user shinrich commented on the pull request:
https://github.com/apache/trafficserver/pull/254#issuecomment-123091079

Agreed with everyone's notion that the origin servers should just have good certs. And that is what we are working towards. However, we need a short term solution to at least do some checking. We will keep this change local, but since it is an interim solution to a situation ATS should not be promoting we will not try to push it back into the open source.

We need to make proxy.config.ssl.client.verify.server overridable

    Key: TS-3746
    URL: https://issues.apache.org/jira/browse/TS-3746
    Project: Traffic Server
    Issue Type: New Feature
    Components: Configuration
    Reporter: Syeda Persia Aziz
    Assignee: Dave Thompson
    Labels: Yahoo
    Fix For: sometime

We need to make proxy.config.ssl.client.verify.server overridable. Some origin servers need validation to avoid MITM attacks while others don't.

-- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Commented] (TS-3746) We need to make proxy.config.ssl.client.verify.server overridable
[ https://issues.apache.org/jira/browse/TS-3746?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14634265#comment-14634265 ]

ASF GitHub Bot commented on TS-3746:

Github user shinrich closed the pull request at:
https://github.com/apache/trafficserver/pull/254
[jira] [Commented] (TS-3746) We need to make proxy.config.ssl.client.verify.server overridable
[ https://issues.apache.org/jira/browse/TS-3746?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14632775#comment-14632775 ]

ASF GitHub Bot commented on TS-3746:

Github user zwoop commented on the pull request:
https://github.com/apache/trafficserver/pull/254#issuecomment-122645818

I have a few concerns with the code here actually. In general, we want more configurations overridable, including cache configurations and network configurations. I tried this once before, and it got -1'd for other reasons (cache clustering). What I'm asking for is, is there some better way we can convey the entire oride object back to other areas of the system, such as the network layers and cache layers? It wouldn't be particularly efficient to do many of these special cases going forward.

Also, there are some legitimate concerns here re: this being a generally good idea, or a fix for an organizational issue. I'll have to noodle on that a bit more (my gut tells me, if you want to enable cert verification for one set of servers, is it that much more work to do it for all servers?).

That much said, a few comments on the patch itself:

1) I think ssl_client_verify_server should be a MgmtByte, moved up to the section of those (to avoid padding), and of course use HttpEstablishStaticConfigByte() for loading.

2) I don't think this patch was run through clang-format, the indentation doesn't look right.

3) Similarly to 1), but on line 1062 in HttpSM, we introduce two empty lines, with 2 white spaces?
[jira] [Commented] (TS-3746) We need to make proxy.config.ssl.client.verify.server overridable
[ https://issues.apache.org/jira/browse/TS-3746?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14632430#comment-14632430 ]

ASF GitHub Bot commented on TS-3746:

GitHub user shinrich opened a pull request:
https://github.com/apache/trafficserver/pull/254

TS-3746: Make proxy.config.ssl.client.verify.server overridable

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/shinrich/trafficserver ts-3746-new

Alternatively you can review and apply these changes as the patch at:
https://github.com/apache/trafficserver/pull/254.patch

To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message:

    This closes #254

commit 5eac14db1397aec97ffeaf2186a295d3639bc010
Author: shinrich shinr...@yahoo-inc.com
Date: 2015-07-18T13:36:34Z

    TS-3746: Make proxy.config.ssl.client.verify.server overridable
[jira] [Commented] (TS-3746) We need to make proxy.config.ssl.client.verify.server overridable
[ https://issues.apache.org/jira/browse/TS-3746?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14632601#comment-14632601 ]

ASF GitHub Bot commented on TS-3746:

Github user jpeach commented on the pull request:
https://github.com/apache/trafficserver/pull/254#issuecomment-122596851

But what you are saying there is that the config *might* do what it says if you have aligned the stars appropriately. I don't think that's good enough. Configurations should work, all the time. Mostly working isn't a desirable state of affairs. Implementing per-origin configuration as per-request and then hoping for the best isn't a precedent that we should be setting.
[jira] [Commented] (TS-3746) We need to make proxy.config.ssl.client.verify.server overridable
[ https://issues.apache.org/jira/browse/TS-3746?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14632617#comment-14632617 ]

ASF GitHub Bot commented on TS-3746:

Github user sudheerv commented on the pull request:
https://github.com/apache/trafficserver/pull/254#issuecomment-122599209

+1 to @jpeach's point - SSL Hostname verification should be associated with an origin and not per remap/transaction.
[jira] [Commented] (TS-3746) We need to make proxy.config.ssl.client.verify.server overridable
[ https://issues.apache.org/jira/browse/TS-3746?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14632626#comment-14632626 ]

ASF GitHub Bot commented on TS-3746:

Github user SolidWallOfCode commented on the pull request:
https://github.com/apache/trafficserver/pull/254#issuecomment-122602554

Whether the verification is per origin is up to the administrator, via his configuration. The remap issue is a distraction, since the underlying issue is plugin control of the verification on a per transaction basis. There seems to be some confusion that this is specific to remap, which is not the case. It is only the Yahoo! use case that does this through remap.

I don't see how this argument doesn't apply to something like keep alive, since it is also overrideable and could be set inconsistently via remap configuration. Do you really want to rule out any such value that could potentially cause problems if set via remap?
[jira] [Commented] (TS-3746) We need to make proxy.config.ssl.client.verify.server overridable
[ https://issues.apache.org/jira/browse/TS-3746?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14632583#comment-14632583 ]

ASF GitHub Bot commented on TS-3746:

Github user shinrich commented on the pull request:
https://github.com/apache/trafficserver/pull/254#issuecomment-122588703

Yes, you could write a confusing policy via the remap rules. You could have remap rules for two different URLs on the same host with different override values. And as you indicate if session sharing is enabled, you could reuse a server connection that was verified which the matching remap rule indicated that it shouldn't have been (or vice versa).

That would be a fairly odd use case. Since this is a per-origin feature, one would think that you would set the override variables consistently across the origin. You could also write an arbitrary plugin to set the override variable however you like.

I'm open to suggestions for other configuration options to enable origin granularity when controlling the proxy.config.ssl.client.verify.server feature.
[jira] [Commented] (TS-3746) We need to make proxy.config.ssl.client.verify.server overridable
[ https://issues.apache.org/jira/browse/TS-3746?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14632602#comment-14632602 ]

James Peach commented on TS-3746:

Organizational issues are a great reason to carry around an internal patch.
[jira] [Commented] (TS-3746) We need to make proxy.config.ssl.client.verify.server overridable
[ https://issues.apache.org/jira/browse/TS-3746?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14632624#comment-14632624 ]

ASF GitHub Bot commented on TS-3746:

Github user shinrich commented on the pull request:
https://github.com/apache/trafficserver/pull/254#issuecomment-122602193

Ok, so we should not allow control of the proxy.config.ssl.client.verify.server feature in the plugin because the plugin (remap or otherwise) might do the wrong thing.

So one alternative would be to add another entry to records.config, e.g. proxy.config.ssl.client.verify.serverlist, which is a list of domain names and/or IP addresses. If set and if the origin's IP or requested SNI is in the list, the verify feature is enabled.

Perhaps @dcarlin would weigh in on this since he requested this feature.
[jira] [Commented] (TS-3746) We need to make proxy.config.ssl.client.verify.server overridable
[ https://issues.apache.org/jira/browse/TS-3746?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14632627#comment-14632627 ]

ASF GitHub Bot commented on TS-3746:

Github user ushachar commented on the pull request:
https://github.com/apache/trafficserver/pull/254#issuecomment-122602663

I'm with @jpeach on this one - allowing this to be configurable per transaction doesn't really make sense to me (it's not really like keep-alive -- once you do the validation and allow the connection, that's it - subsequent changes to the config won't have any meaning unless you're planning to implement a 'revalidation' API for existing connections).

Why not just instruct the admin to add the specific server/CA cert to their trusted cert storage? That's far more secure than adding a hostname/IP based exception, and doesn't require any code change.
[jira] [Commented] (TS-3746) We need to make proxy.config.ssl.client.verify.server overridable
[ https://issues.apache.org/jira/browse/TS-3746?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14632653#comment-14632653 ]

ASF GitHub Bot commented on TS-3746:

Github user sudheerv commented on the pull request:
https://github.com/apache/trafficserver/pull/254#issuecomment-122609479

Agree with @ushachar - Transaction and Session/connection are not interchangeable (at least, not how I see it). Keep-Alive is a *transaction* level property (see more below), whereas, server validation is a *session* level property.

Keep-Alive is allowed to be overridden in ATS, as it is a *HTTP* level property, which is defined/meant-to-be-used per transaction and the corresponding status (via *Connection* HTTP header) exchanged even in every transaction (consequently, it makes perfect sense to be associated per transaction).

OTOH, server cert verification is not a *HTTP* level property, it is a TLS layer property and is applied at a session/connection level and should (can) not clearly be overridden per remap or even within a plugin per transaction. I'm fine to let that override per origin connection, which obviously requires maintaining separate sessions (verified vs non-verified) if server session sharing is to be supported. To that extent, even if session sharing is not supported to allow to let this feature be overridden per transaction, it still can not be allowed to be overridden per transaction (otherwise, how's that going to work with multiplexed transactions in a given session, if each Txn (in the same session) wants something different)?
[jira] [Commented] (TS-3746) We need to make proxy.config.ssl.client.verify.server overridable
[ https://issues.apache.org/jira/browse/TS-3746?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14625119#comment-14625119 ]

James Peach commented on TS-3746:

Right, so if this transaction requires a verified TLS session, then you have to put back the session that was not verified and get a new one. When getting a new one you need to somehow communicate to the session manager that you need a verified session.

I assume that if the transaction does not require a verified TLS, it is ok if it does actually get one? Note that this would prevent certain kinds of debugging, so the answer is not completely obvious to me.
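The session-sharing problem raised in the comments above, as an added example that is not part of the thread and is not Apache Traffic Server code. It is a toy pool (SessionPool, acquire_naive, acquire and the origin name are hypothetical) showing how origin-only matching hands an unverified session to a transaction that asked for verification, and how matching on the handshake-time verification state avoids it. Letting a transaction that does not require verification reuse a verified session is the assumption raised in the comment above.

```cpp
// Added example: toy origin-session pool, not Apache Traffic Server code.
#include <map>
#include <string>
#include <vector>

struct Session {
  int id;
  std::string origin;
  bool cert_verified; // decided once, at TLS handshake time
};

class SessionPool {
public:
  // Hypothetical handshake: the certificate is checked (or not) exactly once.
  Session connect(const std::string &origin, bool verify) {
    return Session{next_id_++, origin, verify};
  }

  void release(const Session &s) { idle_[s.origin].push_back(s); }

  // Naive sharing: match on origin only, ignoring how the session was set up.
  Session acquire_naive(const std::string &origin, bool want_verified) {
    std::vector<Session> &bucket = idle_[origin];
    if (!bucket.empty()) {
      Session s = bucket.back();
      bucket.pop_back();
      return s;
    }
    return connect(origin, want_verified);
  }

  // Verification-aware sharing: a transaction that requires verification only
  // reuses sessions whose handshake verified the certificate; unsuitable
  // sessions stay in the pool and a new connection is opened instead.
  Session acquire(const std::string &origin, bool want_verified) {
    std::vector<Session> &bucket = idle_[origin];
    for (auto it = bucket.begin(); it != bucket.end(); ++it) {
      if (!want_verified || it->cert_verified) {
        Session s = *it;
        bucket.erase(it);
        return s;
      }
    }
    return connect(origin, want_verified);
  }

private:
  int next_id_ = 1;
  std::map<std::string, std::vector<Session>> idle_;
};

// Constructed scenario: two rules for one origin with conflicting verify
// values. Transaction A (verify off) opens and releases a session, then
// transaction B (verify on) asks the pool for one.
// Returns true if B ends up on a session whose certificate was never verified.
bool runs_on_unverified(bool naive) {
  SessionPool pool;
  const std::string origin = "origin.example:443"; // constructed name
  Session a = naive ? pool.acquire_naive(origin, false)
                    : pool.acquire(origin, false);
  pool.release(a);
  Session b = naive ? pool.acquire_naive(origin, true)
                    : pool.acquire(origin, true);
  return !b.cert_verified;
}

int main() {
  // Naive pool exposes B to an unverified session; the aware pool does not.
  return (runs_on_unverified(true) && !runs_on_unverified(false)) ? 0 : 1;
}
```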
[jira] [Commented] (TS-3746) We need to make proxy.config.ssl.client.verify.server overridable
[ https://issues.apache.org/jira/browse/TS-3746?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14625047#comment-14625047 ]

Susan Hinrichs commented on TS-3746:

By the time you are taking an already existing session out of the pool, the certificate has been verified (or not). I guess you could set up remap rules for the same domain that resolve to the same origin server domain with conflicting values for the verify. So whether the origin server certificate is verified depends which remap rule initiated the connection. But if the user is really concerned about only verifying certs for one set of domains vs another, I wouldn't think he would write such a conflicting set of remap rules.

Agreed just a list of origins would be more straightforward in some sense, but since so much already hangs on the remap rules that is kind of the obvious place for it in the minds of many current ATS deployers.

[~persiaAziz] and [~davet] are testing a version using the override config approach. Should have a PR for review soon.
[jira] [Commented] (TS-3746) We need to make proxy.config.ssl.client.verify.server overridable
[ https://issues.apache.org/jira/browse/TS-3746?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14623620#comment-14623620 ]

James Peach commented on TS-3746:

This seems like a fraught endeavour since it implies that transactions need additional criteria when taking sessions out of the session pool. Per origin makes much more sense, but the configuration for that is not obvious.
[jira] [Commented] (TS-3746) We need to make proxy.config.ssl.client.verify.server overridable
[ https://issues.apache.org/jira/browse/TS-3746?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14622738#comment-14622738 ]

Syeda Persia Aziz commented on TS-3746:

Yes, per transaction
[jira] [Commented] (TS-3746) We need to make proxy.config.ssl.client.verify.server overridable
[ https://issues.apache.org/jira/browse/TS-3746?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14622785#comment-14622785 ]

Susan Hinrichs commented on TS-3746:

Are you asking why you don't just verify all certificates from all origins? That is what I would prefer from a security perspective. But from an organizational perspective, not everyone is ready to bet connectivity that all the verifying certs are distributed appropriately.

Actually the override can be set from within a transaction, since this is the connection from ATS to the origin server which would only happen within the context of a transaction.
[jira] [Commented] (TS-3746) We need to make proxy.config.ssl.client.verify.server overridable
[ https://issues.apache.org/jira/browse/TS-3746?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14619430#comment-14619430 ]

Leif Hedstrom commented on TS-3746:

This is probably not as easy as it sounds, it's not an HttpSM configuration. I'd probably suggest that if you go through the headaches of setting up CAs and trust etc. such that you can enable this, why not just do it for everything?
[jira] [Commented] (TS-3746) We need to make proxy.config.ssl.client.verify.server overridable
[ https://issues.apache.org/jira/browse/TS-3746?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=14619406#comment-14619406 ]

James Peach commented on TS-3746:

Overrideable in what sense? Per transaction?