On 28.09.2014 at 19:29, Jason Strongman wrote:
> bah.. it totally went over my head you can define multiple certificates to
> the 'ssl_cert_name' param.
>
> ssl_cert_name=FILENAME[,FILENAME ...]

for what reason? you just tell ATS a list of certificates and based on the
SNI header and the CN they are presented to the client

> On Sun, Sep 28, 2014 at 12:24 PM, Reindl Harald <[email protected]> wrote:
>
> > On 28.09.2014 at 19:15, Jason Strongman wrote:
> > > When you say 'incoming' request, do you mean
> > >
> > > 1. client to ATS ?
> > > or
> > > 2. ATS to origin ?
> > >
> > > Based on my understanding of the multiple certificate documentation, to
> > > support this configuration, ATS requires multiple IPs.
> > > Also based on my understanding, ATS does not support serving multiple
> > > certificates if the TLS/SSL service only listens on one socket.
> >
> > no - the reason for SNI is to provide a hostname from the
> > client and ATS is choosing the correct certificate based
> > on that SNI name as well httpd does
> >
> > if you would need different IP's / sockets SNI would be pointless
> > the reason for SNI is that you need only one IP for multiple SSL sites
> >
> > hence MSIE on WinXP is not supported
> >
> > [root@testserver:~]$ cat /etc/trafficserver/ssl_multicert.config
> > ssl_cert_name=afi.testserver.rhsoft.net.pem
> > ssl_cert_name=contentlounge.testserver.rhsoft.net.pem
> > ssl_cert_name=mailadmin.testserver.rhsoft.net.pem
> > ssl_cert_name=rhsoft.testserver.rhsoft.net.pem
> > ssl_cert_name=testserver.rhsoft.net.pem
> > ssl_cert_name=uploadprogress.testserver.rhsoft.net.pem
> > ssl_cert_name=webmail.testserver.rhsoft.net.pem
> >
> > > On Sun, Sep 28, 2014 at 11:26 AM, Reindl Harald <[email protected]> wrote:
> > >
> > > > On 28.09.2014 at 18:24, Jason Strongman wrote:
> > > > > Version - 4.2.1.1
> > > > > Mode - Reverse Proxy
> > > > >
> > > > > Objective: To support multiple SSL sites, each with their own
> > > > > certificate, and only use one IP/Port.
> > > > > Does ATS support SNI for incoming requests as described in the
> > > > > below links?
> > > >
> > > > ATS supports *only* SNI for incoming requests
