That sounds like a bug and after looking through the code it does appear to be:
https://github.com/apache/trafficserver/blob/master/proxy/http/HttpSM.cc#L5046

That's the wrong value to use since it never gets overwritten here:
https://github.com/apache/trafficserver/blob/master/proxy/http/remap/RemapProcessor.cc#L242

Can you please file a bug?

Brian

On Tue, Jan 17, 2017 at 1:56 PM Jeremy Payne <[email protected]> wrote:

Hello,

I currently have ATS configured to support a pristine host header.

proxy.config.url_remap.pristine_host_hdr 1

I also have ATS configured to verify the origin server certificate.

proxy.config.ssl.client.verify.server 1

My remap looks like this.

map https://edge.abc.com/ https://origin.xyz.com/

Because pristine is enabled, when ATS sends a request back to the origin, it uses a SNI value of: edge.abc.com

However, the origin returns a certificate that does not match the SNI. Because the requested SNI and the returned CN/SAN do not match, coupled with verify.server enabled, ATS terminates the origin session and sends a 502 back to the client.

Is there another control or configuration that allows me to define which SNI value to send back to the origin?

I need to keep pristine enabled and I need verify.server enabled.

Thanks in advance.
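The name check behind the 502 described in this thread, as an added example that is not part of the original messages or of the Traffic Server code base: an offline model that picks the SNI the way the thread reports and matches it against the origin certificate's DNS names. The function names and the SAN list are hypothetical; it assumes the remap target host is used as SNI when pristine_host_hdr is off, and that the origin presents the same certificate whatever SNI it receives.

```python
# Added example, not Traffic Server code. SANS is constructed sample data.
SANS = ["origin.xyz.com", "*.cdn.xyz.com"]


def name_matches(pattern, hostname):
    """RFC 6125-style match: case-insensitive, a wildcard is only valid as
    the whole left-most label and stands for exactly one label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Require two fixed labels so a pattern like "*.com" never matches.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def cert_covers(san_dns_names, hostname):
    """True if any DNS name in the certificate covers the hostname."""
    return any(name_matches(n, hostname) for n in san_dns_names)


def origin_sni(request_host, remap_target_host, pristine_host_hdr):
    """SNI as reported in the thread: the client-facing host when pristine
    is on. The 'off' branch (remap target host) is an assumption."""
    return request_host if pristine_host_hdr else remap_target_host


def origin_result(request_host, remap_target_host, pristine, verify_server, sans):
    """Return (sni, outcome): '502' when verification rejects the name,
    'verified' when it passes, 'unverified' when verification is off."""
    sni = origin_sni(request_host, remap_target_host, pristine)
    if not verify_server:
        return sni, "unverified"
    return sni, "verified" if cert_covers(sans, sni) else "502"


if __name__ == "__main__":
    # The configuration from the thread: pristine on, verify.server on.
    print(origin_result("edge.abc.com", "origin.xyz.com", True, True, SANS))
    # Same remap with the origin host as SNI: the certificate matches.
    print(origin_result("edge.abc.com", "origin.xyz.com", False, True, SANS))
```

Running the same check against the DNS names of the real origin certificate shows which of the two candidate SNI values would pass verification.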
