On Mon, Nov 19, 2018 at 3:43 PM Susan Hinrichs <shinr...@oath.com> wrote:
>
> Ok. I didn't know how to do lists in yaml.

I think both of you are right for the yaml syntax:

  fruits: [apples, oranges, strawberries]

is equivalent yaml to

  fruits:
    - apples
    - oranges
    - strawberries

> I think you will still want to specify an enable list or a disable list
> depending on the use case. It is highly unlikely that you will want an "all"
> option. Many of the old, old protocols should never be enabled.

+1. Seems like whenever I've found a whitelist to be useful, inevitably a
blacklist has also become useful. (So, I'm +1 on the lists.)

I'm guessing the whitelist one would turn on that version for this context
regardless of the global; and similarly, if a version is *not* mentioned in
the whitelist, but on globally, it would be off for that context.

I think I'd follow the records.config names as much as possible -- TLSv1_1
(from "proxy.config.ssl.TLSv1_1").

miles

> On Mon, Nov 19, 2018 at 4:31 PM Alan Carroll <solidwallofc...@oath.com> wrote:
>>
>> I don't like either. I'd prefer "tls-enable: [ 1_0, 1_1, 1_2, 1_3 ]" with
>> the special case of "tls-enable: all" where if it's not enabled, it's
>> disabled. Or, if separate flags, "tls_1_3: enable/disable" in which case the
>> protocol levels are enabled by default.
>>
>> On Mon, Nov 19, 2018 at 4:11 PM Susan Hinrichs <shinr...@apache.org> wrote:
>>>
>>> We currently have the ability to turn off HTTP/2 support on a per domain
>>> basis via the disable_h2 option in ssl_server_name.yaml
>>>
>>> https://docs.trafficserver.apache.org/en/latest/admin-guide/files/ssl_server_name.yaml.en.html
>>>
>>> Folks have asked for a similar mechanism to not offer TLS protocols (e.g.
>>> 1.3) for specific domain names. I can see use cases for adding or removing
>>> from the default in records.config for very new protocols (e.g. the phone
>>> app for a domain doesn't handle TLSv1.3) or very old protocols (e.g. some
>>> critical set top boxes can only use TLSv1.0).
>>>
>>> We could have a separate toggle for each protocol, directly mapping what
>>> is in records.config:
>>>
>>>   - fqdn: bob.com
>>>     enable_tls_v1_3: true/false
>>>
>>> Or we could try to have a list entry:
>>>
>>>   - fqdn: bob.com
>>>     enable_tls_protocols:
>>>       - tls_v1_3
>>>       - tls_v1_2
>>>     disable_tls_protocols:
>>>       - tls_v1.0
>>>
>>> Please share your opinions.
>>>
>>
>>
>> --
>> Beware the fisherman who's casting out his line in to a dried up riverbed.
>> Oh don't try to tell him 'cause he won't believe. Throw some bread to the
>> ducks instead.
>> It's easier that way. - Genesis : Duke : VI 25-28
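As an added example (not Traffic Server code), here is a small resolver for the two YAML shapes proposed in the thread, written to the semantics Miles guesses at above: a per-domain setting overrides the global records.config default, and anything not mentioned keeps the global value. It assumes the records.config names follow the proxy.config.ssl.TLSv1_* pattern quoted in the thread, and the entries are constructed dicts standing in for parsed ssl_server_name.yaml so no YAML library is needed.

```python
import re

# Constructed stand-in for records.config: protocols enabled globally via the
# proxy.config.ssl.TLSv1_* records (only TLSv1_1 is quoted in the thread; the
# other names are assumed to follow the same pattern).
GLOBAL_ENABLED = frozenset({"TLSv1_2", "TLSv1_3"})
LEGACY = frozenset({"TLSv1", "TLSv1_1"})  # versions that should not be re-enabled lightly

def canon(name):
    """Map the spellings used in the thread (tls_v1_3, TLSv1_1, 1_3, tls_v1.0)
    onto the records.config style name, e.g. 'TLSv1_3'."""
    m = re.fullmatch(r"(?:tls[_-]?v?)?1(?:[._](\d))?", name.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised TLS protocol name: {name!r}")
    minor = m.group(1)
    return "TLSv1" if minor in (None, "0") else f"TLSv1_{minor}"

def resolve(entry, global_enabled=GLOBAL_ENABLED):
    """Return (effective protocol set, list of problems) for one entry.
    Handles both proposals: per-protocol flags (enable_tls_v1_3: false) and
    enable_tls_protocols / disable_tls_protocols lists. Assumed semantics:
    explicit per-domain settings override the global default."""
    enabled, problems = set(global_enabled), []
    for key, value in entry.items():
        m = re.fullmatch(r"enable_(tls_v1(?:[._]\d)?)", key)
        if m and isinstance(value, bool):
            (enabled.add if value else enabled.discard)(canon(m.group(1)))
    on = {canon(p) for p in entry.get("enable_tls_protocols", [])}
    off = {canon(p) for p in entry.get("disable_tls_protocols", [])}
    if on & off:
        problems.append(f"listed as both enabled and disabled: {sorted(on & off)}")
    enabled = (enabled | on) - off  # the disable list wins over the enable list
    if enabled & LEGACY:
        problems.append(f"legacy protocol enabled: {sorted(enabled & LEGACY)}")
    if not enabled:
        problems.append("no TLS protocol left enabled for this fqdn")
    return frozenset(enabled), problems

# Constructed entries mirroring the two YAML shapes proposed in the thread.
SAMPLE_ENTRIES = [
    {"fqdn": "bob.com", "enable_tls_v1_3": False},
    {"fqdn": "stb.example.com", "enable_tls_protocols": ["tls_v1_3", "tls_v1_2"],
     "disable_tls_protocols": ["tls_v1.0"]},
    {"fqdn": "old.example.com", "enable_tls_protocols": ["tls_v1.0"]},
]

if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        protocols, problems = resolve(entry)
        print(entry["fqdn"], sorted(protocols), problems or "ok")
```

Running it over the constructed entries shows bob.com dropping to TLSv1_2 only, stb.example.com unchanged, and old.example.com flagged for re-enabling TLSv1.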