[ 
https://issues.apache.org/jira/browse/TS-1147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13245296#comment-13245296
 ] 

Igor Galić commented on TS-1147:
--------------------------------

I suppose you'll only leave {{proxy.config.http.server_ports 443:ssl}} in 
{{records.config}}.

What about the default certificate that {{records.config}} still configures?
It needs to be configured if one *really* wants SSL enabled, even if all of the 
real hosts are taken care of by {{ssl_multicert.config}}.

Now, in certain cases this might even make sense - someone accesses a proxy via 
{{HTTPS}}, asking for a host this proxy does not serve. Do we terminate the TLS 
session? Do we finish the TLS handshake offering a default certificate and 
returning the RFC-compliant 400 HTTP code?

Here's what we do now, which begs the question why, exactly, we need the 
default certificate:
{noformat}
i.galic@pheme ~ % curl -vk -H'Host: this-is-a-bad-example.at' https://176.9.55.235:443/
* About to connect() to 176.9.55.235 port 443 (#0)
*   Trying 176.9.55.235... connected
* Connected to 176.9.55.235 (176.9.55.235) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: none
  CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* Unknown SSL protocol error in connection to 176.9.55.235:443
* Closing connection #0
curl: (35) Unknown SSL protocol error in connection to 176.9.55.235:443
35 i.galic@pheme ~ % 
{noformat}
                
> deprecate records.config SSL configuration
> ------------------------------------------
>
>                 Key: TS-1147
>                 URL: https://issues.apache.org/jira/browse/TS-1147
>             Project: Traffic Server
>          Issue Type: Improvement
>          Components: SSL
>            Reporter: James Peach
>            Assignee: James Peach
>            Priority: Minor
>             Fix For: 3.1.5
>
>
> Since ssl_multicert.config is a strict superset of the SSL certificate 
> configuration in records.config, we should deprecate configuring SSL 
> certificates in records.config and make ssl_multicert.config the One True Way.
