[ https://issues.apache.org/jira/browse/TS-3746?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14625047#comment-14625047 ]
Susan Hinrichs commented on TS-3746:
------------------------------------

By the time you are taking an already existing session out of the pool, the certificate has been verified (or not). I guess you could set up remap rules for the same domain that resolve to the same origin server domain with conflicting values for the verify. So whether the origin server certificate is verified depends on which remap rule initiated the connection. But if the user is really concerned about only verifying certs for one set of domains vs another, I wouldn't think he would write such a conflicting set of remap rules.

Agreed, just a list of origins would be more straightforward in some sense, but since so much already hangs on the remap rules, that is kind of the obvious place for it in the minds of many current ATS deployers.

[~persiaAziz] and [~davet] are testing a version using the override config approach. Should have a PR for review soon.

> We need to make proxy.config.ssl.client.verify.server overridable
> -----------------------------------------------------------------
>
> Key: TS-3746
> URL: https://issues.apache.org/jira/browse/TS-3746
> Project: Traffic Server
> Issue Type: New Feature
> Components: Configuration
> Reporter: Syeda Persia Aziz
> Labels: Yahoo
> Fix For: sometime
>
>
> We need to make proxy.config.ssl.client.verify.server overridable. Some
> origin servers need validation to avoid MITM attacks while others don't.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)