Am 01.02.2014 16:37, schrieb Leif Hedstrom: > I just upgraded to latest master, and noticed that our behavior has changed > related to how certs are “negotiated”. This is related to TS-2031 I believe. > > What it meant for me was that I had to reorder a couple of rules in > ssl_multicert.config for the sites to work as expected. I’m sure this is a > pretty unusual case, so I’m probably ok to just document this (visibly, in > the v4.2.0 release) notes. But I’m interested to hear what others using SSL > has to say about this? It technically does break backwards compatibility, > since a config that used to work with v4.1.3 will not work with v4.2.0. > > Or should we play it safe, and move TS-2031 over to 5.0.x?
please elaborate the changes for "ssl_multicert.config" if the changes results in specify the hostnames explicit in "ssl_multicert.config" i would even support the change because i am not a big friend of magic if it comes to server-configurations, in case there are two certificates used valid for the same hostnames you are missing the control which hostname should use which cert that would also make it possible to have a default ssl host for client without SNI support - the first listed one like httpd does, i fear even after april there are too much clients staing on WinXP or Java6 which makes me a little worry __________________________________ current config [root@localhost:~]$ cat /etc/trafficserver/ssl_multicert.config ssl_cert_name=subdomain1.example.com ssl_ca_name=godaddy_ca_sha1.crt ssl_cert_name=wildcard.pem ssl_ca_name=godaddy_ca_sha256.crt __________________________________ that's what i would dream about because that get's really interesting if you have a SHA1 and a SHA256 wildcard-certificate in the game and need to decide where to use which one which may depened on how many legacy clients a project expects [root@localhost:~]$ cat /etc/trafficserver/ssl_multicert.config ssl_hostname=subdomain1.example.com ssl_cert_name=subdomain1.example.com.pem ssl_ca_name=godaddy_ca_sha1.crt ssl_hostname=subdomain2.example.com ssl_cert_name=wildcard_sha256.pem ssl_ca_name=godaddy_ca_sha256.crt ssl_hostname=subdomain3.example.com ssl_cert_name=wildcard_sha1.pem ssl_ca_name=godaddy_ca_sha1.crt
signature.asc
Description: OpenPGP digital signature
