BTW:

what speaks against having "ssl_cert_name=subdomain1.example.com.pem ssl_ca_name=godaddy_ca_sha1.crt"
in "remap.config" optional and making "ssl_multicert.config" no longer mandatory but still possible?

map https://s1.example.com http://o1.example.com ssl_cert_name=s1.example.pem ssl_ca_name=ca.crt

Am 01.02.2014 16:49, schrieb Reindl Harald:
> 
> Am 01.02.2014 16:37, schrieb Leif Hedstrom:
>> I just upgraded to latest master, and noticed that our behavior has changed
>> related to how certs are "negotiated". This is related to TS-2031 I believe.
>>
>> What it meant for me was that I had to reorder a couple of rules in
>> ssl_multicert.config for the sites to work as expected. I'm sure this is a
>> pretty unusual case, so I'm probably ok to just document this (visibly, in
>> the v4.2.0 release notes). But I'm interested to hear what others using SSL
>> have to say about this? It technically does break backwards compatibility,
>> since a config that used to work with v4.1.3 will not work with v4.2.0.
>>
>> Or should we play it safe, and move TS-2031 over to 5.0.x?
> 
> please elaborate the changes for "ssl_multicert.config"
> 
> if the changes result in specifying the hostnames explicitly in "ssl_multicert.config"
> i would even support the change because i am not a big friend of magic if it
> comes to server-configurations, in case there are two certificates used valid for
> the same hostnames you are missing the control which hostname should use which cert
> 
> that would also make it possible to have a default ssl host for clients without
> SNI support - the first listed one like httpd does, i fear even after april
> there are too many clients staying on WinXP or Java6 which makes me a little worry
> __________________________________
> 
> current config
> 
> [root@localhost:~]$ cat /etc/trafficserver/ssl_multicert.config
> ssl_cert_name=subdomain1.example.com ssl_ca_name=godaddy_ca_sha1.crt
> ssl_cert_name=wildcard.pem ssl_ca_name=godaddy_ca_sha256.crt
> __________________________________
> 
> that's what i would dream about because that gets really interesting if you have
> a SHA1 and a SHA256 wildcard-certificate in the game and need to decide where to
> use which one which may depend on how many legacy clients a project expects
> 
> [root@localhost:~]$ cat /etc/trafficserver/ssl_multicert.config
> ssl_hostname=subdomain1.example.com ssl_cert_name=subdomain1.example.com.pem ssl_ca_name=godaddy_ca_sha1.crt
> ssl_hostname=subdomain2.example.com ssl_cert_name=wildcard_sha256.pem ssl_ca_name=godaddy_ca_sha256.crt
> ssl_hostname=subdomain3.example.com ssl_cert_name=wildcard_sha1.pem ssl_ca_name=godaddy_ca_sha1.crt
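To make the proposed "ssl_hostname" layout and the non-SNI fallback concrete, here is an added example that is not Traffic Server code and not part of this thread: it parses the dreamed-up ssl_multicert.config format quoted above and picks the certificate for a client by its SNI name, falling back to the first listed entry (the httpd-style default) when the client sends no SNI or an unknown name. The fallback for unknown names and the comment syntax are assumptions of this example, not something the thread specifies.

```python
"""Parse the ssl_hostname-keyed ssl_multicert.config format proposed in the
thread and select a cert by SNI. Added example; not the Traffic Server parser."""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the thread's proposed format; file names are placeholders.
SAMPLE_CONFIG = """\
# first listed entry doubles as the default for clients without SNI (assumption)
ssl_hostname=subdomain1.example.com ssl_cert_name=subdomain1.example.com.pem ssl_ca_name=godaddy_ca_sha1.crt
ssl_hostname=subdomain2.example.com ssl_cert_name=wildcard_sha256.pem ssl_ca_name=godaddy_ca_sha256.crt
ssl_hostname=subdomain3.example.com ssl_cert_name=wildcard_sha1.pem ssl_ca_name=godaddy_ca_sha1.crt
"""


@dataclass(frozen=True)
class CertEntry:
    hostname: str   # explicit name the entry serves (lower-cased for matching)
    cert_name: str  # server certificate / key file
    ca_name: str    # intermediate chain file, may be empty


def parse_multicert(text: str) -> List[CertEntry]:
    """One entry per non-comment line; each token is key=value. Order is kept."""
    entries: List[CertEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kv = {}
        for tok in line.split():
            if "=" not in tok:
                raise ValueError(f"line {lineno}: token {tok!r} is not key=value")
            key, val = tok.split("=", 1)
            kv[key] = val
        for required in ("ssl_hostname", "ssl_cert_name"):
            if required not in kv:
                raise ValueError(f"line {lineno}: missing {required}")
        entries.append(CertEntry(kv["ssl_hostname"].lower(),
                                 kv["ssl_cert_name"], kv.get("ssl_ca_name", "")))
    return entries


def select_cert(entries: List[CertEntry], sni: Optional[str]) -> CertEntry:
    """Explicit hostname match wins; no SNI or an unknown name gets the first
    listed entry, the way httpd serves its first vhost to legacy clients."""
    if sni:
        wanted = sni.lower()
        for entry in entries:
            if entry.hostname == wanted:
                return entry
    return entries[0]
```

Two certificates for the same hostname are listed in order, so the first one wins deterministically, which is exactly the control the thread asks for.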
