Got it, so we need something like CONFIG proxy.config.ssl.*server*.* parameters?

Thanks
Adi

On Wed, Jul 6, 2016 at 3:37 PM, James Peach <[email protected]> wrote:
> 
> > On Jul 6, 2016, at 3:31 PM, Adi Mallikarjuna Reddy V <[email protected]> wrote:
> > 
> > I think that explains the behavior.
> > 
> > Then why do we have two flags?
> > CONFIG proxy.config.ssl.TLSv1 and CONFIG proxy.config.ssl.client.TLSv1
> > This was added in https://issues.apache.org/jira/browse/TS-2924.
> > 
> > https://github.com/apache/trafficserver/blob/master/iocore/net/SSLConfig.cc#L183
> > 
> > On Wed, Jul 6, 2016 at 3:27 PM, James Peach <[email protected]> wrote:
> > > 
> > > > On Jul 6, 2016, at 3:18 PM, Adi Mallikarjuna Reddy V <[email protected]> wrote:
> > > > 
> > > > When I turn off tls1 with
> > > > CONFIG proxy.config.ssl.TLSv1 INT 0
> > > > I see
> > > > openssl s_client -debug -connect example.net:443 -tls1
> > > > fails as expected, but the connection to origin also fails with a 502 code. Browser sees 502 success.
> > > > 
> > > > This is when I started looking at the other flags to see if turning off tls1 at ATS affects the connection to origin also.
> > > 
> > > Ah I see. It looks like proxy.config.ssl.TLSv1 is applied to both client and server TLS sessions. Can you please file a bug? AFAICT it has always been like this, but it doesn't really make sense imho ...
> > > 
> > > > Thanks
> > > > Adi
> > > > 
> > > > On Wednesday, July 6, 2016, James Peach <[email protected]> wrote:
> > > > > 
> > > > > > On Jul 6, 2016, at 2:28 PM, Adi Mallikarjuna Reddy V <[email protected]> wrote:
> > > > > > 
> > > > > > we are trying to do
> > > > > > 
> > > > > > map https://foo.com https://origin.foo.com
> > > > > > 
> > > > > > where foo.com has TLSv1 disabled and origin.foo.com has TLS1 enabled.
> > > > > > 
> > > > > > To achieve this I am trying to set
> > > > > > CONFIG proxy.config.ssl.TLSv1 INT 0
> > > > > > and
> > > > > > CONFIG proxy.config.ssl.client.TLSv1 INT 1
> > > > > > 
> > > > > > Ideally this should make the browser-to-ATS connection use TLS1.1 or TLS1.2, and ATS-to-origin TLS1/TLS1.1/TLS1.2.
> > > > > > 
> > > > > > It's not working as expected.
> > > > > 
> > > > > What is the behaviour you are seeing?
> > > > > 
> > > > > I turned off proxy.config.ssl.TLSv1, and the following fails as expected:
> > > > > $ openssl s_client -debug -connect example.net:443 -no_tls1_1 -no_tls1_2
> > > > > 
> > > > > However OpenSSL sends a 1.0 handshake if I do this:
> > > > > $ openssl s_client -debug -connect example.net:443 -no_tls1_1
> > > > > 
> > > > > I have to explicitly enable 1.2:
> > > > > $ openssl s_client -debug -connect example.net:443 -no_tls1_1 -tls1_2
> > > > > 
> > > > > J
> > > > 
> > > > -- 
> > > > Sent from Mobile
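The thread above makes two practical points: the `-no_tls1_1` style of s_client flags still lets OpenSSL fall back to a 1.0 handshake unless you pin a version, and `proxy.config.ssl.TLSv1` turned out to affect both the browser-facing listener and the ATS-to-origin connection. The script below is an added example (mine, not Adi's, James's, or any Traffic Server code) for checking both sides the same way: it runs one `openssl s_client` handshake per pinned version (`-tls1`, `-tls1_1`, `-tls1_2`) and classifies the result from the output. The function names, the `PROBE_TARGET` variable and the two sample outputs are my own; the sample outputs are constructed in the shape s_client prints, not captured from any real host, so the classifier can be exercised offline. It assumes an `openssl` whose `s_client` still accepts those version flags (1.0.x/1.1.x era builds; newer builds may refuse `-tls1` at their default security level) and passes `-servername` because an ATS listener serving several certificates picks by SNI.

```shell
#!/bin/sh
# Added example (not from the thread or the Traffic Server project): probe which TLS
# versions a listener accepts by pinning ONE version per openssl s_client run.
# Pinning matters: "-no_tls1_1" alone still lets s_client fall back to a 1.0
# handshake, whereas -tls1 / -tls1_1 / -tls1_2 exercise exactly one version.
# Assumes an openssl binary whose s_client accepts those flags.

# classify_handshake: read s_client output on stdin, print one word:
#   the negotiated protocol (e.g. TLSv1.2) on success,
#   "refused" when the server rejected the handshake,
#   "error"   when the text is not an s_client session at all (bad flag, no connection).
classify_handshake() {
    out=$(cat)
    # A rejected handshake leaves s_client reporting no cipher at all.
    if printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
        printf 'refused\n'
        return 0
    fi
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *\(TLSv[0-9.]*\).*/\1/p' | head -n 1)
    if [ -n "$proto" ]; then
        printf '%s\n' "$proto"
    else
        printf 'error\n'
    fi
}

# probe_versions HOST:PORT [SNI]: one pinned s_client run per TLS version.
# SNI defaults to the host part of the target.
probe_versions() {
    target=$1
    sni=${2:-${1%%:*}}
    for flag in -tls1 -tls1_1 -tls1_2; do
        # </dev/null makes s_client exit right after the handshake instead of waiting for input.
        result=$(openssl s_client -connect "$target" -servername "$sni" "$flag" </dev/null 2>&1 | classify_handshake)
        printf '%-8s %s\n' "$flag" "$result"
    done
}

# Constructed sample outputs (abridged to the lines the classifier looks at; not
# captured from any real host) so the classifier can be checked without a network.
SAMPLE_OK='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'

SAMPLE_REFUSED='CONNECTED(00000003)
error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000'

# classify_sample TEXT: convenience wrapper so the samples can be classified by name.
classify_sample() {
    printf '%s\n' "$1" | classify_handshake
}

# Usage:
#   PROBE_TARGET=foo.com:443 sh tls_probe.sh          # browser-facing ATS listener
#   PROBE_TARGET=origin.foo.com:443 sh tls_probe.sh   # run on the ATS host: the origin side
# Without PROBE_TARGET only the offline samples are classified.
if [ -n "${PROBE_TARGET:-}" ]; then
    probe_versions "$PROBE_TARGET"
else
    printf 'sample ok: %s\nsample refused: %s\n' \
        "$(classify_sample "$SAMPLE_OK")" "$(classify_sample "$SAMPLE_REFUSED")"
fi
```

Run it twice for the `map https://foo.com https://origin.foo.com` case: once from outside against the ATS listener, where `-tls1` should come back `refused` once `proxy.config.ssl.TLSv1` is 0, and once from the ATS host against the origin, which tells you what the origin itself accepts independently of whatever ATS's client side is configured to offer. If the origin probe shows TLSv1 accepted but ATS still returns 502, the problem is on the ATS client side of the connection, which is exactly the coupling the thread identified.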
