I don't like either. I'd prefer "tls-enable: [ 1_0, 1_1, 1_2, 1_3 ]" with the special case of "tls-enable: all" where if it's not enabled, it's disabled. Or, if separate flags, "tls_1_3: enable/disable" in which case the protocol levels are enabled by default.
On Mon, Nov 19, 2018 at 4:11 PM Susan Hinrichs <[email protected]> wrote:

> We currently have the ability to turn off HTTP/2 support on a per-domain
> basis via the disable_h2 option in ssl_server_name.yaml
>
> https://docs.trafficserver.apache.org/en/latest/admin-guide/files/ssl_server_name.yaml.en.html
>
> Folks have asked for a similar mechanism to not offer TLS protocols (e.g.
> 1.3) for specific domain names. I can see use cases for adding or removing
> from the default in records.config for very new protocols (e.g. the phone
> app for a domain doesn't handle TLSv1.3) or very old protocols (e.g. some
> critical set-top boxes can only use TLSv1.0).
>
> We could have a separate toggle for each protocol, directly mapping what
> is in records.config:
>
>     - fqdn: bob.com
>       enable_tls_v1_3: true/false
>
> Or we could try to have a list entry:
>
>     - fqdn: bob.com
>       enable_tls_protocols:
>         - tls_v1_3
>         - tls_v1_2
>       disable_tls_protocols:
>         - tls_v1.0
>
> Please share your opinions.

-- 
*Beware the fisherman who's casting out his line in to a dried up riverbed.*
*Oh don't try to tell him 'cause he won't believe. Throw some bread to the ducks instead.*
*It's easier that way.* - Genesis : Duke : VI 25-28
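As an added example, not code from this thread or from Traffic Server: a small resolver that applies the three per-FQDN config shapes discussed above (the reply's `tls-enable` list-or-`all`, and the original mail's per-protocol flags and enable/disable lists) on top of a records.config default, with the checks an operator would want before such a file is loaded: unknown protocol spellings, a protocol listed as both enabled and disabled, an entry that ends up offering no TLS version at all, mixing two shapes in one entry, and a warning when an entry re-enables TLS 1.0/1.1 (deprecated by RFC 8996). The key names are taken from the proposals, the "records.config default" and the sample entries are constructed, and none of it is the real ssl_server_name.yaml schema.

```python
"""Resolve the per-FQDN TLS protocol set under the config shapes floated in the thread.

Hypothetical example: key names (tls-enable, enable_tls_v1_3, enable_tls_protocols,
disable_tls_protocols) are the thread's proposals, not Traffic Server's real schema.
"""
import re
from typing import Dict, Iterable, List

CANONICAL = ("TLSv1_0", "TLSv1_1", "TLSv1_2", "TLSv1_3")
# RFC 8996 deprecates TLS 1.0 and 1.1; flag them when an entry (re-)enables them.
DEPRECATED = frozenset(("TLSv1_0", "TLSv1_1"))

# Accept the spellings seen in the thread: tls_v1_3, tls_v1.0, 1_3, TLSv1.2, ...
_NAME_RE = re.compile(r"^(?:tls[_\-]?v?)?1[._\-]?(\d)$", re.IGNORECASE)
# Per-protocol flag keys: enable_tls_v1_3, tls_1_3, TLSv1.2 ...
_FLAG_KEY_RE = re.compile(r"^(?:enable_)?(tls[_\-]?v?1[._\-]?\d)$", re.IGNORECASE)


def canonical_protocol(name: str) -> str:
    """Normalise a protocol spelling to TLSv1_N, rejecting unknown versions."""
    m = _NAME_RE.match(str(name).strip())
    proto = f"TLSv1_{m.group(1)}" if m else None
    if proto not in CANONICAL:
        raise ValueError(f"unknown TLS protocol name: {name!r}")
    return proto


def resolve_tls_protocols(default_enabled: Iterable[str], entry: Dict) -> List[str]:
    """Return the sorted protocol list one server_name entry resolves to.

    Shapes (one per entry; mixing them is ambiguous and rejected):
      A) per-protocol flags:  enable_tls_v1_3: false   or   tls_1_3: disable
      B) exact list:          tls-enable: [1_2, 1_3]   or   tls-enable: all
      C) delta lists:         enable_tls_protocols / disable_tls_protocols
    Unmentioned protocols keep the records.config default in A and C,
    and are disabled in B (the reply's "not enabled means disabled").
    """
    enabled = {canonical_protocol(p) for p in default_enabled}
    shapes_used = set()

    if "tls-enable" in entry:  # shape B
        shapes_used.add("B")
        value = entry["tls-enable"]
        enabled = set(CANONICAL) if value == "all" else {canonical_protocol(p) for p in value}

    if "enable_tls_protocols" in entry or "disable_tls_protocols" in entry:  # shape C
        shapes_used.add("C")
        add = {canonical_protocol(p) for p in entry.get("enable_tls_protocols") or []}
        drop = {canonical_protocol(p) for p in entry.get("disable_tls_protocols") or []}
        conflict = add & drop
        if conflict:
            raise ValueError(f"{sorted(conflict)} listed as both enabled and disabled")
        enabled = (enabled | add) - drop

    for key, value in entry.items():  # shape A
        flag = _FLAG_KEY_RE.match(str(key))
        if not flag:
            continue
        shapes_used.add("A")
        proto = canonical_protocol(flag.group(1))
        if value in (True, "enable", "true"):
            enabled.add(proto)
        elif value in (False, "disable", "false"):
            enabled.discard(proto)
        else:
            raise ValueError(f"{key}: expected enable/disable, got {value!r}")

    fqdn = entry.get("fqdn")
    if len(shapes_used) > 1:
        raise ValueError(f"entry for {fqdn!r} mixes config styles {sorted(shapes_used)}")
    if not enabled:
        raise ValueError(f"entry for {fqdn!r} disables every TLS version; no client could connect")
    return sorted(enabled)


def deprecated_protocols(enabled: Iterable[str]) -> List[str]:
    """Protocols in a resolved set that RFC 8996 deprecates (worth an operator warning)."""
    return sorted(DEPRECATED.intersection(enabled))


RECORDS_CONFIG_DEFAULT = ["TLSv1_2", "TLSv1_3"]  # constructed, not the real ATS default

SERVER_NAME_ENTRIES = [  # constructed sample covering the proposed shapes
    {"fqdn": "phoneapp.example.com", "enable_tls_v1_3": False},            # A: app can't do 1.3
    {"fqdn": "bob.com", "tls-enable": ["1_2", "1_3"]},                     # B: exact list
    {"fqdn": "kiosk.example.com", "tls-enable": "all"},                    # B: everything
    {"fqdn": "settop.example.com",                                         # C: old boxes need 1.0
     "enable_tls_protocols": ["tls_v1.0"], "disable_tls_protocols": ["tls_v1_3"]},
]

if __name__ == "__main__":
    for e in SERVER_NAME_ENTRIES:
        protos = resolve_tls_protocols(RECORDS_CONFIG_DEFAULT, e)
        warn = deprecated_protocols(protos)
        print(f"{e['fqdn']:24} {protos}" + (f"  WARNING deprecated: {warn}" if warn else ""))
```

Running it prints one line per entry; the set-top and kiosk entries come back with a deprecation warning because they put TLSv1_0 (and, for `all`, TLSv1_1) back on offer, which is exactly the case where a per-domain override should be reviewed rather than copied around.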
