Ok. I didn't know how to do lists in yaml. I think you will still want to specify an enable list or a disable list depending on the use case. It is highly unlikely that you will want an "all" option. Many of the old, old protocols should never be enabled.
On Mon, Nov 19, 2018 at 4:31 PM Alan Carroll <[email protected]> wrote:

> I don't like either. I'd prefer "tls-enable: [ 1_0, 1_1, 1_2, 1_3 ]" with
> the special case of "tls-enable: all" where if it's not enabled, it's
> disabled. Or, if separate flags, "tls_1_3: enable/disable" in which case
> the protocol levels are enabled by default.
>
> On Mon, Nov 19, 2018 at 4:11 PM Susan Hinrichs <[email protected]>
> wrote:
>
>> We currently have the ability to turn off HTTP/2 support on a per domain
>> basis via the disable_h2 option in ssl_server_name.yaml
>>
>> https://docs.trafficserver.apache.org/en/latest/admin-guide/files/ssl_server_name.yaml.en.html
>>
>> Folks have asked for a similar mechanism to not offer TLS protocols (e.g.
>> 1.3) for specific domain names. I can see use cases for adding or removing
>> from the default in records.config for very new protocols (e.g. the phone
>> app for a domain doesn't handle TLSv1.3) or very old protocols (e.g. some
>> critical set top boxes can only use TLSv1.0).
>>
>> We could have a separate toggle for each protocol. Directly mapping what
>> is in records.config.
>>
>>     - fqdn: bob.com
>>       enable_tls_v1_3: true/false
>>
>> Or we could try to have a list entry
>>
>>     - fqdn: bob.com
>>       enable_tls_protocols:
>>         - tls_v1_3
>>         - tls_v1_2
>>       disable_tls_protocols:
>>         - tls_v1.0
>>
>> Please share your opinions.
>>
>
> --
> *Beware the fisherman who's casting out his line in to a dried up
> riverbed.*
> *Oh don't try to tell him 'cause he won't believe. Throw some bread to the
> ducks instead.*
> *It's easier that way. *- Genesis : Duke : VI 25-28
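An added example, not code from this thread or from Traffic Server, showing how both proposed per-domain forms (Susan's enable/disable lists layered on the records.config default, and Alan's explicit "tls-enable" set with its "all" case) could be resolved into one effective version set per fqdn, with a check that an entry cannot re-enable versions an operator has decided should never be offered. The parsed YAML is a constructed Python stand-in, the records.config default and the never-enable set are assumed policy values, and names are normalized to the tls_v1_x spelling.

```python
# Added example: resolve per-domain TLS versions from the two proposed entry forms.
ALL_PROTOCOLS = ("tls_v1_0", "tls_v1_1", "tls_v1_2", "tls_v1_3")
# Stand-in for the global default that records.config would supply (assumed value).
RECORDS_CONFIG_DEFAULT = frozenset({"tls_v1_2", "tls_v1_3"})
# Assumed policy: a per-domain entry may turn these off but never turn them back on.
NEVER_ENABLE = frozenset({"tls_v1_0", "tls_v1_1"})

# Constructed entries in the shapes from the thread, as if already parsed from YAML.
SSL_SERVER_NAME = [
    {"fqdn": "bob.com", "enable_tls_protocols": ["tls_v1_2", "tls_v1_3"],
     "disable_tls_protocols": ["tls_v1_0"]},
    {"fqdn": "phoneapp.example", "disable_tls_protocols": ["tls_v1_3"]},
    {"fqdn": "settop.example", "enable_tls_protocols": ["tls_v1_0"]},
    {"fqdn": "strict.example", "tls-enable": ["1_2", "1_3"]},
    {"fqdn": "legacy.example", "tls-enable": "all"},
]


def canon(name):
    """Map the short '1_3' spelling used by the tls-enable form onto 'tls_v1_3'."""
    name = str(name)
    return name if name.startswith("tls_v") else "tls_v" + name


def resolve_entry(entry, default=RECORDS_CONFIG_DEFAULT):
    """Return (effective version set, rejected enable requests) for one fqdn entry."""
    fqdn = entry["fqdn"]
    if "tls-enable" in entry:  # explicit-set form: anything not listed is disabled
        wanted = entry["tls-enable"]
        enable = list(ALL_PROTOCOLS) if wanted == "all" else [canon(p) for p in wanted]
        disable = [p for p in ALL_PROTOCOLS if p not in enable]
    else:  # enable/disable lists applied on top of the records.config default
        enable = [canon(p) for p in entry.get("enable_tls_protocols", [])]
        disable = [canon(p) for p in entry.get("disable_tls_protocols", [])]
    for name in enable + disable:
        if name not in ALL_PROTOCOLS:
            raise ValueError(f"{fqdn}: unknown TLS protocol {name!r}")
    # Requests to enable a never-enable version are reported, not honoured.
    rejected = sorted(set(enable) & NEVER_ENABLE)
    effective = (set(default) | (set(enable) - NEVER_ENABLE)) - set(disable)
    if not effective:
        raise ValueError(f"{fqdn}: every TLS version is disabled, no handshake can succeed")
    return effective, rejected


def resolve_all(entries=SSL_SERVER_NAME):
    """Resolve every entry; raising on the first invalid one keeps a bad config from loading."""
    return {e["fqdn"]: resolve_entry(e) for e in entries}
```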
