> On Nov 8, 2016, at 1:17 PM, Leif Hedstrom <zw...@apache.org> wrote:
>
> Hi all,
>
> I know this has been discussed many times before, but it keeps coming back to
> bite me in ugly ways. Right now, there’s no way (other than plugin code) to
> make TLS behave differently based on the SSL context (the line in
> ssl_multicert.config that matched the SNI or IP). This is a real drag, and a
> serious shortcoming IMO. The way I see things, ssl_multicert.config is to TLS
> as what remap.config is to HTTP, but we don’t treat it as such for some
> reason.
>
> So, what I need right now are two things, but I can see this getting expanded
> in the future:
>
> 1) Custom ALPN negotiation for a context (say, don’t allow H2 on a cert)
>
> 2) Custom TLS protocol settings for a context (say, turn off TLSv1.0 on a
> cert)
>
>
> So, something like this (just for show, not a proposal):
>
> ssl_cert_name=ogre.crt ssl_key_name=ogre.key ssl_ca_name=ca.crt
> protocols=tlsv1.1,tlsv1.2 alpn=h2,https
>
>
> The settings in records.config then become global defaults for those
> contexts which lack explicit rules.
My thoughts on this are/were in https://issues.apache.org/jira/browse/TS-2773. Allow all the SSL configurations to be overridden per-certificate. This doesn’t address client certificates, which are severely limited.

Alternatively, lua snippets ;)

J
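To make the mechanism under discussion concrete, here is an added example (written for this page, not Traffic Server code and not from either poster) that models Leif's sketch: each certificate line carries its own `protocols=` and `alpn=` settings, lines without them fall back to global defaults, and an SNI callback swaps in the matching TLS context. It uses Python's `ssl` module as a stand-in for the server; the `protocols=` and `alpn=` keys, the `dest_ip` hostnames, the file names and the "global defaults" dictionary are all constructed for the example, and `http/1.1` is used in place of the illustrative `https` token because it is the registered ALPN identifier. Certificates are not loaded, since the sample file names do not exist.

```python
"""Per-SNI TLS policy: a model of per-certificate protocol/ALPN overrides.

Hypothetical config keys (protocols=, alpn=); not Traffic Server code.
"""
import ssl
from dataclasses import dataclass

# Tokens accepted in protocols=, mapped to the ssl module's version enum.
TLS_VERSIONS = {
    "tlsv1": ssl.TLSVersion.TLSv1,
    "tlsv1.1": ssl.TLSVersion.TLSv1_1,
    "tlsv1.2": ssl.TLSVersion.TLSv1_2,
    "tlsv1.3": ssl.TLSVersion.TLSv1_3,
}

# Stand-in for the records.config global defaults (constructed values):
# lines that set no protocols= or alpn= inherit these.
GLOBAL_DEFAULTS = {"protocols": ("tlsv1.2", "tlsv1.3"), "alpn": ("h2", "http/1.1")}

# Constructed sample file. The second line disables TLSv1.0 and refuses H2,
# the two cases from the thread; the first line takes the global defaults.
SAMPLE_CONFIG = """
# dest_ip=* is the catch-all context
dest_ip=* ssl_cert_name=default.crt ssl_key_name=default.key
dest_ip=ogre.example ssl_cert_name=ogre.crt ssl_key_name=ogre.key protocols=tlsv1.1,tlsv1.2 alpn=http/1.1
"""


@dataclass(frozen=True)
class CertPolicy:
    dest_ip: str
    cert: str
    key: str
    protocols: tuple  # tokens from TLS_VERSIONS
    alpn: tuple       # ALPN identifiers in preference order


def parse_line(line, defaults=GLOBAL_DEFAULTS):
    """Parse one key=value line; missing protocols=/alpn= fall back to defaults."""
    fields = {}
    for token in line.split():
        if token.startswith("#"):
            break
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"malformed token {token!r} in {line!r}")
        fields[key] = value
    protocols = tuple(fields["protocols"].split(",")) if "protocols" in fields else defaults["protocols"]
    for name in protocols:
        if name not in TLS_VERSIONS:
            raise ValueError(f"unknown protocol {name!r} in {line!r}")
    alpn = tuple(fields["alpn"].split(",")) if "alpn" in fields else defaults["alpn"]
    return CertPolicy(
        dest_ip=fields.get("dest_ip", "*"),
        cert=fields["ssl_cert_name"],
        key=fields.get("ssl_key_name", ""),
        protocols=protocols,
        alpn=alpn,
    )


def load_table(text):
    """Build a dest_ip -> CertPolicy table from the file contents."""
    lines = (l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#"))
    return {policy.dest_ip: policy for policy in map(parse_line, lines)}


def select_policy(table, servername):
    """Exact SNI match first, then the catch-all '*' entry."""
    return table.get(servername) or table["*"]


def build_context(policy):
    """Turn a CertPolicy into an SSLContext with its own version range and ALPN list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    versions = sorted(TLS_VERSIONS[name] for name in policy.protocols)
    ctx.minimum_version = versions[0]
    ctx.maximum_version = versions[-1]
    ctx.set_alpn_protocols(list(policy.alpn))
    # A real server would ctx.load_cert_chain(policy.cert, policy.key) here;
    # the sample file names do not exist, so that call is omitted.
    return ctx


def context_version_range(ctx):
    """Names of the version bounds, e.g. ('TLSv1_1', 'TLSv1_2')."""
    return (ctx.minimum_version.name, ctx.maximum_version.name)


def install_sni_dispatch(default_ctx, table):
    """Prebuild one context per line and switch to it when the ClientHello's SNI matches."""
    contexts = {name: build_context(policy) for name, policy in table.items()}

    def on_sni(sock, servername, _ctx):
        sock.context = contexts[select_policy(table, servername).dest_ip]

    default_ctx.sni_callback = on_sni
    return contexts


if __name__ == "__main__":
    table = load_table(SAMPLE_CONFIG)
    contexts = install_sni_dispatch(build_context(table["*"]), table)
    for name, ctx in contexts.items():
        print(name, context_version_range(ctx), table[name].alpn)
```

The SNI callback only changes which prebuilt context handles the connection, so the per-line settings take effect before the protocol version and ALPN are negotiated; contexts are built once at load time rather than per connection.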