I know that I had a discussion on this with Miles and Alan, but I can find
no written record.  The desire is to alter, on a per-domain (SNI) basis,
the set of TLS protocols that ATS is willing to accept.

I put up a PR with an addition to ssl_server_name.yaml to do this.  There
is documentation in the PR and an example in the autest.

One caveat is that this only works in OpenSSL 1.1.1 or better.  We need a
very early callback to alter how the SSL structure is interpreted.  OpenSSL
1.1.1 adds a client_hello callback which does the trick.

https://github.com/apache/trafficserver/pull/4815

Comments on the PR appreciated.
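
As an added example, not taken from the PR or from ATS: a client_hello callback gets the raw server_name extension from SSL_client_hello_get0_ext(), so it has to parse the SNI itself before it can choose protocol limits. The C below does that parse and lookup; the policy table, hostnames, sample bytes and function names are assumptions made for illustration.

```c
#include <string.h>
#include <strings.h>
/* TLS wire versions (same numeric values as OpenSSL's TLS1_x_VERSION). */
enum { V_TLS1_0 = 0x0301, V_TLS1_2 = 0x0303, V_TLS1_3 = 0x0304 };
struct sni_policy { const char *host; int min_ver, max_ver; };

/* Hypothetical per-domain policy; hostnames are constructed. */
static const struct sni_policy POLICIES[] = {
    { "legacy.example.com", V_TLS1_0, V_TLS1_2 },
    { "strict.example.com", V_TLS1_3, V_TLS1_3 },
};
static const struct sni_policy DEFAULT_POLICY = { "", V_TLS1_2, V_TLS1_3 };
/* Constructed server_name extension body carrying "strict.example.com". */
static const unsigned char SAMPLE_EXT[] = "\x00\x15\x00\x00\x12strict.example.com";
#define SAMPLE_EXT_LEN (sizeof SAMPLE_EXT - 1)

/* Parse a server_name extension body (RFC 6066) as the callback receives it.
 * Copies the first host_name into out; returns 0, or -1 if malformed. */
int parse_sni(const unsigned char *ext, size_t len, char *out, size_t outsz)
{
    if (len < 2 || ((((size_t)ext[0] << 8) | ext[1]) != len - 2))
        return -1;                       /* list length must match the body */
    const unsigned char *p = ext + 2, *end = ext + len;
    while (end - p >= 3) {
        size_t nlen = ((size_t)p[1] << 8) | p[2];
        if (nlen > (size_t)(end - p) - 3)
            return -1;                   /* entry runs past the extension */
        if (p[0] == 0) {                 /* name_type 0 = host_name */
            if (nlen == 0 || nlen >= outsz || memchr(p + 3, 0, nlen))
                return -1;               /* empty, oversized or embedded NUL */
            memcpy(out, p + 3, nlen);
            out[nlen] = '\0';
            return 0;
        }
        p += 3 + nlen;
    }
    return -1;
}

/* Missing or malformed SNI gets the default policy. A callback could apply
 * the result with SSL_set_min_proto_version()/SSL_set_max_proto_version(). */
const struct sni_policy *policy_for_hello(const unsigned char *ext, size_t len)
{
    char host[256];
    if (parse_sni(ext, len, host, sizeof host) == 0)
        for (size_t i = 0; i < sizeof POLICIES / sizeof POLICIES[0]; i++)
            if (strcasecmp(host, POLICIES[i].host) == 0)
                return &POLICIES[i];
    return &DEFAULT_POLICY;
}
```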
