> On Jan 16, 2019, at 4:33 PM, Susan Hinrichs <shinr...@apache.org> wrote:
>
> I know that I had a discussion on this with Miles and Alan, but I can find
> no written record. The desire is, on a per-domain (SNI) basis, to alter the set
> of TLS protocols that ATS is willing to accept.
>
> I put up a PR with an addition to ssl_server_name.yaml to do this. There
> is documentation in the PR and an example in the autest.
>
> One caveat is this only works in openssl 1.1.1 or better. We need a very
> early callback to alter how the SSL structure is interpreted. openssl
> 1.1.1 adds a client_hello callback which does the trick.
>
> https://github.com/apache/trafficserver/pull/4815
>
> Comments on the PR appreciated.
Cool!
Can this (later) be generalized to also allow ALPN negotiations to dictate
protocol features? For example, HTTP/2 dictates that only TLS v1.2 or later is
to be used, something that we (ATS) do not enforce at this point? At least I
don’t think we do? There’s also a long blacklist of cipher suites for HTTP/2.
Cheers,
— Leif
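The reason the quoted message needs OpenSSL 1.1.1's client_hello callback is that the callback runs before OpenSSL has processed the ClientHello extensions, so the SNI has to be read out of the raw server_name extension (as returned by SSL_client_hello_get0_ext()) and the protocol floor applied with SSL_set_min_proto_version() before version negotiation. The following is an added example in plain C, not code from the PR or from ATS, of the decision logic such a callback would run; the policy table, hostnames and sample bytes are constructed for illustration, and the version constants are defined locally so it builds without OpenSSL headers.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* TLS version codes (same values as OpenSSL's TLS1_*_VERSION; defined locally). */
#define TLS1_VERSION   0x0301
#define TLS1_2_VERSION 0x0303
#define TLS1_3_VERSION 0x0304

/* Copy the host_name out of a raw server_name extension payload (RFC 6066:
 * u16 list length, then entries of u8 type, u16 length, name). 0 if malformed. */
static size_t parse_sni(const uint8_t *ext, size_t len, char *out, size_t outsz)
{
    if (len < 2) return 0;
    size_t list_len = ((size_t)ext[0] << 8) | ext[1], pos = 2, end = 2 + list_len;
    if (end > len) return 0;                  /* list overruns the extension */
    while (pos + 3 <= end) {
        uint8_t type = ext[pos];
        size_t n = ((size_t)ext[pos + 1] << 8) | ext[pos + 2];
        pos += 3;
        if (pos + n > end) return 0;          /* entry overruns the list */
        if (type == 0 && n > 0 && n < outsz) { memcpy(out, ext + pos, n); out[n] = '\0'; return n; }
        pos += n;                             /* skip non-host_name entries */
    }
    return 0;
}

/* Hypothetical per-SNI table standing in for the ssl_server_name.yaml entries. */
static const struct { const char *fqdn; int min_version; } policies[] = {
    { "secure.example.com", TLS1_2_VERSION },
    { "modern.example.com", TLS1_3_VERSION },
};

/* Floor to hand to SSL_set_min_proto_version(); unknown/missing SNI keeps the default. */
int min_version_for_client_hello(const uint8_t *ext, size_t len)
{
    char host[256];
    if (parse_sni(ext, len, host, sizeof host) == 0) return TLS1_VERSION;
    for (size_t i = 0; i < sizeof policies / sizeof policies[0]; i++)
        if (strcmp(policies[i].fqdn, host) == 0) return policies[i].min_version;
    return TLS1_VERSION;
}

/* Constructed sample payloads (not captured traffic). */
const uint8_t SNI_SECURE[] = { 0x00,0x15, 0x00, 0x00,0x12, 's','e','c','u','r','e','.',
                               'e','x','a','m','p','l','e','.','c','o','m' };
const uint8_t SNI_TRUNCATED[] = { 0x00,0x15, 0x00, 0x00,0x12, 's','e','c' };
```

Inside a real SSL_CTX_set_client_hello_cb() callback the payload comes from SSL_client_hello_get0_ext(ssl, TLSEXT_TYPE_server_name, &ext, &len); a malformed extension deliberately falls back to the global floor rather than to the most permissive one.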