Possibly. I would need to look at when the ALPN negotiation happens. However, the protocol options on the SSL object seem to get sticky really fast, so I wouldn't hold my breath.
On Wed, Jan 16, 2019 at 7:56 PM Leif Hedstrom <zw...@apache.org> wrote:

>
> > On Jan 16, 2019, at 4:33 PM, Susan Hinrichs <shinr...@apache.org> wrote:
> >
> > I know that I had a discussion on this with Miles and Alan, but I can find
> > no written record. The desire is on a per domain (SNI) basis alter the set
> > of TLS protocols that ATS is willing to accept.
> >
> > I put up a PR with an addition to ssl_server_name.yaml to do this. There
> > is documentation in the PR and an example in the autest.
> >
> > One caveat is this only works in openssl 1.1.1 or better. We need very
> > early callback to alter how the SSL structure is interpreted. openssl
> > 1.1.1 adds a client_hello callback which does the trick.
> >
> > https://github.com/apache/trafficserver/pull/4815
> >
> > Comments on the PR appreciated.
>
> Cool!
>
> Can this (later) be generalized to also allow ALPN negotiations to dictate
> protocol features? For example, HTTP/2 dictates that only TLS v1.2 or later
> is to be used, something that we (ATS) do not enforce at this point? At
> least I don’t think we do? There’s also a long blacklist of cipher suites
> for HTTP/2.
>
> Cheers,
>
> — Leif
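To make the two stages in this thread concrete, here is an added example (not ATS code and not the PR's implementation) of the decisions involved, written as plain C over the raw extension bodies that OpenSSL 1.1.1's SSL_client_hello_get0_ext() returns, so it compiles without OpenSSL. Stage 1 is the per-SNI TLS version range applied from the client_hello callback (where SSL_set_min_proto_version()/SSL_set_max_proto_version() still take effect); stage 2 is the ALPN selection callback, which OpenSSL runs after the version is already fixed, so it can read the negotiated version and refuse h2 below TLS 1.2 rather than trying to change the version at that point. The policy table, hostnames and sample extension bytes are constructed for the example; the yaml file itself is only referenced, not parsed.

```c
/* Added example, not Apache Traffic Server code. Pure functions over the
 * extension bodies that SSL_client_hello_get0_ext() hands back. The policy
 * table, hostnames and sample ClientHello bytes below are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same values as OpenSSL's TLS1_*_VERSION macros */
#define TLS1_VERSION   0x0301
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303
#define TLS1_3_VERSION 0x0304

struct version_range { int min_ver; int max_ver; };

/* Stage 1 helper: parse the server_name extension body (RFC 6066 s.3):
 * u16 list length, then { u8 name_type, u16 len, name[] } entries.
 * Copies the first host_name (type 0) into out and returns its length;
 * returns 0 when the body is truncated, malformed or has no host_name. */
size_t sni_parse_hostname(const unsigned char *ext, size_t ext_len,
                          char *out, size_t out_cap)
{
    if (ext == NULL || ext_len < 2) return 0;
    size_t list_len = ((size_t)ext[0] << 8) | ext[1];
    if (list_len + 2 > ext_len) return 0;      /* list longer than body */
    size_t pos = 2, end = 2 + list_len;
    while (pos + 3 <= end) {
        unsigned char name_type = ext[pos];
        size_t name_len = ((size_t)ext[pos + 1] << 8) | ext[pos + 2];
        pos += 3;
        if (name_len > end - pos) return 0;    /* entry overruns the list */
        if (name_type == 0) {
            if (name_len == 0 || name_len >= out_cap) return 0;
            memcpy(out, ext + pos, name_len);
            out[name_len] = '\0';
            return name_len;
        }
        pos += name_len;                       /* skip other name types */
    }
    return 0;
}

/* Constructed policy table standing in for ssl_server_name.yaml entries */
struct sni_policy { const char *fqdn; struct version_range range; };
static const struct sni_policy policies[] = {
    { "legacy.example.com", { TLS1_VERSION,   TLS1_2_VERSION } },
    { "api.example.com",    { TLS1_2_VERSION, TLS1_3_VERSION } },
};
static const struct version_range default_range = { TLS1_2_VERSION, TLS1_3_VERSION };

/* Stage 1: pick the version range for this ClientHello. Missing, unknown or
 * unparsable SNI gets the default (strictest) range. In the real callback
 * the result goes to SSL_set_min_proto_version()/SSL_set_max_proto_version()
 * before returning SSL_CLIENT_HELLO_SUCCESS. */
struct version_range decide_versions(const unsigned char *sni, size_t sni_len)
{
    char host[256];
    if (sni_parse_hostname(sni, sni_len, host, sizeof host) > 0) {
        for (size_t i = 0; i < sizeof policies / sizeof policies[0]; i++)
            if (strcmp(policies[i].fqdn, host) == 0)
                return policies[i].range;
    }
    return default_range;
}

/* Stage 2: ALPN selection with the negotiated version already known
 * (SSL_version() in a real alpn_select callback). Parses the ALPN body
 * (RFC 7301): u16 list length, then { u8 len, name[] } entries. Prefers h2
 * but only at TLS 1.2 or later (RFC 7540 s.9.2); otherwise falls back to
 * http/1.1 if offered. Returns NULL when nothing acceptable was offered. */
const char *alpn_select(const unsigned char *ext, size_t ext_len, int negotiated)
{
    if (ext == NULL || ext_len < 2) return NULL;
    size_t list_len = ((size_t)ext[0] << 8) | ext[1];
    if (list_len + 2 > ext_len) return NULL;
    size_t pos = 2, end = 2 + list_len;
    const char *fallback = NULL;
    while (pos < end) {
        size_t len = ext[pos++];
        if (len == 0 || len > end - pos) return NULL;   /* malformed entry */
        if (len == 2 && memcmp(ext + pos, "h2", 2) == 0 && negotiated >= TLS1_2_VERSION)
            return "h2";
        if (len == 8 && memcmp(ext + pos, "http/1.1", 8) == 0)
            fallback = "http/1.1";
        pos += len;
    }
    return fallback;
}

/* Constructed sample extension bodies; SAMPLE() passes pointer and length */
#define SAMPLE(x) (const unsigned char *)(x), (sizeof (x) - 1)
static const char SNI_LEGACY[]    = "\x00\x15\x00\x00\x12" "legacy.example.com";
static const char SNI_UNKNOWN[]   = "\x00\x14\x00\x00\x11" "other.example.net";
static const char SNI_TRUNCATED[] = "\x00\x40\x00\x00\x12" "legacy.example.com";
static const char ALPN_H2_H11[]   = "\x00\x0c\x02" "h2" "\x08" "http/1.1";
static const char ALPN_H2_ONLY[]  = "\x00\x03\x02" "h2";

int main(void)
{
    struct version_range r = decide_versions(SAMPLE(SNI_LEGACY));
    printf("legacy.example.com: min=%04x max=%04x\n", r.min_ver, r.max_ver);
    r = decide_versions(SAMPLE(SNI_TRUNCATED));
    printf("truncated SNI -> default: min=%04x max=%04x\n", r.min_ver, r.max_ver);
    const char *p = alpn_select(SAMPLE(ALPN_H2_H11), TLS1_VERSION);
    printf("h2,http/1.1 offered over TLS 1.0 -> %s\n", p ? p : "(none)");
    return 0;
}
```

Both parsers treat a length field that overruns the body as a parse failure rather than reading past it, which is the case a client_hello callback has to get right since it sees the raw, unvalidated extension bytes. Failing closed on a bad SNI (default range) and on a bad ALPN list (no protocol selected) keeps a malformed hello from widening what the server accepts.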