Yes, we need to map out hook points for the client hello. What do you mean by "will a hook play nice with the defined actions"?
The vconn_start and vconn_close hooks have landed. We've backported them to our branch and are using vconn_close in one of our plugins (which is in a PR back to open source: https://github.com/apache/trafficserver/pull/4805).

On Thu, Jan 17, 2019 at 11:42 AM Kees Spoelstra <kspoels...@we-amp.com> wrote:

> Great...
>
> This is exactly the location to do all the nasty stuff; this callback happens before all the other callbacks and you should be able to set up some stuff for the following callbacks.
>
> @Susan: are there plans to make the client hello callback an async hook for plugins? We were planning to do this when OpenSSL 1.1.1 was common, as it solves a lot of cases where you want to limit protocols and ALPN negotiations....
> And will a hook play nice with the defined actions?
>
> I haven't kept an eye on the connection level data and lifecycle hooks for plugins, as you would need this in a plugin to maybe propagate some context; has this been merged?
>
> On Thu, 17 Jan 2019 at 18:03, Susan Hinrichs <shinr...@oath.com.invalid> wrote:
>
> > Possibly. I would need to look at when the ALPN negotiation happens. However, the protocol options on the SSL object seem to get sticky really fast, so I wouldn't hold my breath.
> >
> > On Wed, Jan 16, 2019 at 7:56 PM Leif Hedstrom <zw...@apache.org> wrote:
> >
> > > > On Jan 16, 2019, at 4:33 PM, Susan Hinrichs <shinr...@apache.org> wrote:
> > > >
> > > > I know that I had a discussion on this with Miles and Alan, but I can find no written record. The desire is, on a per-domain (SNI) basis, to alter the set of TLS protocols that ATS is willing to accept.
> > > >
> > > > I put up a PR with an addition to ssl_server_name.yaml to do this. There is documentation in the PR and an example in the autest.
> > > >
> > > > One caveat is this only works in openssl 1.1.1 or better. We need a very early callback to alter how the SSL structure is interpreted. openssl 1.1.1 adds a client_hello callback which does the trick.
> > > >
> > > > https://github.com/apache/trafficserver/pull/4815
> > > >
> > > > Comments on the PR appreciated.
> > >
> > > Cool!
> > >
> > > Can this (later) be generalized to also allow ALPN negotiations to dictate protocol features? For example, HTTP/2 dictates that only TLS v1.2 or later is to be used, something that we (ATS) do not enforce at this point? At least I don't think we do? There's also a long blacklist of cipher suites for HTTP/2.
> > >
> > > Cheers,
> > >
> > > — Leif
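The per-SNI protocol restriction discussed above, as an added example that is not code from ATS or from PR #4815: it parses the server_name extension body that an OpenSSL 1.1.1 client_hello callback can obtain from SSL_client_hello_get0_ext() and resolves the minimum TLS version it would then apply with SSL_set_min_proto_version(). The policy table, hostnames and DEFAULT_MIN_VERSION fallback are constructed stand-ins; the real ssl_server_name.yaml keys live in the PR and are not reproduced here.

```c
/* Added example, not ATS or PR #4815 code: from the server_name extension
 * body that SSL_client_hello_get0_ext(ssl, TLSEXT_TYPE_server_name, &ext,
 * &len) returns inside an OpenSSL 1.1.1 client_hello callback, choose the
 * minimum TLS version to hand to SSL_set_min_proto_version(). */
#include <stddef.h>
#include <string.h>
#define TLS1_VERSION   0x0301   /* same numeric values as OpenSSL's macros */
#define TLS1_2_VERSION 0x0303
#define TLS1_3_VERSION 0x0304
#define DEFAULT_MIN_VERSION TLS1_VERSION   /* global floor when SNI is unknown */
/* Constructed stand-in for per-domain entries in ssl_server_name.yaml. */
static const struct { const char *fqdn; int min_version; } POLICY[] = {
    { "secure.example.com", TLS1_3_VERSION },
    { "api.example.com",    TLS1_2_VERSION },
};

/* First host_name (type 0) from the extension body: u16 list_len, then
 * entries of u8 type, u16 len, bytes (RFC 6066 s.3). Every length is
 * bounds-checked, so a truncated or malformed extension returns 0. */
int parse_sni_host(const unsigned char *ext, size_t len, char *out, size_t outsz)
{
    if (len < 2) return 0;
    size_t list_len = ((size_t)ext[0] << 8) | ext[1];
    if (list_len + 2 > len) return 0;
    size_t pos = 2, end = 2 + list_len;
    while (pos + 3 <= end) {
        unsigned type = ext[pos];
        size_t nlen = ((size_t)ext[pos + 1] << 8) | ext[pos + 2];
        pos += 3;
        if (pos + nlen > end) return 0;
        if (type == 0) {
            if (nlen == 0 || nlen >= outsz) return 0;
            memcpy(out, ext + pos, nlen);
            out[nlen] = '\0';
            return 1;
        }
        pos += nlen;
    }
    return 0;
}

/* Minimum version for this ClientHello; unknown or absent SNI keeps the default. */
int min_version_for_client_hello(const unsigned char *ext, size_t len)
{
    char host[256];
    if (!parse_sni_host(ext, len, host, sizeof host)) return DEFAULT_MIN_VERSION;
    for (size_t i = 0; i < sizeof POLICY / sizeof POLICY[0]; i++)
        if (strcmp(POLICY[i].fqdn, host) == 0) return POLICY[i].min_version;
    return DEFAULT_MIN_VERSION;
}
```

Because the decision is made from the raw ClientHello before OpenSSL has committed to a version, it avoids the "sticky" SSL object state mentioned in the thread; a missing or unknown SNI deliberately falls back to the global floor instead of aborting the handshake.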