shinrich opened a new pull request #6690: URL: https://github.com/apache/trafficserver/pull/6690
The current logic will apply the host name and SNI name match check if the host name would have triggered an SNI policy for verify_client or tls_versions. After working with this in production @djcarlin ran into issues with the tls_versions. If the original connection negotiated TLS v1.3 but the SNI policy corresponding to the current host name would have only offered TLS 1.2, should we deny it? Or only deny if the version was lower than the specified policy? Ultimately we probably need a properties control here too.

In the short term, I suggest leaving the enforcement only for the client certificate policies. As we gain experience, we can augment this configuration control or maybe go to something completely different.

----------------------------------------------------------------
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
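The three candidate semantics raised in the PR description (enforce tls_versions strictly, enforce only a minimum version, or enforce client-certificate policy alone) can be compared side by side in a small model. The following is an added illustration written for this page, not Apache Traffic Server code: the policy fields, the `TLS_RANK` ordering, the sample policies and the `check_host_against_sni` function are all assumptions chosen to show how the host-name versus SNI mismatch check behaves under each option.

```python
"""Toy model of the host-name vs SNI policy mismatch check.

Constructed illustration only; it is not Traffic Server code. Policy
fields, helper names and the sample policies below are assumptions.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Ordering used to compare negotiated protocol versions (assumed names).
TLS_RANK = {"TLSv1": 1, "TLSv1_1": 2, "TLSv1_2": 3, "TLSv1_3": 4}


@dataclass(frozen=True)
class SniPolicy:
    fqdn: str
    verify_client: Optional[str] = None       # e.g. "STRICT" = cert required
    tls_versions: Optional[Tuple[str, ...]] = None  # versions this policy offers


@dataclass(frozen=True)
class TlsConnection:
    sni: str                   # name the client actually sent in ClientHello
    negotiated: str            # protocol version the handshake settled on
    client_cert_verified: bool # whether a client cert was presented and verified


def lookup(policies, name):
    """Exact-match policy lookup (real deployments also match wildcards)."""
    for policy in policies:
        if policy.fqdn == name:
            return policy
    return None


def check_host_against_sni(policies, conn, host, tls_mode="off"):
    """Decide whether a request for `host` may ride on connection `conn`.

    Returns (allowed, reason). tls_mode selects how tls_versions is treated:
      "off"     - ignore tls_versions entirely (the short-term proposal)
      "minimum" - deny only if the negotiated version is below the lowest
                  version the host's policy would have offered
      "strict"  - deny unless the negotiated version is one the host's
                  policy would have offered
    """
    if host == conn.sni:
        return True, "host matches SNI"
    host_policy = lookup(policies, host)
    if host_policy is None:
        return True, "no policy for host"

    # Client-certificate policy is enforced in every mode: if the host's
    # policy demands a verified client cert but the handshake (driven by the
    # SNI policy) never checked one, the client sidestepped the requirement
    # simply by sending a different SNI.
    if host_policy.verify_client == "STRICT" and not conn.client_cert_verified:
        return False, "host policy requires a verified client certificate"

    if tls_mode != "off" and host_policy.tls_versions:
        ranks = [TLS_RANK[v] for v in host_policy.tls_versions]
        negotiated = TLS_RANK[conn.negotiated]
        if tls_mode == "minimum" and negotiated < min(ranks):
            return False, f"{conn.negotiated} is below the host policy minimum"
        if tls_mode == "strict" and negotiated not in ranks:
            return False, f"{conn.negotiated} is not offered by the host policy"
    return True, "ok"


# Constructed sample policies: a.example is pinned to TLS 1.2 only,
# b.example offers 1.2 and 1.3, secure.example requires a client cert.
SAMPLE_POLICIES = (
    SniPolicy("a.example", tls_versions=("TLSv1_2",)),
    SniPolicy("b.example", tls_versions=("TLSv1_2", "TLSv1_3")),
    SniPolicy("secure.example", verify_client="STRICT"),
)

# The scenario from the PR text: SNI b.example negotiated TLS 1.3, then a
# request arrives for a.example, whose policy would only have offered 1.2.
SCENARIO = TlsConnection(sni="b.example", negotiated="TLSv1_3",
                         client_cert_verified=False)


if __name__ == "__main__":
    for mode in ("off", "minimum", "strict"):
        print(mode, check_host_against_sni(SAMPLE_POLICIES, SCENARIO,
                                           "a.example", mode))
    print("cert", check_host_against_sni(SAMPLE_POLICIES, SCENARIO,
                                         "secure.example"))
```

Running it shows the tension the PR describes: the same TLS 1.3 connection is accepted for a.example under "off" and "minimum" but rejected under "strict", while a request for secure.example is rejected in every mode because the certificate check does not depend on `tls_mode`.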