Looks reasonable to me. Some configs in sni.yaml already have almost the same behavior, overriding records.config (yaml) from sni.yaml, e.g. verify_server_policy and verify_server_properties.

Do you have any concerns with this approach?

— Masaori

On Wed, May 24, 2023 at 5:14 AM Fei Deng <duke8...@apache.org> wrote:

> Hi All,
>
> It's been requested that the configuration for 0-RTT early data needs to be changeable per SNI. I've been working on this feature, and the following example shows the changes I made. Please share your thoughts on this.
>
> Note:
>
> 1. The old config still exists; it is a general setting for all TLS connections.
> 2. sni.yaml can enable/disable 0-RTT per fqdn; this acts as an override of the general config.
>
> Examples:
>
> 1. proxy.config.ssl.server.max_early_data = 16384
>    - blank sni.yaml -> old behavior, all connections support 0-RTT
>    - sni.yaml specifies server_max_early_data = 0 for example.com -> 0-RTT disabled for example.com, all other connections support 0-RTT
> 2. proxy.config.ssl.server.max_early_data = 0
>    - blank sni.yaml -> old behavior, no connection supports 0-RTT
>    - sni.yaml specifies server_max_early_data = 16384 for example.com -> 0-RTT enabled only for example.com, all other connections don't support 0-RTT
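The override semantics described in the quoted mail, as an added example that is not ATS code and not from either author. It takes the global `proxy.config.ssl.server.max_early_data` value as an integer, reads a constructed sni.yaml fragment with a minimal hand-written reader (to avoid a PyYAML dependency), and resolves the effective max_early_data for a given SNI. Assumptions, labelled in the code: the proposed per-host key is spelled `server_max_early_data` exactly as in the thread; the first matching `fqdn` entry wins, and a matching entry without the key falls back to the global value; a leading `*.` label in `fqdn` matches exactly one host label. The reason a per-host switch matters from a security standpoint is that TLS 1.3 early data is replayable and RFC 8446 leaves anti-replay to the application, so an operator can leave the global value at 0 and enable early data only for hosts whose early requests are known to be idempotent.

```python
"""Resolve the effective TLS 1.3 max_early_data for an SNI.

Added example (not Apache Traffic Server code). Assumptions:
  - the sni.yaml per-host key is `server_max_early_data`, as proposed
    in the thread;
  - sni.yaml is a top-level `sni:` list of mappings with an `fqdn` and
    optional per-host keys; the reader below handles only that flat
    shape and is not a general YAML parser;
  - first matching entry wins; a match without the key uses the global
    value; a leading '*.' label matches exactly one host label.
"""
import re
from typing import Optional

# Constructed sample sni.yaml (not from the page or the project).
SAMPLE_SNI_YAML = """\
sni:
  - fqdn: example.com
    server_max_early_data: 0
  - fqdn: '*.api.example.net'
    server_max_early_data: 16384
  - fqdn: other.example.org
    verify_client: STRICT
"""

_ITEM_RE = re.compile(r"^\s*-\s+fqdn:\s*(.+?)\s*$")
_KEY_RE = re.compile(r"^\s+(\w+):\s*(.+?)\s*$")


def parse_sni_yaml(text: str) -> list[dict]:
    """Read the flat `- fqdn:` / `  key: value` subset into a list of dicts.

    Entries are returned in file order; integer-looking values become ints.
    """
    entries: list[dict] = []
    for line in text.splitlines():
        m = _ITEM_RE.match(line)
        if m:
            entries.append({"fqdn": m.group(1).strip("'\"")})
            continue
        m = _KEY_RE.match(line)
        if m and entries:
            key, value = m.group(1), m.group(2).strip("'\"")
            entries[-1][key] = int(value) if value.isdigit() else value
    return entries


def fqdn_matches(pattern: str, host: str) -> bool:
    """Case-insensitive exact match, or a '*.' pattern matching one label.

    The one-label wildcard rule is an assumption made for this example.
    """
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".api.example.net"
        head = host[: -len(suffix)] if host.endswith(suffix) else ""
        return bool(head) and "." not in head
    return pattern == host


def effective_max_early_data(global_max: int, entries: list[dict],
                             sni: Optional[str]) -> int:
    """Per-SNI override wins when present; otherwise the global setting.

    A ClientHello without SNI can only ever use the global value, which is
    why keeping the global at 0 and enabling per host is the conservative
    deployment.
    """
    if sni:
        for entry in entries:  # first match wins (assumed, as in the header)
            if fqdn_matches(entry["fqdn"], sni):
                return int(entry.get("server_max_early_data", global_max))
    return global_max


if __name__ == "__main__":
    cfg = parse_sni_yaml(SAMPLE_SNI_YAML)
    # Case 2 from the thread: global 0, only the listed host gets early data.
    for host in ("example.com", "v1.api.example.net", "unlisted.test", None):
        print(host, effective_max_early_data(0, cfg, host))
```

Run as a script it prints the case-2 resolution for a few hosts; the functions are also importable so the same resolver can be checked against a real sni.yaml before rollout, or used to assert in CI that no host outside an approved list ends up with a non-zero early-data limit.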