Skip to content

Explain ATS's default SSL cert selection criteria #121

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
jacksontj wants to merge 1 commit into from
Closed

Explain ATS's default SSL cert selection criteria #121

jacksontj wants to merge 1 commit into from

Conversation

@jacksontj
Copy link
Contributor

@jacksontj jacksontj commented Sep 25, 2014

No description provided.

@jpeach
Copy link
Contributor

jpeach commented Sep 25, 2014

That's not how it works. In all cases, we should be taking the longest match. If multiple certificates have the same matching specifier we should be issuing a warning and not loading the certificate.

@jacksontj
Copy link
Contributor Author

jacksontj commented Sep 25, 2014

Well, this is how it works regardless of how it should work...

But you should be able to specify multiple certs for a given IP (for
example) so sni clients can get the correct cert. It also makes sense to
have a fallback cert for clients that connect to such an IP and don't
support sni
On Sep 24, 2014 8:13 PM, "James Peach" notifications@github.com wrote:

That's not how it works. In all cases, we should be taking the longest
match. If multiple certificates have the same matching specifier we should
be issuing a warning and not loading the certificate.


Reply to this email directly or view it on GitHub
#121 (comment).

@jpeach
Copy link
Contributor

jpeach commented Sep 25, 2014

Each certificate is indexed by the subject CN, all the alternate names and the IP address given in ssl_multicert. When we try to match the client connection, we match the SNI name first, then fall back to the IP address.

@jacksontj
Copy link
Contributor Author

jacksontj commented Sep 25, 2014

But what happens if there are 2 found for the same IP address? Which one is
the fallback? That's all I'm trying to document is that there is an order
in which one is the fallback.
On Sep 24, 2014 8:55 PM, "James Peach" notifications@github.com wrote:

Each certificate is indexed by the subject CN, all the alternate names and
the IP address given in ssl_multicert. When we try to match the client
connection, we match the SNI name first, then fall back to the IP address.


Reply to this email directly or view it on GitHub
#121 (comment).

@jpeach
Copy link
Contributor

jpeach commented Sep 25, 2014

There's no such thing as a fallback; it's probably confusing to think of it in those terms. We index the certificate in order. In the case of name or address collisions, first certificate into the index is the winner. At lookup time, we search by SNI name, then by address. We always take the longs match, so an explicit name mapping beats a wildcard, and an address:port mapping beats an address mapping.

https://trafficserver.readthedocs.org/en/latest/reference/configuration/ssl_multicert.config.en.html#certificate-selection

@jacksontj
Copy link
Contributor Author

jacksontj commented Sep 25, 2014

Correct, and I'm just trying to say that if you have non sni clients its
first match wins (which it says). The second part is that the same
functionality is in reverse for * scopes (last match wins) for non sni
clients
On Sep 25, 2014 10:03 AM, "James Peach" notifications@github.com wrote:

There's no such thing as a fallback; it's probably confusing to think of
it in those terms. We index the certificate in order. In the case of name
or address collisions, first certificate into the index is the winner. At
lookup time, we search by SNI name, then by address. We always take the
longs match, so an explicit name mapping beats a wildcard, and an
address:port mapping beats an address mapping.

https://trafficserver.readthedocs.org/en/latest/reference/configuration/ssl_multicert.config.en.html#certificate-selection


Reply to this email directly or view it on GitHub
#121 (comment).

@jacksontj jacksontj force-pushed the master branch 2 times, most recently from 66c515a to 83c2a78 Compare December 16, 2014 02:02
@jacksontj jacksontj force-pushed the master branch 5 times, most recently from 00d624a to ac446ce Compare January 28, 2015 00:43
@jacksontj
Copy link
Contributor Author

jacksontj commented Jan 28, 2015

After talking with @jpeach it sounds like this isn't the case anymore. I'll verify what it does on master then update this PR. @jpeach has a patch which should fix this: http://fpaste.org/176424/22406097/

jacksontj added a commit to jacksontj/trafficserver that referenced this pull request Jan 28, 2015
@jacksontj
Add initial https tests
797c9d2 
Primarily around certificate loading since there were some questions brought up in apache#121
@jacksontj jacksontj mentioned this pull request Jan 28, 2015
Closed
jacksontj added a commit to jacksontj/trafficserver that referenced this pull request Jan 28, 2015
@jacksontj
Add initial https tests
21af908 
Primarily around certificate loading since there were some questions brought up in apache#121
asfgit pushed a commit that referenced this pull request Jan 28, 2015
@jacksontj @jpeach
Add initial https tests
a0a40c3 
Primarily around certificate loading since there were some questions brought up in #121
@jacksontj jacksontj closed this Jan 29, 2015
@jacksontj jacksontj reopened this Jan 29, 2015
@jacksontj jacksontj changed the title Explain ATS's interesting default SSL cert selection criteria Explain ATS's default SSL cert selection criteria Jan 29, 2015
@jacksontj
Copy link
Contributor Author

jacksontj commented Jan 29, 2015

@jpeach Now that it's been fixed upstream, this covers what I was going for

@asfgit asfgit closed this in f0db0a2 Jan 29, 2015
hnakamur pushed a commit to hnakamur/trafficserver that referenced this pull request Jan 4, 2016
@masaori335
Merge pull request apache#121 from hnakamur/update_doc_ja_with_master
bd201c6 
Update doc-ja branch with upstream/master
SolidWallOfCode pushed a commit to SolidWallOfCode/trafficserver that referenced this pull request May 7, 2016
Merge pull request apache#121 from Edge/buffer_overflow
69260a9 
Buffer overflow with the incoming port in the host header
SolidWallOfCode pushed a commit to SolidWallOfCode/trafficserver that referenced this pull request Mar 25, 2020
@shinrich
Merge pull request apache#121 from feid/7.1.x-thread_init
a436037 
Thread ready check
masaori335 added a commit to masaori335/trafficserver that referenced this pull request Sep 24, 2021
@masaori335
[PreWarming] Fix stats bugs (apache#121)
0a11a53 
* [PreWarming] Check config strictly if tunnel_prewarm is UNSET

* [PreWarming] Fix crash of exceeding proxy.config.tunnel.prewarm.max_stats_size

Co-authored-by: Masaori Koshiba <masaori@apache.org>
shinrich added a commit that referenced this pull request Jul 9, 2024
@shinrich
AVX-43612: Preserve CAP_NET_RAW on startup (#121)
39860c2
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jacksontj @jpeach