Looking for opinions on additions to ssl_server

Discussion:

Looking for opinions on additions to ssl_server_name.yaml

Susan Hinrichs

2018-11-19 22:10:49 UTC

We currently have the ability to turn off HTTP/2 support on a per domain
basis via the disable_h2 option in ssl_server_name.yaml

https://docs.trafficserver.apache.org/en/latest/admin-guide/files/ssl_server_name.yaml.en.html

Folks have asked for a similar mechanism to not offer TLS protocols (e.g.
1.3) for specific domain names. I can see use cases for adding or removing
from the default in records.config for very new protocols (e.g. the phone
app for a domain doesn't handle TLSv1.3) or very old protocols (e.g. some
critical set top boxes can only use TLSv1.0).

We could have a separate toggle for each protocol. Directly mapping what
is in records.config.

- fqdn: bob.com
enable_tls_v1_3: true/false

Or we could try to have a list entry

-fqdn: bob.com
enable_tls_protocols:
- tls_v1_3
- tls_v1_2
disable_tls_protocols:
-tls_v1.0

Please share your opinions.

Alan Carroll

2018-11-19 22:30:43 UTC

Permalink

I don't like either. I'd prefer "tls-enable: [ 1_0, 1_1, 1_2, 1_3 ]" with
the special case of "tls-enable: all" where if it's not enabled, it's
disabled. Or, if separate flags, "tls_1_3: enable/disable" in which case
the protocol levels are enabled by default.

Post by Susan Hinrichs
We currently have the ability to turn off HTTP/2 support on a per domain
basis via the disable_h2 option in ssl_server_name.yaml
https://docs.trafficserver.apache.org/en/latest/admin-guide/files/ssl_server_name.yaml.en.html
Folks have asked for a similar mechanism to not offer TLS protocols (e.g.
1.3) for specific domain names. I can see use cases for adding or removing
from the default in records.config for very new protocols (e.g. the phone
app for a domain doesn't handle TLSv1.3) or very old protocols (e.g. some
critical set top boxes can only use TLSv1.0).
We could have a separate toggle for each protocol. Directly mapping what
is in records.config.
- fqdn: bob.com
enable_tls_v1_3: true/false
Or we could try to have a list entry
-fqdn: bob.com
- tls_v1_3
- tls_v1_2
-tls_v1.0
Please share your opinions.

--
*Beware the fisherman who's casting out his line in to a dried up riverbed.*
*Oh don't try to tell him 'cause he won't believe. Throw some bread to the
ducks instead.*
*It's easier that way. *- Genesis : Duke : VI 25-28

Susan Hinrichs

2018-11-19 23:43:29 UTC

Permalink

Ok. I didn't know how to do lists in yaml. I think you will still want to
specify and enable list or a disable list depending on the use case. It is
highly unlikely that you will want an "all" option. Many of the old, old
protocols should never be enabled.

Post by Alan Carroll
I don't like either. I'd prefer "tls-enable: [ 1_0, 1_1, 1_2, 1_3 ]" with
the special case of "tls-enable: all" where if it's not enabled, it's
disabled. Or, if separate flags, "tls_1_3: enable/disable" in which case
the protocol levels are enabled by default.

Miles Libbey

2018-11-20 00:18:44 UTC

Permalink

Post by Susan Hinrichs
Ok. I didn't know how to do lists in yaml.

I think both of you are right for the yaml syntax
fruits: [apples, oranges, strawberries]
is equivalent yaml to
fruits:
- apples
- oranges
- strawberries

Post by Susan Hinrichs
I think you will still want to specify and enable list or a disable list depending on the use case. It is highly unlikely that you will want an "all" option. Many of the old, old protocols should never be enabled.

+1. Seems like whenever I've found a whitelist to be useful,
inevitably a blacklist has also become useful. (So, I'm +1 on the
lists)

I'm guessing the whitelist one would turn on that version for this
context regardless of the global; and similarly, if a version is *not*
mentioned in the whitelist, but on globally, it would be off for that
context.

I think I'd follow the records.config names as much as possible --
TLSv1_1 (from "proxy.config.ssl.TLSv1_1").
miles

Post by Susan Hinrichs

I don't like either. I'd prefer "tls-enable: [ 1_0, 1_1, 1_2, 1_3 ]" with the special case of "tls-enable: all" where if it's not enabled, it's disabled. Or, if separate flags, "tls_1_3: enable/disable" in which case the protocol levels are enabled by default.

We currently have the ability to turn off HTTP/2 support on a per domain basis via the disable_h2 option in ssl_server_name.yaml
https://docs.trafficserver.apache.org/en/latest/admin-guide/files/ssl_server_name.yaml.en.html
Folks have asked for a similar mechanism to not offer TLS protocols (e.g. 1.3) for specific domain names. I can see use cases for adding or removing from the default in records.config for very new protocols (e.g. the phone app for a domain doesn't handle TLSv1.3) or very old protocols (e.g. some critical set top boxes can only use TLSv1.0).
We could have a separate toggle for each protocol. Directly mapping what is in records.config.
- fqdn: bob.com
enable_tls_v1_3: true/false
Or we could try to have a list entry
-fqdn: bob.com
- tls_v1_3
- tls_v1_2
-tls_v1.0
Please share your opinions.

--
Beware the fisherman who's casting out his line in to a dried up riverbed.
Oh don't try to tell him 'cause he won't believe. Throw some bread to the ducks instead.
It's easier that way. - Genesis : Duke : VI 25-28