Allow origins to do TLS renegotiation #10385
Merged
bryancall merged 4 commits into apache:master, Sep 13, 2023
Conversation
Author (Contributor):
This commit has the logic change: ede1f34; the rest of the PR is just cleanup.
Member:
Logic seems reasonable. Do we want to make this configurable? I dimly recall that renegotiation is frowned upon these days. If it is configurable, I assume that is something we can set during the TLS negotiation to indicate whether the client will handle renegotiations. Oh, I see the 10-year-old article you reference does discuss some of the renegotiation concerns.
shinrich (Member) approved these changes, Sep 11, 2023, with the comment:
Server-initiated renegotiation is less concerning.
cmcfarlen pushed two commits to cmcfarlen/trafficserver that referenced this pull request, Jun 3, 2024. Commit message:
* commit '236b749b2b3cc746829ad534a7034ab7799d1b71':
  Allow origins to do TLS renegotiation (apache#10385)
  Remove deprecated debug output functions from 21 source files. (apache#9683)
  Fixes some make test build problems (apache#10402)
  Removes unused Errata functions from WCCP (apache#10380)
  Move InkAPI.cc into src/api (apache#10315)
  cmake: Generate files in rc, install the trafficserver script (apache#10367)
  Add support for OCSP requests by GET method (apache#10306)
  Preserve unmapped url regardless of need for remapping (apache#10304)
  Add TSVConnFdGet api (apache#10324)
  include/ts: comma on all last enum elements (apache#10400)
  cmake: Add remaining plugins without external deps (apache#10395)
  CID-1508974 (apache#10397)
  CID-1508987 (apache#10398)
  Coverity 1518564: fix off by one (apache#10401)
Ran into an issue where IIS will do a TLS renegotiation after the first request is made. Since the handshake has already been completed, it is failing this check.
CI has a test for TS_SSL_VERIFY_SERVER_HOOK and I will see if this change breaks that functionality.
Discussion about IIS: https://security.stackexchange.com/questions/24554/should-i-use-ssl-tls-renegotiation