ssl_server_name.yaml

Description

This file is used to configure aspects of TLS connection handling for both inbound and outbound connections. The configuration is driven by the SNI value provided by the inbound connection. The file consists of a set of configuration items, each identified by an SNI value (fqdn).

When an inbound TLS connection is made, the SNI value from the TLS negotiation is matched against the items specified in this file and, if there is a match, the values specified in that item override the defaults. This is done during inbound connection processing, and some outbound properties can be overridden again later, such as via remap.config or plugins.

By default this file is named ssl_server_name.yaml. The name can be changed by setting proxy.config.ssl.servername.filename. The file is loaded on start up and by traffic_ctl config reload if it has been modified since process start.

The configuration file is YAML-based. After parsing, the result is a list of tables. Each table is a set of key / value pairs that make up one configuration item. Wildcard entries are accepted: to apply an SNI-based setting to all server names under a common parent domain, enter the fqdn as *. followed by the common domain name (for example *.yahoo.com).
Key | Meaning
---|---
fqdn | Fully Qualified Domain Name. This item is used if the SNI value matches this.
verify_origin_server | One of the values NONE, MODERATE or STRICT, described below. By default this is
verify_client | One of the values NONE, MODERATE or STRICT, described below. By default this is
client_cert | The client certificate to use for the outbound connection. If this is relative it is relative to the path in
disable_h2 | If true, HTTP/2 is disabled for this server name.
tunnel_route | Destination as an FQDN and port, separated by a colon.
valid_tls_versions_in | This specifies the list of TLS protocols that will be offered to user agents during the TLS negotiation. This replaces the global settings in
Client verification, via verify_client, corresponds to setting proxy.config.ssl.client.certification_level for this connection as noted below.

NONE - 0
    Do not request a client certificate; ignore it if one is provided.
MODERATE - 1
    Request a client certificate and verify it if one is provided. The connection is denied if verification of the client-provided certificate fails.
STRICT - 2
    Request a client certificate and require one to be provided and verified. If verification fails, the failure is logged to diags.log and the connection is denied.

Upstream (server) verification, via verify_origin_server, is similar to client verification except there is always an upstream certificate. This is equivalent to setting proxy.config.ssl.client.verify.server for this connection.

NONE - 0
    Do not verify the upstream server certificate.
MODERATE - 2
    Verify the upstream certificate but do not enforce the result. If verification fails, the failure is logged in diags.log but the connection is allowed.
STRICT - 1
    Verify the upstream certificate. If verification fails, the failure is logged in diags.log and the connection is denied.

If tunnel_route is specified, none of the certificate verification is done, because the TLS negotiation is tunneled to the upstream target, making those values irrelevant for that configuration item. This option is explained in more detail in SNI Routing.
Examples

Disable HTTP/2 for no-http2.example.com.

- fqdn: no-http2.example.com
  disable_h2: true

Require client certificate verification for example.com and any server name ending with .yahoo.com. A client request for a server name ending with yahoo.com (for example def.yahoo.com or abc.yahoo.com) will cause Traffic Server to require and verify the client certificate. By contrast, Traffic Server will allow a client certificate to be provided for example.com and, if one is, will require the certificate to be valid.

- fqdn: example.com
  verify_client: MODERATE
- fqdn: '*.yahoo.com'
  verify_client: STRICT

Disable outbound server certificate verification for trusted.example.com and require a valid client certificate.

- fqdn: trusted.example.com
  verify_origin_server: NONE
  verify_client: STRICT
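As an added example (not Traffic Server code), the following Python resolves which item of this file applies to a given inbound SNI and reports whether the tunnel_route rule above switches certificate verification off. The precedence rule (exact fqdn before a *. wildcard, wildcard needing at least one label in front of the suffix) and the sample entries tunnel.example.com and origin.internal:443 are assumptions made for the illustration.

```python
# Added example (not Traffic Server code): find which ssl_server_name.yaml item
# applies to an inbound SNI, using only the flat "- key: value" subset shown above.
from typing import Dict, List, Optional

# Constructed sample; tunnel.example.com and origin.internal:443 are made-up names.
SAMPLE_CONFIG = """\
- fqdn: example.com
  verify_client: MODERATE
- fqdn: '*.yahoo.com'
  verify_client: STRICT
- fqdn: tunnel.example.com
  tunnel_route: origin.internal:443
  verify_origin_server: STRICT
"""

def parse_sni_config(text: str) -> List[Dict[str, str]]:
    """'- key: value' starts an item; indented 'key: value' lines extend it."""
    items: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- "):
            items.append({})
            line = line[2:]
        key, _, value = line.partition(":")  # split on the first colon only (host:port values)
        items[-1][key.strip()] = value.strip().strip("'\"")
    return items

def lookup(items: List[Dict[str, str]], sni: str) -> Optional[Dict[str, str]]:
    """Assumption: an exact fqdn wins over a '*.suffix' entry, and a wildcard
    matches only names with at least one label in front of the suffix."""
    sni = sni.lower()
    for item in items:
        if item.get("fqdn", "").lower() == sni:
            return item
    for item in items:
        fqdn = item.get("fqdn", "").lower()
        if fqdn.startswith("*.") and sni.endswith(fqdn[1:]) and len(sni) > len(fqdn) - 1:
            return item
    return None

def effective_verification(item: Optional[Dict[str, str]]) -> Dict[str, str]:
    """tunnel_route passes the handshake through, so neither check runs; 'default' means the global setting applies."""
    keys = ("verify_client", "verify_origin_server")
    if item is None:
        return {k: "default" for k in keys}
    if "tunnel_route" in item:
        return {k: "skipped" for k in keys}
    return {k: item.get(k, "default") for k in keys}
```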