Our current cp nodes are using nginx for TLS termination. Over time several patches have been added to our custom packaging of nginx regarding TLS:
- 0100-dynamic-tls-records.patch: https://docs.trafficserver.apache.org/en/8.0.x/admin-guide/files/records.config.en.html#proxy-config-ssl-max-record-size --> allow proxy.config.ssl.max_record_size to be configured as part of the inbound TLS puppetization
- 0500-ssl-curve.patch: https://github.com/apache/trafficserver/pull/5197
- 0600-stapling-multi-file.patch: https://github.com/apache/trafficserver/pull/5228
- 0660-version-too-low.patch: not needed, as mentioned by @BBlack in the comments
We need to check the current status of ATS regarding these matters and whether it can be brought up to speed so we can use it as our TLS terminator.