httpd-dev mailing list archives

From Yann Ylavic <ylavic....@gmail.com>
Subject RFC 7540 (HTTP/2) wrt reusable connections and SNI
Date Mon, 08 Jun 2015 13:43:25 GMT
It was raised by Stefan Eissing in [1] that HTTP/2 (not surprisingly)
encourages UA/clients to reuse established connections even for
different hostnames, provided they "resolve to the same IP address
and wildcard certs or matching alternate names in the certificate to
match".

This obviously is not compatible with our strict checking of the SNI
against the Host header...

And I also fail to see how this will help servers with different
(configured) SSL parameters (like SSLProtocol,
SSLVerify{Client,Depth}, SSLCA*, ...), some of which cannot be
renegotiated "due to current limitations in OpenSSL" according to the
comment in the corresponding mod_ssl code.

What's the point of SNI if it can be used to select the correct vhost
before the handshake (modulo the port...), but TLS must possibly be
renegotiated later for subsequent requests??

Thoughts?

[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=58007#c9
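The situation described in the message, modelled as an added example (this is not code from httpd or mod_ssl, and the vhosts, certificate, addresses and DNS answers are constructed for it): the client-side reuse rule of RFC 7540 section 9.1.1 decides purely on IP address plus certificate validity, so a wildcard cert lets a client send Host: b.example.com or c.example.com on a connection whose SNI was a.example.com. The strict SNI-equals-Host check rejects both, while a hypothetical relaxed server check that compares the configured SSL parameters of the Host-selected vhost with those of the SNI-selected vhost accepts the one whose TLS settings are identical and refuses the one that would need a renegotiation (here, a vhost with SSLVerifyClient require). The function names and the (directive, value) representation of SSL parameters are assumptions of the example.

```python
from dataclasses import dataclass
from typing import Callable, FrozenSet, List, Set, Tuple


def hostname_matches(pattern: str, host: str) -> bool:
    """Exact match, or a wildcard that replaces only the leftmost label
    (the usual TLS server-identity rule: '*.example.com' covers
    'a.example.com' but not 'example.com' or 'x.a.example.com')."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        p_labels = pattern.split(".")
        h_labels = host.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False


@dataclass(frozen=True)
class Cert:
    names: FrozenSet[str]  # dNSName subjectAltName entries (constructed)

    def covers(self, host: str) -> bool:
        return any(hostname_matches(n, host) for n in self.names)


@dataclass(frozen=True)
class Connection:
    ip: str     # address the client connected to
    sni: str    # server_name the client sent in the ClientHello
    cert: Cert  # certificate the server presented in the handshake


def client_may_reuse(conn: Connection, host: str,
                     resolve: Callable[[str], Set[str]]) -> bool:
    """RFC 7540 section 9.1.1: a client may send requests for another
    hostname on an existing connection when that hostname resolves to the
    connection's IP address and the server's certificate is valid for it.
    The SNI value sent at handshake time plays no part in this rule."""
    return conn.ip in resolve(host) and conn.cert.covers(host)


def strict_sni_check(conn: Connection, host: str) -> bool:
    """The check the message describes: Host must equal the SNI name."""
    return host.lower().rstrip(".") == conn.sni.lower().rstrip(".")


@dataclass(frozen=True)
class VHost:
    names: Tuple[str, ...]
    # (directive, value) pairs such as SSLProtocol, SSLVerifyClient (assumed
    # representation, not how mod_ssl stores its configuration)
    ssl_params: Tuple[Tuple[str, str], ...]


def select_vhost(vhosts: List[VHost], name: str) -> VHost:
    """Name-based selection; the first vhost is the default."""
    for vh in vhosts:
        if any(hostname_matches(n, name) for n in vh.names):
            return vh
    return vhosts[0]


def server_accepts(vhosts: List[VHost], conn: Connection,
                   host: str) -> Tuple[bool, str]:
    """Hypothetical relaxed check: the vhost the Host header selects must
    have the same SSL parameters as the vhost selected by SNI, because the
    TLS session was negotiated for the latter.  Anything else would need a
    renegotiation (RFC 7540 section 9.1.2 reserves 421 Misdirected Request
    for a server that cannot serve the request on this connection)."""
    sni_vh = select_vhost(vhosts, conn.sni)
    host_vh = select_vhost(vhosts, host)
    if host_vh is sni_vh:
        return True, "same vhost as SNI"
    if host_vh.ssl_params == sni_vh.ssl_params:
        return True, "different vhost, identical SSL parameters"
    diff = sorted({d for d, _ in set(host_vh.ssl_params) ^ set(sni_vh.ssl_params)})
    return False, "SSL parameters differ: " + ", ".join(diff)


# Constructed sample: one wildcard cert shared by three vhosts on one
# address, where c.example.com additionally requires a client certificate.
WILDCARD_CERT = Cert(frozenset({"*.example.com"}))
SAMPLE_VHOSTS = [
    VHost(("a.example.com",), (("SSLProtocol", "all -SSLv3"), ("SSLVerifyClient", "none"))),
    VHost(("b.example.com",), (("SSLProtocol", "all -SSLv3"), ("SSLVerifyClient", "none"))),
    VHost(("c.example.com",), (("SSLProtocol", "all -SSLv3"), ("SSLVerifyClient", "require"))),
]
SAMPLE_CONN = Connection(ip="192.0.2.10", sni="a.example.com", cert=WILDCARD_CERT)


def sample_resolve(host: str) -> Set[str]:
    """Constructed DNS: every *.example.com name shares the one address."""
    return {"192.0.2.10"} if hostname_matches("*.example.com", host) else {"198.51.100.7"}


if __name__ == "__main__":
    for host in ("a.example.com", "b.example.com", "c.example.com"):
        print(host,
              "strict:", strict_sni_check(SAMPLE_CONN, host),
              "client reuse:", client_may_reuse(SAMPLE_CONN, host, sample_resolve),
              "server:", server_accepts(SAMPLE_VHOSTS, SAMPLE_CONN, host))
```

Run as-is and the three lines show the gap the message is about: the client is entitled to reuse the connection for all three names, the strict check only accepts a.example.com, and the parameter comparison accepts b.example.com but refuses c.example.com with the differing directive named. Note what the comparison cannot see: it assumes the vhost's SSL parameters are the only thing that changes between the two names; anything else that a handshake-time decision baked into the session would need to be added to the comparison.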
