httpd-dev mailing list archives

From Ruediger Pluem <rpl...@apache.org>
Subject Re: HTTP_MISDIRECTED_REQUEST
Date Fri, 28 Aug 2015 08:54:59 GMT


On 08/28/2015 10:35 AM, Stefan Eissing wrote:
> 
>> Am 28.08.2015 um 10:32 schrieb Ruediger Pluem <rpluem@apache.org>:
>> On 08/28/2015 09:32 AM, Stefan Eissing wrote:
>>>
>>>> Am 28.08.2015 um 03:37 schrieb Roy T. Fielding <fielding@gbiv.com>:
>>>>> +                if (r->connection->keepalives > 0) {
>>>>> +                    return HTTP_MISDIRECTED_REQUEST;
>>>>> +                }
>>>>>                 return HTTP_BAD_REQUEST;
>>>>>             }
>>>>>         }
>>>>>
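Review bot: the added test on r->connection->keepalives > 0 makes the status code depend on the request's position on the connection, so the same failure returns HTTP_BAD_REQUEST for the first request and HTTP_MISDIRECTED_REQUEST for every later one. If that split is intended, add a comment in the new branch saying why keepalives is the right signal for it; if it is not, drop the conditional and return a single status from this path.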
>>>> IIRC, it is applicable to HTTP/1.1 as well. Think misdirected requests containing
>>>> an absolute request URI that points to some other server.  I don't think the conditional
>>>> is needed at all -- just return HTTP_MISDIRECTED_REQUEST.
>>>
>>> Thanks for clarifying this.
>>>
>>>> Hmm, I wonder how this impacts Google's desire to allow multiple hosts to reuse
>>>> the same SPDY connection ... was that dropped for h2?
>>>
>>> It wasn't. Our implementation currently just goes the easy way. It needs to check
>>> that server/vhost from request and SNI indeed use the same certificate and if not,
>>> maybe even if altnames/wildcards match. But I am not sure that is a good idea.
>>
>> The issue is a little bit more complex. You need to ensure that the server/vhost
>> from the request is using the same SSL parameters as the SNI host like protocols,
>> ciphers, etc. Otherwise you would need to renegotiate. And as far as I
>> remember some parameters are not renegotiable. See comments above this code.
> 
> Hmm, I see. Since you know this more intimately than me: is checking the mod_ssl config
> of both for equality of certain members the way to solve this? It should either have the
> individual settings or the merged ones from the base server, right?

Interesting approach. I hope our SSL experts will chime in :-).
And yes, the configs should have the individual settings or the merged ones from the base
server, which could be the default values.

Regards

Rüdiger


> 
> 
> 
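
The check discussed in this thread (compare the effective TLS settings of the SNI vhost and the request's vhost, with base-server values filling in anything a vhost leaves unset) can be sketched as follows. This is an added example, not part of the original message and not httpd or mod_ssl code: the tls_policy struct, its fields (including the client certificate mode), the sample values and the function names are all hypothetical, and returning HTTP_MISDIRECTED_REQUEST on a mismatch is an assumption taken from the status code under discussion.

```c
#include <stddef.h>
#include <string.h>

#define HTTP_MISDIRECTED_REQUEST 421  /* status code discussed in the thread */

/* Hypothetical per-vhost TLS settings, NOT mod_ssl's real config struct.
 * -1 or NULL means "not set in this vhost, inherit from the base server". */
typedef struct {
    int protocols;             /* bitmask of enabled protocol versions */
    const char *cipher_suite;  /* cipher list string */
    int verify_mode;           /* assumed extra field: client cert mode */
} tls_policy;

/* Constructed sample data: a and b resolve to the same effective policy,
 * c additionally sets a client certificate mode. */
const tls_policy base_policy = { 0x6, "HIGH:!aNULL", 0 };
const tls_policy vhost_a = { -1, NULL, -1 };
const tls_policy vhost_b = { -1, "HIGH:!aNULL", -1 };
const tls_policy vhost_c = { -1, NULL, 2 };

/* Effective policy: the vhost's own value wins, else the base server's. */
static tls_policy tls_policy_merge(const tls_policy *base, const tls_policy *v)
{
    tls_policy m;
    m.protocols = v->protocols >= 0 ? v->protocols : base->protocols;
    m.cipher_suite = v->cipher_suite ? v->cipher_suite : base->cipher_suite;
    m.verify_mode = v->verify_mode >= 0 ? v->verify_mode : base->verify_mode;
    return m;
}

static int str_eq(const char *a, const char *b)
{
    if (a == NULL || b == NULL) return a == b;  /* both unset counts as equal */
    return strcmp(a, b) == 0;
}

/* Returns 0 when a request for req_vhost may be served on a connection whose
 * TLS handshake used sni_vhost, otherwise HTTP_MISDIRECTED_REQUEST. */
int check_request_vhost(const tls_policy *base, const tls_policy *sni_vhost,
                        const tls_policy *req_vhost)
{
    tls_policy s, r;
    if (sni_vhost == req_vhost) return 0;   /* same vhost, nothing to compare */
    s = tls_policy_merge(base, sni_vhost);
    r = tls_policy_merge(base, req_vhost);
    if (s.protocols != r.protocols || s.verify_mode != r.verify_mode
        || !str_eq(s.cipher_suite, r.cipher_suite))
        return HTTP_MISDIRECTED_REQUEST;
    return 0;
}
```

Comparing merged values rather than raw ones is what lets vhost_b, which spells out the base server's cipher list explicitly, match vhost_a, which inherits it.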
