httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan Eissing <stefan.eiss...@greenbytes.de>
Subject Re: HTTP_MISDIRECTED_REQUEST
Date Fri, 28 Aug 2015 08:35:02 GMT

> Am 28.08.2015 um 10:32 schrieb Ruediger Pluem <rpluem@apache.org>:
> On 08/28/2015 09:32 AM, Stefan Eissing wrote:
>> 
>>> Am 28.08.2015 um 03:37 schrieb Roy T. Fielding <fielding@gbiv.com>:
>>>> +                if (r->connection->keepalives > 0) {
>>>> +                    return HTTP_MISDIRECTED_REQUEST;
>>>> +                }
>>>>                 return HTTP_BAD_REQUEST;
>>>>             }
>>>>         }
>>>> 
>>> IIRC, it is applicable to HTTP/1.1 as well. Think misdirected requests containing
>>> an absolute request URI that points to some other server.  I don't think the
conditional
>>> is needed at all -- just return HTTP_MISDIRECTED_REQUEST.
>> 
>> Thanks for clarifying this.
>> 
>>> Hmm, I wonder how this impacts Google's desire to allow multiple hosts to reuse
>>> the same SPDY connection ... was that dropped for h2?
>> 
>> It wasn't. Our implementation currently just goes the easy way. It needs to check
that server/vhost from request and SNI indeed use the same certificate and if not, maybe even
if altnames/wildcards match. But I am not sure that is a good idea.
> 
> The issue is a little bit more complex. You need to ensure that the server/vhost from
the request is using the same SSL
> parameters as the SNI host like protocols, ciphers, etc. Otherwise you would need to
renegotiate. And as far as I
> remember some parameters are not renegotiable. See comments above this code.

Hmm, I see. Since you know this more intimate than me: is checking the mod_ssl config of both
for equality of certain members the way to solve this? It should either have the individual
settings or the merged ones from the base server, right?

//Stefan

<green/>bytes GmbH
Hafenweg 16, 48155 Münster, Germany
Phone: +49 251 2807760. Amtsgericht Münster: HRB5782




Mime
View raw message