httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan Eissing <stefan.eiss...@greenbytes.de>
Subject connection reuse and ssl renegotiation
Date Tue, 22 Sep 2015 11:24:03 GMT
Just an update on this topic:

We currently allow only connection reuse for the server/vhost that was selected by the SNI,
thanks to the patch by Yann.

However, the problem is deeper than I originally thought: SSL renegotiation is forbidden in
HTTP/2, exactly due to concurrency issues. There is a debate currently on the http-wg mailing
list, what to do about it, especially for sites that use client certificates.

As Apache httpd, we can at the moment only advise server administrators to not enable HTTP/2
for servers/vhosts that make use of renegotiations. We should probably log an error when ap_get_protocol()
!= "http/1.1", when renegotiation is attempted. Anyone know the best place to put that?

ssl_hook_Access() seems the renegotiation monster. Not sure if I want to stick my fingers
in there. But this seems to be the place to check the protocol and make a log error (at least)?
Or do we make a connection_param_renegotiate hook that can stop renegotiation and set the
proper response on the request?

//Stefan

<green/>bytes GmbH
Hafenweg 16, 48155 Münster, Germany
Phone: +49 251 2807760. Amtsgericht Münster: HRB5782




Mime
View raw message