httpd-dev mailing list archives

From Stefan Eissing <stefan.eiss...@greenbytes.de>
Subject Re: svn commit: r1695727 - in /httpd/httpd/trunk: docs/manual/mod/core.xml include/http_core.h server/core.c server/protocol.c
Date Wed, 02 Sep 2015 17:54:59 GMT
If we want to be safer, we can change the Protocols default to just http/1.1. Also, the
default for ordering we can change, np. 

Other opinions? 

For ALPN, afaik the callback only gets triggered if the client actually sends ALPN in its
hello. Since "http/1.1" is the only identifier defined in the standard (for http version <
2), we cannot send any 1.0 or 0.9. And if the client does, it's an unidentified thing. ALPN
says that the server is free to select even a protocol not mentioned in the client hello.
So sending back "http/1.1" in case server/client wishes do not overlap is fine too. Either
the client reconsiders or closes the connection. 

Legacy clients will not send ALPN, so the whole handshake will work as before. (modulo bugs)

> Am 02.09.2015 um 18:20 schrieb Yann Ylavic <ylavic.dev@gmail.com>:
> 
>> On Thu, Aug 13, 2015 at 5:33 PM,  <icing@apache.org> wrote:
>> Author: icing
>> Date: Thu Aug 13 15:33:07 2015
>> New Revision: 1695727
>> 
>> URL: http://svn.apache.org/r1695727
>> Log:
>> new directive ProtocolsHonorOrder, added documentation for Protocols feature, changed preference selection and config merging
>> 
>> Modified:
>>    httpd/httpd/trunk/docs/manual/mod/core.xml
> []
>> 
>> Modified: httpd/httpd/trunk/docs/manual/mod/core.xml
>> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/core.xml?rev=1695727&r1=1695726&r2=1695727&view=diff
>> ==============================================================================
>> --- httpd/httpd/trunk/docs/manual/mod/core.xml (original)
>> +++ httpd/httpd/trunk/docs/manual/mod/core.xml Thu Aug 13 15:33:07 2015
>> @@ -3711,6 +3711,71 @@ Protocol https
>> 
>> 
>> <directivesynopsis>
>> +    <name>Protocols</name>
>> +    <description>Protocols available for a server/virtual host</description>
>> +    <syntax>Protocols <var>protocol</var> ...</syntax>
>> +    <contextlist><context>server config</context><context>virtual
host</context></contextlist>
>> +    <compatibility>Only available from Apache 2.4.17 and later.</compatibility>
>> +
>> +    <usage>
>> +        <p>This directive specifies the list of protocols supported for a
>> +            server/virtual host. The list determines the allowed protocols
>> +            a client may negotiate for this server/host.</p>
>> +
>> +        <p>You only need to set protocols if you want to limit the available
>> +            protocols for a server/host. By default, all supported protocols
>> +            are available to a client.</p>
>> +
>> +        <p>For example, if you want to support only HTTP/1.1 for a server,
even
>> +            though HTTP/2 is available, just specify this protocol only:</p>
>> +
>> +        <highlight language="config">
>> +            Protocols http/1.1
>> +        </highlight>
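Review bot: the `<usage>` text for Protocols says nothing about how the list is merged between server config and a virtual host, although the log message says config merging changed; add a sentence stating whether a vhost's `Protocols` replaces or extends the main-server list, since that decides whether h2 is reachable on a vhost that did not opt in. The prose also claims a default ("By default, all supported protocols are available") while the synopsis has no `<default>` element, so the rendered directive table shows none; add `<default>` here, or, if the default becomes http/1.1 as discussed in this thread, document that instead. Minor: "You only need to set protocols" should name the directive, `Protocols`.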
> 
> It is not clear to me (still, see [1]) why Protocols would default
> like this, and h2 be available for all the vhosts (provided mod_http2
> is loaded) unless the above is configured.
> IOW, I'd prefer "Protocols http/1.1" to be the default (at least for 2.4.x).
> 
> Also, since "http/1.1" is implicit, and ssl_callback_alpn_select() is
> unconditionally registered, we can end up negotiating/proposing
> "http/1.1" with the client even if it was not asked (and using ALPN
> extensions when not needed).
> Couldn't we instead either not register the callback or return
> SSL_TLSEXT_ERR_NOACK when no protocol is selected (including when no
> Protocols is configured)?
> 
> I think POLS suggests that...
> 
> []
>> +</directivesynopsis>
>> +
>> +
>> +<directivesynopsis>
>> +    <name>ProtocolsHonorOrder</name>
>> +    <description>Protocols available for a server/virtual host</description>
>> +    <syntax>ProtocolsHonorOrder On|Off</syntax>
>> +    <default>ProtocolsHonorOrder Off</default>
> 
> Again here I'd suggest "On" by default (eg. SSLHonorCipherOrder is
> quite recommended today, if that's a valid analogy).
> 
> []
>> +</directivesynopsis>
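Review bot: the `<description>` for ProtocolsHonorOrder repeats the Protocols description verbatim ("Protocols available for a server/virtual host"), which is wrong for this directive; it should say what the switch does, e.g. "Determines if order of Protocols determines precedence during negotiation". Since the default is `Off`, the usage section (elided in this quote) also needs to state which preference wins in that case, the client's ALPN order or the server's `Protocols` order, so an admin who lists `h2` first understands it is not honored unless this is `On`.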
> 
> Regards,
> Yann.
> 
> [1] http://www.mail-archive.com/dev%40httpd.apache.org/msg62160.html
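The selection logic the two messages argue about, written out as a standalone C model so the Off/On ordering and the "no overlap" case can be exercised. This is an added example, not httpd's ssl_callback_alpn_select() or any code from the commit: `proto_conf` is a hypothetical stand-in for the merged vhost config, the `ALPN_OK`/`ALPN_NOACK` values are assumed to match OpenSSL's `SSL_TLSEXT_ERR_OK`/`SSL_TLSEXT_ERR_NOACK` and are defined locally so the file builds without OpenSSL, and the client lists are constructed samples. On no overlap it returns NOACK (Yann's proposal) rather than forcing "http/1.1".

```c
#include <stdio.h>
#include <string.h>

#define ALPN_OK    0   /* assumed equal to OpenSSL's SSL_TLSEXT_ERR_OK */
#define ALPN_NOACK 3   /* assumed equal to SSL_TLSEXT_ERR_NOACK: no ALPN in reply */
#define MAX_PROTOS 8

/* Hypothetical stand-in for the merged vhost config discussed in the thread. */
typedef struct {
    const char *protocols[MAX_PROTOS]; /* Protocols list, most preferred first */
    int count;
    int honor_order;                   /* ProtocolsHonorOrder: 1 = On, 0 = Off */
} proto_conf;

/* ALPN wire format: each name is prefixed by a 1-byte length. Returns 0 on error. */
unsigned alpn_encode(const char **names, int n, unsigned char *buf, unsigned buflen)
{
    unsigned pos = 0;
    for (int i = 0; i < n; i++) {
        size_t l = strlen(names[i]);
        if (l == 0 || l > 255 || pos + 1 + l > buflen)
            return 0;
        buf[pos++] = (unsigned char)l;
        memcpy(buf + pos, names[i], l);
        pos += (unsigned)l;
    }
    return pos;
}

/* Advance *pos by one entry; 0 at end of list or on a zero/overlong length. */
static int alpn_next(const unsigned char *in, unsigned inlen, unsigned *pos,
                     const unsigned char **name, unsigned *len)
{
    if (*pos >= inlen || in[*pos] == 0 || *pos + 1 + in[*pos] > inlen)
        return 0;
    *len = in[*pos];
    *name = in + *pos + 1;
    *pos += 1 + *len;
    return 1;
}

/* Index of name in the Protocols list (lower = more preferred), or -1. */
static int server_index(const proto_conf *c, const unsigned char *name, unsigned len)
{
    for (int i = 0; i < c->count; i++)
        if (strlen(c->protocols[i]) == len && !memcmp(name, c->protocols[i], len))
            return i;
    return -1;
}

/* Off: the client's first entry the server supports wins.
 * On:  the server's most preferred entry the client offered wins.
 * No overlap, empty Protocols or a malformed list: ALPN_NOACK. */
int alpn_select(const proto_conf *conf, const unsigned char *in, unsigned inlen,
                const unsigned char **out, unsigned char *outlen)
{
    unsigned pos = 0, len, best_len = 0;
    const unsigned char *name, *best = NULL;
    int best_rank = conf->count;

    while (alpn_next(in, inlen, &pos, &name, &len)) {
        int rank = server_index(conf, name, len);
        if (rank < 0)
            continue;
        if (!conf->honor_order) {
            if (best == NULL) { best = name; best_len = len; }
        } else if (rank < best_rank) {
            best = name; best_len = len; best_rank = rank;
        }
    }
    if (pos != inlen || best == NULL)   /* trailing garbage or nothing in common */
        return ALPN_NOACK;
    *out = best;
    *outlen = (unsigned char)best_len;
    return ALPN_OK;
}

/* Convenience wrapper: encode the offered names, select, copy the pick to dst. */
int alpn_select_names(const proto_conf *conf, const char **offered, int n,
                      char *dst, size_t dstlen)
{
    unsigned char wire[256], outlen = 0;
    const unsigned char *out = NULL;
    unsigned wlen = alpn_encode(offered, n, wire, sizeof wire);
    int rc = alpn_select(conf, wire, wlen, &out, &outlen);
    dst[0] = '\0';
    if (rc == ALPN_OK && outlen < dstlen) {
        memcpy(dst, out, outlen);
        dst[outlen] = '\0';
    }
    return rc;
}

int main(void)
{
    /* Constructed sample: "Protocols h2 http/1.1"; client offers http/1.1 before h2. */
    proto_conf conf = { { "h2", "http/1.1" }, 2, 0 };
    const char *client[] = { "http/1.1", "h2" };
    const char *legacy[] = { "spdy/3" };
    char pick[64];

    alpn_select_names(&conf, client, 2, pick, sizeof pick);
    printf("ProtocolsHonorOrder Off -> %s\n", pick);
    conf.honor_order = 1;
    alpn_select_names(&conf, client, 2, pick, sizeof pick);
    printf("ProtocolsHonorOrder On  -> %s\n", pick);
    printf("no overlap -> rc=%d (NOACK=%d)\n",
           alpn_select_names(&conf, legacy, 1, pick, sizeof pick), ALPN_NOACK);
    return 0;
}
```

The malformed-list check matters in a real callback: the client's ALPN bytes are attacker-controlled, so a declared length that runs past `inlen` must be rejected rather than read. A client that sends no ALPN never reaches this code at all, which is the legacy path Stefan describes.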
