httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ronald Masaya <ronaldmasaya...@gmail.com>
Subject Re: HTTP_MISDIRECTED_REQUEST
Date Tue, 01 Sep 2015 08:07:52 GMT
Adobotalk.com  youtube.com

ronaldmasayarm
On Aug 31, 2015 5:48 PM, "Stefan Eissing" <stefan.eissing@greenbytes.de>
wrote:

>
> > Am 28.08.2015 um 15:49 schrieb Eric Covener <covener@gmail.com>:
> >
> > On Fri, Aug 28, 2015 at 9:26 AM, Stefan Eissing
> > <stefan.eissing@greenbytes.de> wrote:
> >> If this works, one could think about introducing some kind of
> "equivalence number" to speed up the checking, since in certain HTTP/2
> setups there might be a good percentage of requests requiting this
> verification.
> >
> > Long term we need to block these name-based renegotiations because
> > we'll be at TLS1.3.  I don't know how to ween people off, but making
> > up an H2 requirement might be one way to ease people into it.
>
> I am not the expert on TLS renegotiation, I am just aware that certain TLS
> parameters can be changed on an existing connection if both parties agree.
> And I am aware that this has been used in attacks and the feature seems to
> be frowned upon nowadays.
>
> I see mod_ssl code that checks for renegotiations based on directory
> configurations, so it is request based. And it will fail miserably in
> HTTP/2 connections as there is no longer *the one current* request on a
> connection.
>
> What would be the most common scenarios for TLS renegotiation be that we
> should users warn about when enabling HTTP/2? Is requiting a client cert a
> common use here?
>
> //Stefan
>
> <green/>bytes GmbH
> Hafenweg 16, 48155 Münster, Germany
> Phone: +49 251 2807760. Amtsgericht Münster: HRB5782
>
>
>
>

Mime
View raw message