From: Stefan Eissing
To: "dev@httpd.apache.org"
Subject: Re: svn commit: r1695727 - in /httpd/httpd/trunk: docs/manual/mod/core.xml include/http_core.h server/core.c server/protocol.c
Date: Wed, 2 Sep 2015 19:54:59 +0200
Message-Id: <96991731-9044-4977-B666-8A46F5B1C281@greenbytes.de>
References: <20150813153307.D0EBEAC0734@hades.apache.org>
X-Mailer: iPhone Mail (12H321)

If we want to be more safe, we can change the Protocols default to just http/1.1. Also the default for ordering we can change, np.

Other opinions?

For ALPN, afaik the callback only gets triggered if the client actually sends ALPN in its hello. Since "http/1.1" is the only identifier defined in the standard (for http version < 2), we cannot send any 1.0 or 0.9. And if the client does, it's an unidentified thing. ALPN says that the server is free to select even a protocol not mentioned in the client hello. So sending back "http/1.1" in case server/client wishes do not overlap is fine too. Either the client reconsiders or closes the connection.

Legacy clients will not send ALPN, so the whole handshake will work as before (modulo bugs).

> On 02.09.2015 at 18:20, Yann Ylavic wrote:
>
>> On Thu, Aug 13, 2015 at 5:33 PM, wrote:
>> Author: icing
>> Date: Thu Aug 13 15:33:07 2015
>> New Revision: 1695727
>>
>> URL: http://svn.apache.org/r1695727
>> Log:
>> new directive ProtocolsHonorOrder, added documentation for Protocols feature, changed preference selection and config merging
>>
>> Modified:
>> httpd/httpd/trunk/docs/manual/mod/core.xml
> []
>>
>> Modified: httpd/httpd/trunk/docs/manual/mod/core.xml
>> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/core.xml?rev=1695727&r1=1695726&r2=1695727&view=diff
>> ===================================================================
>> --- httpd/httpd/trunk/docs/manual/mod/core.xml (original)
>> +++ httpd/httpd/trunk/docs/manual/mod/core.xml Thu Aug 13 15:33:07 2015
>> @@ -3711,6 +3711,71 @@ Protocol https
>>
>>
>>
>> + Protocols
>> + Protocols available for a server/virtual host
>> + Protocols protocol ...
>> + server configvirtual host
>> + Only available from Apache 2.4.17 and later.
>> +
>> +
>> + This directive specifies the list of protocols supported for a
>> + server/virtual host. The list determines the allowed protocols
>> + a client may negotiate for this server/host.
>> +
>> + You only need to set protocols if you want to limit the available
>> + protocols for a server/host. By default, all supported protocols
>> + are available to a client.
>> +
>> + For example, if you want to support only HTTP/1.1 for a server, even
>> + though HTTP/2 is available, just specify this protocol only:
>> +
>> +
>> + Protocols http/1.1
>> +
>
> It is not clear to me (still, see [1]) why Protocols would default
> like this, and h2 be available for all the vhosts (provided mod_http2
> is loaded) unless the above is configured.
> IOW, I'd prefer "Protocols http/1.1" to be the default (at least for 2.4.x).
>
> Also, since "http/1.1" is implicit, and ssl_callback_alpn_select() is
> unconditionally registered, we can end up negotiating/proposing
> "http/1.1" with the client even if it was not asked (and using ALPN
> extensions when not needed).
> Couldn't we instead either not register the callback or return
> SSL_TLSEXT_ERR_NOACK when no protocol is selected (including when no
> Protocols is configured)?
>
> I think POLS suggests that...
>
> []
>> +
>> +
>> +
>> +
>> + ProtocolsHonorOrder
>> + Protocols available for a server/virtual host
>> + ProtocolsHonorOrder On|Off
>> + ProtocolsHonorOrder Off
>
> Again here I'd suggest "On" by default (eg. SSLHonorCipherOrder is
> quite recommended today, if that's a valid analogy).
>
> []
>> +
>
> Regards,
> Yann.
>
> [1] http://www.mail-archive.com/dev%40httpd.apache.org/msg62160.html
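Review bot: the ProtocolsHonorOrder block at the end of the hunk reuses the description line "Protocols available for a server/virtual host" from the Protocols directive, so the synopsis does not say what the directive actually controls; it should state that it decides whether the server's configured Protocols order or the client's preference wins during negotiation (the log line "changed preference selection" is the behaviour to describe). The Protocols block also has syntax, context and compatibility lines but no default line, while ProtocolsHonorOrder shows "ProtocolsHonorOrder Off"; since the usage text says that by default all supported protocols are available, stating that default in the Protocols synopsis as well would make the two directives consistent and make the default Yann questions visible at a glance.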
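The selection logic the thread argues about, as an added example that is not mod_ssl's ssl_callback_alpn_select() nor any other project code: the client's wire-format ALPN list is checked against a configured Protocols list with ProtocolsHonorOrder on or off, malformed lists are rejected before any comparison, and the no-overlap case is switched between Yann's "do not acknowledge" answer and Stefan's "http/1.1" fallback. The names alpn_select, server_rank, alpn_list_valid and the NO_OVERLAP_* policy values are assumptions of this example; a NULL result is what the caller would map to SSL_TLSEXT_ERR_NOACK.

```c
#include <string.h>

/* Policy for the case Stefan and Yann discuss: client and server lists do not
 * overlap. Return NULL (caller answers SSL_TLSEXT_ERR_NOACK) or fall back to
 * "http/1.1", which RFC 7301 permits even when the client did not offer it. */
enum { NO_OVERLAP_NOACK = 0, NO_OVERLAP_HTTP11 = 1 };

/* Client ALPN list on the wire: repeated (1-byte length, name). Reject empty
 * names and lengths that run past the buffer before comparing anything. */
static int alpn_list_valid(const unsigned char *in, unsigned inlen)
{
    unsigned i = 0;
    while (i < inlen) {
        if (in[i] == 0 || i + 1 + in[i] > inlen) return 0;
        i += 1 + in[i];
    }
    return inlen > 0;
}

/* Index of the name in the configured Protocols list, or -1 if not configured. */
static int server_rank(const char **server, int nserver,
                       const unsigned char *p, unsigned len)
{
    for (int i = 0; i < nserver; i++)
        if (strlen(server[i]) == len && memcmp(server[i], p, len) == 0) return i;
    return -1;
}

/* `server` is the Protocols list in preference order. honor_order mirrors
 * ProtocolsHonorOrder: 1 = server order decides, 0 = the client's first offer
 * that the server supports wins. Returns the name to send back, or NULL when
 * the callback should not acknowledge ALPN at all (SSL_TLSEXT_ERR_NOACK). */
const char *alpn_select(const unsigned char *in, unsigned inlen,
                        const char **server, int nserver,
                        int honor_order, int policy)
{
    int best = nserver;                      /* lower index = more preferred */
    if (!alpn_list_valid(in, inlen)) return NULL;
    for (unsigned i = 0; i < inlen; i += 1 + in[i]) {
        int r = server_rank(server, nserver, in + i + 1, in[i]);
        if (r < 0) continue;
        if (!honor_order) return server[r]; /* client preference wins */
        if (r < best) best = r;
    }
    if (best < nserver) return server[best];
    return policy == NO_OVERLAP_HTTP11 ? "http/1.1" : NULL;
}
```

The constructed client lists in the test below ("\x08http/1.1\x02h2", "\x06spdy/3") use the real ALPN wire encoding, so the same function could sit behind an OpenSSL selection callback once its `in`/`inlen` are passed through.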
>> + >> + >> + >> + ProtocolsHonorOrder >> + Protocols available for a server/virtual host >> + ProtocolsHonorOrder On|Off >> + ProtocolsHonorOrder Off >=20 > Again here I'd suggest "On" by default (eg. SSLHonorCipherOrder is > quite recommended today, if that's a valid analogy). >=20 > [] >> + >=20 > Regards, > Yann. >=20 > [1] http://www.mail-archive.com/dev%40httpd.apache.org/msg62160.html