httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Graham Leggett <>
Subject Re: master connection + mod_ssl + http2
Date Wed, 21 Oct 2015 14:25:00 GMT
On 21 Oct 2015, at 2:42 PM, Stefan Eissing <> wrote:

> The basic changes:
> 1. conn_rec->master is NULL for HTTP/1.1 connections, but points to the "real" connection
for HTTP/2 requests.
> 2. mod_ssl no longer initalizes any SSLConnRec* for slave connections (conn_rec->master
!= NULL)
> 3. lookup of ssl variables uses the master's sslconn->ssl if none is found on the
connection itself
> 4. ssl_hook_Access() that checks renegotiation fails with a FORBIDDEN for a slave connection
with a note for the reason.
>   This should allow mod_http2 to generate the correct HTTP/2 stream error
> 5. ssl_hook_ReadReq() that checks for wrong host names now has an additional check for
TLS compatiblity which compares
>   protocol, cipher suite, certificate and key file/path names and verify mode of the
request server against the
>   handshake server. This compatibility is strict equality and not as sophisticated as
the renegotiation checks.
> With these changes, mod_http2 has less work for the slave connection setup and no longer
needs to disable ssl for those. While mod_ssl continues to be ignorant of mod_http2, as the
same restrictions would apply to any protocol with slave connections. With a minor bump in
MMN we can have this in the next 2.4.

Not having looked at the patch yet, the above seems to make sense.


View raw message