Can we really do ALPN per vhost?
If this is handled before or at the same time as SNI, then SSLAlpnEnable is
eventually applied per listening address, while H2Engine would make sense even
for multiple hosts at the same ip.
I would say returning some error is a valid response for not enabling H2Engine
on a VHost, while still handling ALPN when explicitly disabled is not.
Bert
From: Stefan Eissing [mailto:[email protected]]
Sent: woensdag 3 juni 2015 22:20
To: [email protected]
Subject: Re: ALPN patch comments
That is why mod_h2 allowe "H2Engine on|off" on base server and vhosts. If I
understand you correctly, this does what you ask for.
//Stefan
Am 03.06.2015 um 19:45 schrieb William A Rowe Jr <[email protected]
<mailto:[email protected]> >:
On Wed, Jun 3, 2015 at 8:43 AM, Stefan Eissing <[email protected]
<mailto:[email protected]> > wrote:
Hmm, personally, I do not like redundant configurations. If someone configures
a module, like mod_h2, to be enabled (H2Engine on), she could expect the module
to take all the necessary steps. So I am no fan of a „SSLAlpnEnable“.
The reason boils down to vhosts and interop. If someone does not wish
for a specific vhost (perhaps interacting with bad clients, or created for
backwards compatibility) to respond with a feature, it is useful to have
a fine-grained toggle. The default -could- be 'enabled', although this
probably should not happen on the stable/maintenance branches, but
simply on the future release branch, to avoid surprises.
OpenSSL does the wrong thing in some cases with respect to TLS/SNI
and my current patch development - in some respect - is backing out
that callback change for customers who have been burned by this
specific nonsense. You should reconsider absolutist behaviors,
because they make it much harder for people to inject 'experimental'
behaviors into specific hosts.
