> On Jun 9, 2015, at 3:42 AM, Yann Ylavic <[email protected]> wrote: > > It just needed to get out :) > > But I agree that since we are to implement the RFC, we must comply, > and find a way to still comply with HTTP/1. > Both checks on SNI and renegotiation occur in the post_read_request > hook, so we should be able to deal with vhost's parameters (configured > Protocols, ProtocolTransports...), and do the right thing. > > On Tue, Jun 9, 2015 at 12:09 PM, Stefan Eissing > <[email protected]> wrote: >> Yann, I am with you and feel at least unease about this mixing. >> >> But the RFC has been approved and browsers will adhere to it. So if we do >> not enforce some policies in the server, connections will fail for >> mysterious reasons. And tickets will be raised...
Well, don't be too hasty. There are a number of requirements in the RFC that have nothing to do with HTTP and should be summarily ignored in the core implementation. There are other requirements in the RFC that might turn out to be wrong or unnecessary, just as we found in RFC2068, and it is our task to implement what works and change the RFCs later. However, the server as a whole should be configurable to be compliant (by default) in the relevant code. All of the requirements around TLS, for example, need to be available in the SSL configs, but it is not h2's responsibility to ensure that it has an RFC7540-compliant TLS config. That is the admin's responsibility/choice. WRT renegotiation, it is fair to say that the WG punted on the idea due to lack of time. If someone figures out a way to safely renegotiate an h2 connection (and all of its streams), then go ahead and implement it, describe it in an I-D, and submit it to the httpbis WG. There is nothing wrong with Apache leading by example. Cheers, ....Roy
