On 08/28/2015 09:32 AM, Stefan Eissing wrote:
> 
>> On 28.08.2015 at 03:37, Roy T. Fielding <field...@gbiv.com> wrote:
>>> +                if (r->connection->keepalives > 0) {
>>> +                    return HTTP_MISDIRECTED_REQUEST;
>>> +                }
>>>                  return HTTP_BAD_REQUEST;
>>>              }
>>>          }
>>>
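Review bot: The `r->connection->keepalives > 0` guard on the added lines leaves the first request on a connection falling through to `return HTTP_BAD_REQUEST;`, so the same failing check answers 400 or 421 depending only on whether the connection has already served a request. Either drop the guard and return HTTP_MISDIRECTED_REQUEST unconditionally, or add a comment above the `if` stating why the keepalive count is the right discriminator. The enclosing condition is not visible in this hunk, so that comment should also name the mismatch being reported.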
>> IIRC, it is applicable to HTTP/1.1 as well. Think misdirected requests
>> containing an absolute request URI that points to some other server.
>> I don't think the conditional is needed at all -- just return
>> HTTP_MISDIRECTED_REQUEST.
> 
> Thanks for clarifying this.
> 
>> Hmm, I wonder how this impacts Google's desire to allow multiple hosts to
>> reuse the same SPDY connection ... was that dropped for h2?
> 
> It wasn't. Our implementation currently just goes the easy way. It needs to 
> check that server/vhost from request and SNI indeed use the same certificate 
> and if not, maybe even if altnames/wildcards match. But I am not sure that is 
> a good idea.

The issue is a little bit more complex. You need to ensure that the
server/vhost from the request is using the same SSL parameters as the SNI
host, like protocols, ciphers, etc. Otherwise you would need to renegotiate.
And as far as I remember some parameters are not renegotiable. See comments
above this code.

Regards

Rüdiger
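
An added example, not part of the thread and not httpd's own code: a sketch of the reuse check discussed above, answering 421 whenever the vhost named in the request differs from the SNI vhost in any TLS setting. The struct, its fields, `check_connection_reuse`, `REUSE_OK` and the sample vhosts are hypothetical; strict equality of every field is an assumption chosen to fail closed.

```c
#include <stdio.h>
#include <string.h>

#define HTTP_MISDIRECTED_REQUEST 421   /* status code named in the patch */
#define REUSE_OK 0                     /* hypothetical "serve it" result */

/* Hypothetical, simplified TLS settings of one vhost (not httpd's structs). */
struct vhost_tls {
    const char *cert_id;        /* which certificate the vhost presents */
    unsigned    protocols;      /* bitmask of enabled protocol versions */
    const char *ciphers;        /* configured cipher string */
    int         verify_client;  /* client-certificate verification mode */
};

/* Constructed samples: b equals a, c differs in ciphers, d in certificate. */
static const struct vhost_tls vh_a = { "cert-1", 0x6, "HIGH:!aNULL", 0 };
static const struct vhost_tls vh_b = { "cert-1", 0x6, "HIGH:!aNULL", 0 };
static const struct vhost_tls vh_c = { "cert-1", 0x6, "HIGH:!aNULL:!SHA1", 0 };
static const struct vhost_tls vh_d = { "cert-2", 0x6, "HIGH:!aNULL", 0 };

/* sni: vhost the handshake was done for; req: vhost the request names. */
int check_connection_reuse(const struct vhost_tls *sni,
                           const struct vhost_tls *req)
{
    if (sni == NULL || req == NULL)
        return HTTP_MISDIRECTED_REQUEST;        /* fail closed */
    if (sni == req)
        return REUSE_OK;                        /* same vhost */
    /* The session was negotiated under sni's settings; anything that
     * differs would need a renegotiation, so refuse with 421 instead. */
    if (strcmp(sni->cert_id, req->cert_id) != 0 ||
        sni->protocols != req->protocols ||
        strcmp(sni->ciphers, req->ciphers) != 0 ||
        sni->verify_client != req->verify_client)
        return HTTP_MISDIRECTED_REQUEST;
    return REUSE_OK;
}

int main(void)
{
    printf("a->b: %d\n", check_connection_reuse(&vh_a, &vh_b));
    printf("a->c: %d\n", check_connection_reuse(&vh_a, &vh_c));
    printf("a->d: %d\n", check_connection_reuse(&vh_a, &vh_d));
    return 0;
}
```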
