On 08/28/2015 09:32 AM, Stefan Eissing wrote:
>
>> On 28.08.2015 at 03:37, Roy T. Fielding <field...@gbiv.com> wrote:
>>> + if (r->connection->keepalives > 0) { >>> + return HTTP_MISDIRECTED_REQUEST; >>> + } >>> return HTTP_BAD_REQUEST; >>> } >>> } >>>
>> IIRC, it is applicable to HTTP/1.1 as well. Think misdirected requests containing
>> an absolute request URI that points to some other server. I don't think the conditional
>> is needed at all -- just return HTTP_MISDIRECTED_REQUEST.
>
> Thanks for clarifying this.
>
>> Hmm, I wonder how this impacts Google's desire to allow multiple hosts to reuse
>> the same SPDY connection ... was that dropped for h2?
>
> It wasn't. Our implementation currently just goes the easy way. It needs to
> check that server/vhost from request and SNI indeed use the same certificate
> and if not, maybe even if altnames/wildcards match. But I am not sure that is
> a good idea.
The issue is a little bit more complex. You need to ensure that the server/vhost from the request is using the same SSL parameters as the SNI host like protocols, ciphers, etc. Otherwise you would need to renegotiate. And as far as I remember some parameters are not renegotiable. See comments above this code.

Regards

Rüdiger
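
Review bot: the `r->connection->keepalives > 0` guard in the quoted hunk makes the status code depend on the connection's keepalive count rather than on the request being rejected: the same request gets HTTP_BAD_REQUEST when keepalives is 0 and HTTP_MISDIRECTED_REQUEST otherwise. Nothing in the hunk says why the two cases should differ, so clients see two different answers for one condition. Either return HTTP_MISDIRECTED_REQUEST unconditionally, as suggested in the reply, or add a comment above the `if` stating why keepalives is the right discriminator.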