> On 28.08.2015 at 10:32, Ruediger Pluem <[email protected]> wrote:
> On 08/28/2015 09:32 AM, Stefan Eissing wrote:
>>
>>> On 28.08.2015 at 03:37, Roy T. Fielding <[email protected]> wrote:
>>>> + if (r->connection->keepalives > 0) { >>>> + return HTTP_MISDIRECTED_REQUEST; >>>> + } >>>> return HTTP_BAD_REQUEST; >>>> } >>>> } >>>>
>>> IIRC, it is applicable to HTTP/1.1 as well. Think misdirected requests containing
>>> an absolute request URI that points to some other server. I don't think the conditional
>>> is needed at all -- just return HTTP_MISDIRECTED_REQUEST.
>>
>> Thanks for clarifying this.
>>
>>> Hmm, I wonder how this impacts Google's desire to allow multiple hosts to reuse
>>> the same SPDY connection ... was that dropped for h2?
>>
>> It wasn't. Our implementation currently just goes the easy way. It needs to
>> check that server/vhost from request and SNI indeed use the same certificate
>> and if not, maybe even if altnames/wildcards match. But I am not sure that
>> is a good idea.
>
> The issue is a little bit more complex. You need to ensure that the
> server/vhost from the request is using the same SSL
> parameters as the SNI host like protocols, ciphers, etc. Otherwise you would
> need to renegotiate. And as far as I
> remember some parameters are not renegotiable. See comments above this code.
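
Review bot: The `keepalives > 0` test in the added lines makes the status code depend on the connection's keepalive count: when the count is 0 the code still falls through to `return HTTP_BAD_REQUEST;`, so the same failing check answers 400 in one case and 421 in the other. Either drop the conditional and return HTTP_MISDIRECTED_REQUEST unconditionally, or add a comment above the `if` stating why the zero-keepalives case should keep the 400 response.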

Hmm, I see. Since you know this more intimately than me: is checking the mod_ssl config of both for equality of certain members the way to solve this? It should either have the individual settings or the merged ones from the base server, right?

//Stefan

<green/>bytes GmbH
Hafenweg 16, 48155 Münster, Germany
Phone: +49 251 2807760. Amtsgericht Münster: HRB5782
