On 08/28/2015 10:35 AM, Stefan Eissing wrote:
>
>> On 28.08.2015 at 10:32, Ruediger Pluem <[email protected]> wrote:
>> On 08/28/2015 09:32 AM, Stefan Eissing wrote:
>>>
>>>> On 28.08.2015 at 03:37, Roy T. Fielding <[email protected]> wrote:
>>>>> + if (r->connection->keepalives > 0) {
>>>>> + return HTTP_MISDIRECTED_REQUEST;
>>>>> + }
>>>>> return HTTP_BAD_REQUEST;
>>>>> }
>>>>> }
>>>>>
>>>> IIRC, it is applicable to HTTP/1.1 as well. Think misdirected requests
>>>> containing an absolute request URI that points to some other server.
>>>> I don't think the conditional is needed at all -- just return
>>>> HTTP_MISDIRECTED_REQUEST.
>>>
>>> Thanks for clarifying this.
>>>
>>>> Hmm, I wonder how this impacts Google's desire to allow multiple hosts
>>>> to reuse the same SPDY connection ... was that dropped for h2?
>>>
>>> It wasn't. Our implementation currently just goes the easy way. It needs to
>>> check that server/vhost from request and SNI indeed use the same
>>> certificate and if not, maybe even if altnames/wildcards match. But I am
>>> not sure that is a good idea.
>>
>> The issue is a little bit more complex. You need to ensure that the
>> server/vhost from the request is using the same SSL parameters as the
>> SNI host like protocols, ciphers, etc. Otherwise you would need to
>> renegotiate. And as far as I remember some parameters are not
>> renegotiable. See comments above this code.
>
> Hmm, I see. Since you know this more intimately than me: is checking the
> mod_ssl config of both for equality of certain members the way to solve this?
> It should either have the individual settings or the merged ones from the
> base server, right?
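
Review bot: The added `if (r->connection->keepalives > 0)` check makes the status depend on whether the connection has already served a request, so the same failing request gets HTTP_BAD_REQUEST when it is the first on the connection and HTTP_MISDIRECTED_REQUEST afterwards, and nothing in the hunk says why. Either drop the conditional and return HTTP_MISDIRECTED_REQUEST unconditionally, as the quoted reply suggests, or add a comment above the check explaining why first requests should keep the 400.
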
Interesting approach. I hope our SSL experts will chime in :-).
And yes the configs should have the individual settings or the merged ones from the base server which could be the default values.

Regards

Rüdiger
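
The equality check discussed in this thread, sketched as an added example (not code from the thread or from mod_ssl). The `tls_cfg` struct, its members and `check_vhost_reuse` are hypothetical, and unset members are assumed to inherit from the base server, so the comparison runs on effective values rather than on what each vhost spells out.

```c
#include <stdio.h>
#include <string.h>

#define HTTP_MISDIRECTED_REQUEST 421 /* defined locally so this runs stand-alone */

/* Hypothetical per-vhost TLS settings; NOT mod_ssl's real config struct. */
typedef struct {
    unsigned protocols;   /* bitmask of enabled protocols, 0 = not set here */
    const char *ciphers;  /* cipher string, NULL = not set here */
    const char *cert_id;  /* certificate identifier, NULL = not set here */
} tls_cfg;

/* Constructed sample configs: a base server and three vhosts. */
static const tls_cfg BASE = { 0x6, "HIGH:!aNULL", "cert-A" };
static const tls_cfg WWW  = { 0,   NULL,          NULL };  /* inherits all */
static const tls_cfg API  = { 0,   "HIGH:!aNULL", NULL };  /* explicit, equal */
static const tls_cfg OLD  = { 0x7, NULL,          NULL };  /* extra protocol */

/* Fill members the vhost leaves unset from the base server (the merge). */
static tls_cfg effective(const tls_cfg *vhost, const tls_cfg *base)
{
    tls_cfg e = *vhost;
    if (e.protocols == 0) e.protocols = base->protocols;
    if (e.ciphers == NULL) e.ciphers = base->ciphers;
    if (e.cert_id == NULL) e.cert_id = base->cert_id;
    return e;
}

static int same_str(const char *a, const char *b)
{
    return (a && b) ? strcmp(a, b) == 0 : a == b;
}

/* 0 if a request for req may reuse the connection negotiated for sni, else 421. */
int check_vhost_reuse(const tls_cfg *sni, const tls_cfg *req, const tls_cfg *base)
{
    tls_cfg a = effective(sni, base), b = effective(req, base);
    if (a.protocols != b.protocols || !same_str(a.ciphers, b.ciphers)
        || !same_str(a.cert_id, b.cert_id))
        return HTTP_MISDIRECTED_REQUEST;
    return 0;
}

int main(void)
{
    printf("www -> api: %d\n", check_vhost_reuse(&WWW, &API, &BASE));
    printf("www -> old: %d\n", check_vhost_reuse(&WWW, &OLD, &BASE));
    return 0;
}
```

`WWW` and `API` compare equal even though only one of them sets a cipher string, while `OLD` is rejected because its effective protocol mask differs from the one the connection was negotiated under.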
