On Thu, Aug 13, 2015 at 5:33 PM, <[email protected]> wrote:
> Author: icing
> Date: Thu Aug 13 15:33:07 2015
> New Revision: 1695727
>
> URL: http://svn.apache.org/r1695727
> Log:
> new directive ProtocolsHonorOrder, added documentation for Protocols feature,
> changed preference selection and config merging
>
> Modified:
> httpd/httpd/trunk/docs/manual/mod/core.xml
[]
>
> Modified: httpd/httpd/trunk/docs/manual/mod/core.xml
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/core.xml?rev=1695727&r1=1695726&r2=1695727&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/docs/manual/mod/core.xml (original)
> +++ httpd/httpd/trunk/docs/manual/mod/core.xml Thu Aug 13 15:33:07 2015
> @@ -3711,6 +3711,71 @@ Protocol https
>
>
> <directivesynopsis>
> + <name>Protocols</name>
> + <description>Protocols available for a server/virtual host</description>
> + <syntax>Protocols <var>protocol</var> ...</syntax>
> + <contextlist><context>server config</context><context>virtual
> host</context></contextlist>
> + <compatibility>Only available from Apache 2.4.17 and
> later.</compatibility>
> +
> + <usage>
> + <p>This directive specifies the list of protocols supported for a
> + server/virtual host. The list determines the allowed protocols
> + a client may negotiate for this server/host.</p>
> +
> + <p>You only need to set protocols if you want to limit the available
> + protocols for a server/host. By default, all supported protocols
> + are available to a client.</p>
> +
> + <p>For example, if you want to support only HTTP/1.1 for a server,
> even
> + though HTTP/2 is available, just specify this protocol only:</p>
> +
> + <highlight language="config">
> + Protocols http/1.1
> + </highlight>
It is not clear to me (still, see [1]) why Protocols would default like this, and h2 be available for all the vhosts (provided mod_http2 is loaded) unless the above is configured. IOW, I'd prefer "Protocols http/1.1" to be the default (at least for 2.4.x).

Also, since "http/1.1" is implicit, and ssl_callback_alpn_select() is unconditionally registered, we can end up negotiating "http/1.1" with the client even if it was not asked (and using ALPN extensions when not needed). Couldn't we instead either not register the callback or return SSL_TLSEXT_ERR_NOACK when no protocol is selected (including when no Protocols is configured)? I think POLS suggests that...

[]
> +</directivesynopsis>
> +
> +
> +<directivesynopsis>
> + <name>ProtocolsHonorOrder</name>
> + <description>Protocols available for a server/virtual host</description>
> + <syntax>ProtocolsHonorOrder On|Off</syntax>
> + <default>ProtocolsHonorOrder Off</default>

Again here I'd suggest "On" by default (e.g. SSLHonorCipherOrder is quite recommended today, if that's a valid analogy).

[]
> +</directivesynopsis>

Regards,
Yann.

[1] http://www.mail-archive.com/dev%40httpd.apache.org/msg62160.html
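Review bot: the Protocols directivesynopsis (first hunk, the block from `<name>Protocols</name>` to `</highlight>`) has no `<default>` element, although the ProtocolsHonorOrder synopsis in the same change does; the usage text only says that "all supported protocols are available to a client" by default, and since that default is exactly what the reply takes issue with, it should be stated explicitly in a `<default>` line (including that which protocols are "supported" depends on the modules loaded, as the reply notes for h2 and mod_http2). The usage text also never says that the order in which names are given to `Protocols` matters, yet the ProtocolsHonorOrder directive added in the same commit only makes sense if it does; a sentence on ordering, and an example listing more than one protocol next to `Protocols http/1.1`, would make the usage section complete. Minor: "Only available from Apache 2.4.17 and later" says the same thing twice; "Available in Apache 2.4.17 and later" is enough.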
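Review bot: the `<description>` of ProtocolsHonorOrder (second hunk) repeats the Protocols description word for word, "Protocols available for a server/virtual host", which is wrong for an On|Off switch; it should say what the switch decides, i.e. whether the server's `Protocols` order or the client's preference wins when more than one protocol is acceptable, for example `<description>Determines if order of Protocols determines precedence during negotiation</description>`. With `<default>ProtocolsHonorOrder Off</default>` the page should also state plainly that the client's preference then decides, so that a reader can weigh the reply's suggestion of defaulting to On against the SSLHonorCipherOrder analogy it draws.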
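To make concrete what the two directives and the SSL_TLSEXT_ERR_NOACK proposal in the reply change at the ALPN step, here is an added example in C. It is neither mod_ssl's ssl_callback_alpn_select() nor code from the commit: it reimplements the selection rule over the ALPN client list with the same return convention as an OpenSSL SSL_CTX_set_alpn_select_cb callback, with the SSL_TLSEXT_ERR_* values defined locally so the file builds without OpenSSL. The proto_conf struct, the alpn_pick/alpn_pick_rc wrappers and the client lists are hypothetical, constructed inputs. It deliberately has no implicit "http/1.1": with no Protocols configured, or nothing the client offered being allowed, it returns SSL_TLSEXT_ERR_NOACK, which is the behaviour the reply asks for, and it goes slightly beyond the text by treating a malformed client list as "nothing offered".

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same names and values as OpenSSL's <openssl/ssl.h>, defined locally so this
 * file builds without OpenSSL (assumption: 0 and 3 are OpenSSL's values). */
#define SSL_TLSEXT_ERR_OK    0
#define SSL_TLSEXT_ERR_NOACK 3

/* Hypothetical stand-in for one vhost's Protocols / ProtocolsHonorOrder settings. */
struct proto_conf {
    const char *const *protocols;  /* names in the order given to "Protocols a b c" */
    size_t nprotocols;             /* 0: no Protocols directive configured at all */
    int honor_order;               /* ProtocolsHonorOrder On (1) / Off (0) */
};

/* Return the configured protocol equal to the `len` bytes at `p`, or NULL. */
static const char *conf_lookup(const struct proto_conf *c, const unsigned char *p, unsigned len)
{
    for (size_t s = 0; s < c->nprotocols; s++)
        if (strlen(c->protocols[s]) == len && memcmp(p, c->protocols[s], len) == 0)
            return c->protocols[s];
    return NULL;
}

/* ALPN client list wire format: repeated (1-byte length, name bytes).
 * Returns 1 if `name` is offered; 0 if absent or the list is malformed. */
static int client_offers(const unsigned char *in, unsigned inlen, const char *name)
{
    size_t n = strlen(name);
    unsigned i = 0;
    while (i < inlen) {
        unsigned len = in[i];
        if (len == 0 || i + 1 + len > inlen) return 0;   /* malformed: treat as not offered */
        if (len == n && memcmp(in + i + 1, name, n) == 0) return 1;
        i += 1 + len;
    }
    return 0;
}

/* Same contract as the body of an SSL_CTX_set_alpn_select_cb callback: on
 * SSL_TLSEXT_ERR_OK, *out/*outlen name the chosen protocol; on
 * SSL_TLSEXT_ERR_NOACK the library omits the ALPN extension from its
 * ServerHello instead of acknowledging a protocol the client never asked for. */
int alpn_select(const struct proto_conf *conf, const unsigned char *in, unsigned inlen,
                const unsigned char **out, unsigned char *outlen)
{
    const char *chosen = NULL;
    *out = NULL;
    *outlen = 0;
    if (conf->nprotocols == 0)             /* nothing configured: do not ack ALPN */
        return SSL_TLSEXT_ERR_NOACK;
    if (conf->honor_order) {
        /* ProtocolsHonorOrder On: first server-listed name the client offered */
        for (size_t s = 0; s < conf->nprotocols && !chosen; s++)
            if (client_offers(in, inlen, conf->protocols[s]))
                chosen = conf->protocols[s];
    } else {
        /* ProtocolsHonorOrder Off: first client-listed name the server allows */
        unsigned i = 0;
        while (i < inlen && !chosen) {
            unsigned len = in[i];
            if (len == 0 || i + 1 + len > inlen) break;    /* malformed list */
            chosen = conf_lookup(conf, in + i + 1, len);
            i += 1 + len;
        }
    }
    if (!chosen)
        return SSL_TLSEXT_ERR_NOACK;
    *out = (const unsigned char *)chosen;  /* points at the NUL-terminated config name */
    *outlen = (unsigned char)strlen(chosen);
    return SSL_TLSEXT_ERR_OK;
}

/* Small wrappers for callers and tests: the chosen name (or NULL) and the code. */
const char *alpn_pick(const char *const *protos, size_t n, int honor_order,
                      const unsigned char *in, unsigned inlen)
{
    struct proto_conf c = { protos, n, honor_order };
    const unsigned char *out = NULL;
    unsigned char outlen = 0;
    return alpn_select(&c, in, inlen, &out, &outlen) == SSL_TLSEXT_ERR_OK
           ? (const char *)out : NULL;
}

int alpn_pick_rc(const char *const *protos, size_t n, int honor_order,
                 const unsigned char *in, unsigned inlen)
{
    struct proto_conf c = { protos, n, honor_order };
    const unsigned char *out = NULL;
    unsigned char outlen = 0;
    return alpn_select(&c, in, inlen, &out, &outlen);
}

/* Constructed inputs, not captured traffic: a server listing http/1.1 before h2,
 * and a client whose ALPN extension prefers h2 over http/1.1. */
const char *const kServerList[] = { "http/1.1", "h2" };
const unsigned char kClientOffer[] = { 2,'h','2', 8,'h','t','t','p','/','1','.','1' };
const unsigned char kClientH2Only[] = { 2,'h','2' };
const unsigned char kClientMalformed[] = { 9,'h','2' };   /* length runs past the end */

int main(void)
{
    const char *p;
    p = alpn_pick(kServerList, 2, 1, kClientOffer, sizeof kClientOffer);
    printf("ProtocolsHonorOrder On : %s\n", p ? p : "(NOACK)");   /* http/1.1 */
    p = alpn_pick(kServerList, 2, 0, kClientOffer, sizeof kClientOffer);
    printf("ProtocolsHonorOrder Off: %s\n", p ? p : "(NOACK)");   /* h2 */
    p = alpn_pick(kServerList, 0, 1, kClientOffer, sizeof kClientOffer);
    printf("no Protocols directive : %s\n", p ? p : "(NOACK)");   /* (NOACK) */
    return 0;
}
```

Build with `cc -std=c99 -Wall alpn_select.c && ./a.out`. With the server list putting http/1.1 before h2, HonorOrder On yields http/1.1 while Off yields the client's h2; with an empty list, or a client that only offers h2 to a server configured with `Protocols http/1.1`, the callback does not acknowledge ALPN at all rather than announcing a protocol the client did not ask for.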
