If we want to be safer, we can change the Protocols default to just http/1.1. Also, the default for ordering we can change, np.
Other opinions? For ALPN, afaik the callback only gets triggered if the client actually sends ALPN in its hello. Since "http/1.1" is the only identifier defined in the standard (for http version < 2), we cannot send any 1.0 or 0.9. And if the client does, it's an unidentified thing. ALPN says that the server is free to select even a protocol not mentioned in the client hello. So sending back "http/1.1" in case server/client wishes do not overlap is fine too. Either the client reconsiders or closes the connection. Legacy clients will not send ALPN, so the whole handshake will work as before. (modulo bugs)

> On 02.09.2015 at 18:20, Yann Ylavic <[email protected]> wrote:
>
>> On Thu, Aug 13, 2015 at 5:33 PM, <[email protected]> wrote:
>> Author: icing
>> Date: Thu Aug 13 15:33:07 2015
>> New Revision: 1695727
>>
>> URL: http://svn.apache.org/r1695727
>> Log:
>> new directive ProtocolsHonorOrder, added documentation for Protocols
>> feature, changed preference selection and config merging
>>
>> Modified:
>> httpd/httpd/trunk/docs/manual/mod/core.xml
> []
>>
>> Modified: httpd/httpd/trunk/docs/manual/mod/core.xml
>> URL:
>> http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/core.xml?rev=1695727&r1=1695726&r2=1695727&view=diff
>> ==============================================================================
>> --- httpd/httpd/trunk/docs/manual/mod/core.xml (original)
>> +++ httpd/httpd/trunk/docs/manual/mod/core.xml Thu Aug 13 15:33:07 2015
>> @@ -3711,6 +3711,71 @@ Protocol https >> >> >> <directivesynopsis> >> + <name>Protocols</name> >> + <description>Protocols available for a server/virtual host</description> >> + <syntax>Protocols <var>protocol</var> ...</syntax> >> + <contextlist><context>server config</context><context>virtual >> host</context></contextlist> >> + <compatibility>Only available from Apache 2.4.17 and >> later.</compatibility> >> + >> + <usage> >> + <p>This directive specifies the list of protocols supported for a >> + server/virtual host. The list determines the allowed protocols >> + a client may negotiate for this server/host.</p> >> + >> + <p>You only need to set protocols if you want to limit the available >> + protocols for a server/host. By default, all supported protocols >> + are available to a client.</p> >> + >> + <p>For example, if you want to support only HTTP/1.1 for a server, >> even >> + though HTTP/2 is available, just specify this protocol only:</p> >> + >> + <highlight language="config"> >> + Protocols http/1.1 >> + </highlight>
>
> It is not clear to me (still, see [1]) why Protocols would default
> like this, and h2 be available for all the vhosts (provided mod_http2
> is loaded) unless the above is configured.
> IOW, I'd prefer "Protocols http/1.1" to be the default (at least for 2.4.x).
>
> Also, since "http/1.1" is implicit, and ssl_callback_alpn_select() is
> unconditionally registered, we can end up negotiating proposing
> "http/1.1" with the client even if it was not asked (and using ALPN
> extensions when not needed).
> Couldn't we instead either not register the callback or return
> SSL_TLSEXT_ERR_NOACK when no protocol is selected (including when no
> Protocols is configured).
>
> I think POLS suggests that...
>
> []
>> +</directivesynopsis> >> + >> + >> +<directivesynopsis> >> + <name>ProtocolsHonorOrder</name> >> + <description>Protocols available for a server/virtual host</description> >> + <syntax>ProtocolsHonorOrder On|Off</syntax> >> + <default>ProtocolsHonorOrder Off</default>
>
> Again here I'd suggest "On" by default (eg. SSLHonorCipherOrder is
> quite recommended today, if that's a valid analogy).
>
> []
>> +</directivesynopsis>
>
> Regards,
> Yann.
>
> [1] http://www.mail-archive.com/dev%40httpd.apache.org/msg62160.html
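Review bot: in the ProtocolsHonorOrder synopsis near the end of the hunk, the `<description>` is a copy of the one given to Protocols (`<description>Protocols available for a server/virtual host</description>`), so the directive index will list an On|Off switch under a summary that describes the protocol list instead. Give it its own one-liner that matches the `<syntax>ProtocolsHonorOrder On|Off</syntax>` and `<default>ProtocolsHonorOrder Off</default>` lines, for example `<description>Determines if order of Protocols determines precedence during negotiation</description>`, so that the summary and the default read together.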
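The two behaviours argued about above (server-order versus client-order selection, and what to do when the client's ALPN list and the configured Protocols do not overlap) come down to a few lines of callback logic. The block below is an added example, not httpd's or OpenSSL's code: it models a server-side ALPN select callback against a stand-in `alpn_policy` struct that plays the role of `Protocols ...` and `ProtocolsHonorOrder On|Off`, with an extra `fallback_http11` flag for the "answer http/1.1 anyway" option versus returning NOACK. The list format and the return codes follow OpenSSL's `SSL_CTX_set_alpn_select_cb` contract, but the constants are redefined locally so the file builds without OpenSSL; the client lists are constructed, not captured.

```c
/* Added example, not httpd's code: a model of server-side ALPN selection.
 * Wire format and return codes follow OpenSSL's alpn_select_cb contract;
 * the constants are redefined so this builds without linking OpenSSL. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define ALPN_OK          0   /* SSL_TLSEXT_ERR_OK: *out/*outlen carry the choice */
#define ALPN_ALERT_FATAL 2   /* SSL_TLSEXT_ERR_ALERT_FATAL: abort the handshake  */
#define ALPN_NOACK       3   /* SSL_TLSEXT_ERR_NOACK: send no ALPN extension back */

struct alpn_policy {                /* assumed stand-in for the two directives */
    const char *protocols[8];       /* "Protocols ..." in configured order */
    size_t nprotocols;
    bool honor_order;               /* "ProtocolsHonorOrder On": server order wins */
    bool fallback_http11;           /* answer "http/1.1" even when nothing overlaps */
};

/* ALPN list = sequence of <1-byte length><name>; reject empty names and
 * lengths that run past the buffer before anything walks the list. */
static bool alpn_list_valid(const unsigned char *in, unsigned int inlen)
{
    for (unsigned int pos = 0; pos < inlen; pos += 1 + in[pos])
        if (in[pos] == 0 || pos + 1 + in[pos] > inlen)
            return false;
    return true;
}

static bool alpn_list_contains(const unsigned char *in, unsigned int inlen, const char *proto)
{
    size_t plen = strlen(proto);
    for (unsigned int pos = 0; pos < inlen; pos += 1 + in[pos])
        if (in[pos] == plen && memcmp(in + pos + 1, proto, plen) == 0)
            return true;
    return false;
}

static bool policy_has(const struct alpn_policy *p, const unsigned char *name, unsigned int len)
{
    for (size_t i = 0; i < p->nprotocols; i++)
        if (strlen(p->protocols[i]) == len && memcmp(p->protocols[i], name, len) == 0)
            return true;
    return false;
}

/* Same shape as an OpenSSL alpn_select callback, minus the SSL* and arg. */
int alpn_select(const struct alpn_policy *p, const unsigned char **out,
                unsigned char *outlen, const unsigned char *in, unsigned int inlen)
{
    if (!alpn_list_valid(in, inlen))
        return ALPN_ALERT_FATAL;

    if (p->honor_order) {           /* first configured entry the client offered */
        for (size_t i = 0; i < p->nprotocols; i++)
            if (alpn_list_contains(in, inlen, p->protocols[i])) {
                *out = (const unsigned char *)p->protocols[i];
                *outlen = (unsigned char)strlen(p->protocols[i]);
                return ALPN_OK;
            }
    } else {                        /* first client entry the server allows */
        for (unsigned int pos = 0; pos < inlen; pos += 1 + in[pos])
            if (policy_has(p, in + pos + 1, in[pos])) {
                *out = in + pos + 1;
                *outlen = in[pos];
                return ALPN_OK;
            }
    }
    if (p->fallback_http11) {       /* no overlap: the two options from the thread */
        *out = (const unsigned char *)"http/1.1";
        *outlen = 8;
        return ALPN_OK;
    }
    return ALPN_NOACK;
}

/* Wrapper for the demo: selected name in a static buffer, "" for NOACK,
 * NULL when the client list was rejected. */
const char *alpn_pick(const struct alpn_policy *p, const unsigned char *in, unsigned int inlen)
{
    static char buf[256];
    const unsigned char *out = NULL;
    unsigned char outlen = 0;
    int rc = alpn_select(p, &out, &outlen, in, inlen);
    if (rc == ALPN_ALERT_FATAL) return NULL;
    if (rc == ALPN_NOACK) return "";
    memcpy(buf, out, outlen);
    buf[outlen] = '\0';
    return buf;
}

/* Constructed ClientHello ALPN lists (not captured traffic). */
static const unsigned char CLIENT_H2_FIRST[]  = "\x02h2\x08http/1.1";
static const unsigned char CLIENT_SPDY_ONLY[] = "\x06spdy/3";
static const unsigned char CLIENT_MALFORMED[] = "\x09h2";   /* length overruns buffer */

static const struct alpn_policy SERVER_ORDER = { { "http/1.1", "h2" }, 2, true,  false };
static const struct alpn_policy CLIENT_ORDER = { { "http/1.1", "h2" }, 2, false, false };
static const struct alpn_policy STRICT_H11   = { { "http/1.1" },       1, false, false };
static const struct alpn_policy FALLBACK_H11 = { { "http/1.1" },       1, false, true  };

int main(void)
{
    printf("HonorOrder On  -> %s\n", alpn_pick(&SERVER_ORDER, CLIENT_H2_FIRST, sizeof CLIENT_H2_FIRST - 1));
    printf("HonorOrder Off -> %s\n", alpn_pick(&CLIENT_ORDER, CLIENT_H2_FIRST, sizeof CLIENT_H2_FIRST - 1));
    printf("spdy only, NOACK    -> \"%s\"\n", alpn_pick(&STRICT_H11, CLIENT_SPDY_ONLY, sizeof CLIENT_SPDY_ONLY - 1));
    printf("spdy only, fallback -> %s\n", alpn_pick(&FALLBACK_H11, CLIENT_SPDY_ONLY, sizeof CLIENT_SPDY_ONLY - 1));
    return 0;
}
```

With `Protocols http/1.1 h2` and `ProtocolsHonorOrder On` the server-order policy picks http/1.1 from a client that listed h2 first; with `Off` the same client gets h2. A client offering only spdy/3 gets no ALPN answer under the NOACK policy and "http/1.1" under the fallback policy, which is exactly the choice Yann and Stefan disagree on above. The length check at the top is the part a practitioner should not skip: the callback receives attacker-controlled bytes, and the OpenSSL contract lets `*out` point into that buffer.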
