On Wed, Sep 2, 2015 at 7:54 PM, Stefan Eissing <[email protected]> wrote:
> If we want to be more safe, we can change the Protocols default to just
> http/1.1. Also the default for ordering we can change, np.
>
> Other opinions?

Thanks, LGTM (though I like the idea of ap_select_protocol() returning a different value whether the client proposed "http/1.1" or not - NULL?).

>
> For ALPN, afaik the callback only gets triggered if the client actually sends
> ALPN in its hello. Since "http/1.1" is the only identifier defined in the
> standard (for http version < 2), we cannot send any 1.0 or 0.9. And if the
> client does, it's an unidentified thing. ALPN says that the server is free to
> select even a protocol not mentioned in the client hello. So sending back
> "http/1.1" in case server/client wishes do not overlap is fine too. Either
> the client reconsiders or closes the connection.

Doesn't the server have the (optional) ability to enforce Protocols (close/alert by itself)?

>
> Legacy clients will not send ALPN, so the whole handshake will work as
> before. (modulo bugs)

Agreed.
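
The two outcomes discussed in this message (fall back to "http/1.1" when the lists do not overlap, or return NULL so the caller can enforce Protocols), as an added example that is not part of the original mail and is not httpd's code. The names alpn_pick and alpn_decide, the strict flag and the sample client list are assumptions made for illustration; the client list uses the one-length-byte-per-name layout of the ALPN extension.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper, not httpd's ap_select_protocol().
 * `offered` is the client's ALPN list: each entry is one length byte
 * followed by that many name bytes. Returns the first entry of `prefs`
 * (server preference order) that the client offered, or NULL when there
 * is no overlap or the list is malformed. */
const char *alpn_pick(const unsigned char *offered, size_t offered_len,
                      const char *const *prefs, size_t nprefs)
{
    size_t i, pos;
    /* Validate the whole list first: no empty names, no overrun. */
    for (pos = 0; pos < offered_len; pos += 1 + offered[pos]) {
        if (offered[pos] == 0 || offered[pos] > offered_len - pos - 1)
            return NULL;
    }
    for (i = 0; i < nprefs; i++) {
        size_t plen = strlen(prefs[i]);
        for (pos = 0; pos < offered_len; pos += 1 + offered[pos]) {
            if (offered[pos] == plen &&
                memcmp(offered + pos + 1, prefs[i], plen) == 0)
                return prefs[i];
        }
    }
    return NULL;
}

/* Policy wrapper (assumed): with `strict` set, no overlap yields NULL so
 * the caller can alert/close; otherwise fall back to "http/1.1". */
const char *alpn_decide(const unsigned char *offered, size_t offered_len,
                        const char *const *prefs, size_t nprefs, int strict)
{
    const char *p = alpn_pick(offered, offered_len, prefs, nprefs);
    return p ? p : (strict ? NULL : "http/1.1");
}

int main(void)
{
    /* Constructed sample: client offers only a protocol we do not serve. */
    static const unsigned char offered[] = "\x08spdy/3.1";
    const char *const prefs[] = { "h2", "http/1.1" };
    const char *p = alpn_decide(offered, sizeof offered - 1, prefs, 2, 0);
    printf("%s\n", p ? p : "(refuse)");
    return 0;
}
```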
