Added in r1701005.

> On 03.09.2015 at 11:49, Yann Ylavic <[email protected]> wrote:
>
> On Wed, Sep 2, 2015 at 7:54 PM, Stefan Eissing
> <[email protected]> wrote:
>> If we want to be more safe, we can change the Protocols default to just
>> http/1.1. Also the default for ordering we can change, np.
>>
>> Other opinions?
>
> Thanks, LGTM (though I like the idea of ap_select_protocol() returning
> a different value whether the client proposed "http/1.1" or not -
> NULL?).
>
>>
>> For ALPN, afaik the callback only gets triggered if the client actually
>> sends ALPN in its hello. Since "http/1.1" is the only identifier defined in
>> the standard (for http version < 2), we cannot send any 1.0 or 0.9. And if
>> the client does, it's an unidentified thing. ALPN says that the server is
>> free to select even a protocol not mentioned in the client hello. So sending
>> back "http/1.1" in case server/client wishes do not overlap is fine too.
>> Either the client reconsiders or closes the connection.
>
> Doesn't the server have the (optional) ability to enforce Protocols
> (close/alert by itself)?
>
>>
>> Legacy clients will not send ALPN, so the whole handshake will work as
>> before. (modulo bugs)
>
> Agreed.

<green/>bytes GmbH Hafenweg 16, 48155 Münster, Germany Phone: +49 251 2807760. Amtsgericht Münster: HRB5782
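
The two no-overlap policies discussed in this thread, as an added example that is not part of the original messages and is not httpd or mod_ssl code: the non-strict path answers "http/1.1" as described above, and the strict path models the optional enforcement asked about. All function, enum and variable names are hypothetical, and the input is assumed to be the client's ALPN list in wire format (one length byte followed by the name, repeated).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical names for this sketch; none of this is mod_ssl/httpd code. */
enum alpn_result { ALPN_SELECTED, ALPN_FALLBACK, ALPN_REJECT, ALPN_MALFORMED };

/* Scan the client's ALPN list (1-byte length + name, repeated).
 * Returns 1 if `name` is offered, 0 if not, -1 if the list is malformed. */
static int client_offers(const unsigned char *in, size_t inlen, const char *name)
{
    size_t i = 0, nlen = strlen(name);
    int found = 0;
    while (i < inlen) {
        size_t len = in[i++];
        if (len == 0 || len > inlen - i) return -1; /* empty or overlong name */
        if (len == nlen && memcmp(in + i, name, len) == 0) found = 1;
        i += len;
    }
    return found;
}

/* First server-preferred protocol the client also offered wins. With no
 * overlap, strict != 0 refuses; otherwise the server answers "http/1.1". */
enum alpn_result select_alpn(const unsigned char *in, size_t inlen,
        const char *const *prefs, size_t nprefs, int strict, const char **chosen)
{
    *chosen = NULL;
    if (inlen == 0 || client_offers(in, inlen, "") < 0)
        return ALPN_MALFORMED;       /* validate the whole list first */
    for (size_t p = 0; p < nprefs; p++)
        if (client_offers(in, inlen, prefs[p]) > 0) {
            *chosen = prefs[p];
            return ALPN_SELECTED;
        }
    if (strict) return ALPN_REJECT;  /* caller aborts the handshake */
    *chosen = "http/1.1";
    return ALPN_FALLBACK;
}

/* Constructed samples: one client offers h2 + http/1.1, one an unknown id. */
static const unsigned char offer_h2[] = "\x02h2\x08http/1.1";
static const unsigned char offer_other[] = "\x05" "proto";
static const char *const server_prefs[] = { "h2", "http/1.1" };
int main(void)
{
    const char *c;
    int r = select_alpn(offer_h2, sizeof offer_h2 - 1, server_prefs, 2, 0, &c);
    return printf("%d %s\n", r, c ? c : "(none)") < 0;
}
```

A client that sends no ALPN extension never reaches this selection at all, which is why legacy handshakes are unaffected.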
