Just an update on this topic: We currently allow only connection reuse for the server/vhost that was selected by the SNI, thanks to the patch by Yann.
However, the problem is deeper than I originally thought: SSL renegotiation is forbidden in HTTP/2, exactly due to concurrency issues. There is currently a debate on the http-wg mailing list about what to do about it, especially for sites that use client certificates. As Apache httpd, we can at the moment only advise server administrators to not enable HTTP/2 for servers/vhosts that make use of renegotiations.

We should probably log an error when ap_get_protocol() != "http/1.1" and renegotiation is attempted. Anyone know the best place to put that? ssl_hook_Access() seems to be the renegotiation monster. Not sure if I want to stick my fingers in there. But this seems to be the place to check the protocol and make a log error (at least)? Or do we make a connection_param_renegotiate hook that can stop renegotiation and set the proper response on the request?

//Stefan

<green/>bytes GmbH
Hafenweg 16, 48155 Münster, Germany
Phone: +49 251 2807760. Amtsgericht Münster: HRB5782
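The administrator-side advice above (keep HTTP/2 off on vhosts that trigger renegotiation) as an added configuration example, not part of the original post; hostnames, paths and certificate files are placeholders. The per-location `SSLVerifyClient require` in the second vhost is what forces mod_ssl to renegotiate after the request line has been read, so that vhost is pinned to HTTP/1.1 with the `Protocols` directive while the first vhost can keep h2.

```apache
# Constructed example configuration (placeholders, not from the original post).
Listen 443

# vhost A: SSL settings never change per directory, so no renegotiation
# is ever needed and HTTP/2 can be offered safely.
<VirtualHost *:443>
    ServerName www.example.com
    Protocols h2 http/1.1
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/www.crt
    SSLCertificateKeyFile /etc/ssl/example/www.key
    DocumentRoot /var/www/www
</VirtualHost>

# vhost B: client certificates are demanded only under /secure/. mod_ssl
# enforces that by renegotiating the TLS session after it knows the URL,
# which HTTP/2 forbids. Advertise HTTP/1.1 only on this vhost.
<VirtualHost *:443>
    ServerName secure.example.com
    Protocols http/1.1
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/secure.crt
    SSLCertificateKeyFile /etc/ssl/example/secure.key
    SSLCACertificateFile  /etc/ssl/example/client-ca.crt
    DocumentRoot /var/www/secure
    <Location "/secure/">
        # per-location change of SSLVerifyClient => renegotiation
        SSLVerifyClient require
        SSLVerifyDepth  2
    </Location>
</VirtualHost>
```

If the whole vhost can require client certificates at the VirtualHost level instead of inside a Location, the certificate is requested during the initial handshake, no renegotiation occurs, and that vhost can keep h2 enabled.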
