On 21 Oct 2015, at 2:42 PM, Stefan Eissing <[email protected]> wrote:
> The basic changes:
> 1. conn_rec->master is NULL for HTTP/1.1 connections, but points to the
>    "real" connection for HTTP/2 requests.
> 2. mod_ssl no longer initializes any SSLConnRec* for slave connections
>    (conn_rec->master != NULL)
> 3. lookup of ssl variables uses the master's sslconn->ssl if none is found on
>    the connection itself
> 4. ssl_hook_Access() that checks renegotiation fails with a FORBIDDEN for a
>    slave connection with a note for the reason.
>    This should allow mod_http2 to generate the correct HTTP/2 stream error
> 5. ssl_hook_ReadReq() that checks for wrong host names now has an additional
>    check for TLS compatibility which compares protocol, cipher suite,
>    certificate and key file/path names and verify mode of the request server
>    against the handshake server. This compatibility is strict equality and
>    not as sophisticated as the renegotiation checks.
>
> With these changes, mod_http2 has less work for the slave connection setup
> and no longer needs to disable ssl for those. While mod_ssl continues to be
> ignorant of mod_http2, as the same restrictions would apply to any protocol
> with slave connections. With a minor bump in MMN we can have this in the next
> 2.4.

Not having looked at the patch yet, the above seems to make sense.

Regards,
Graham
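
The three mechanisms in points 3 to 5 above (sslconn lookup falling back to the master, refusing renegotiation on a slave connection, and the strict TLS-compatibility check in ssl_hook_ReadReq) in a self-contained C sketch. This is an added illustration and not code from Stefan's patch or from httpd; the struct shapes, the function names (lookup_sslconn, access_check, tls_compatible, read_req_check, the demo_* helpers) and the certificate paths are assumptions constructed for the example, while OK and HTTP_FORBIDDEN are httpd's real return codes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* httpd's real return codes for hook functions. */
#define OK 0
#define HTTP_FORBIDDEN 403

/* Simplified stand-ins for httpd's conn_rec and SSLConnRec (assumed shapes,
 * not the real structures). */
typedef struct tls_params {
    const char *protocol;      /* e.g. "TLSv1.2" */
    const char *cipher_suite;
    const char *cert_file;
    const char *key_file;
    int verify_mode;
} tls_params;

typedef struct ssl_conn_rec {
    void *ssl;                 /* stands in for the SSL* handle */
    tls_params handshake;      /* what was negotiated on the master connection */
} ssl_conn_rec;

typedef struct conn_rec {
    struct conn_rec *master;   /* NULL for HTTP/1.1; the real TLS connection for an HTTP/2 stream */
    ssl_conn_rec *sslconn;     /* NULL on slave connections: mod_ssl no longer sets one up */
} conn_rec;

/* Change 3: use the connection's own SSLConnRec, else fall back to the master's. */
static ssl_conn_rec *lookup_sslconn(conn_rec *c) {
    if (c->sslconn) return c->sslconn;
    if (c->master) return c->master->sslconn;
    return NULL;
}

/* Change 4: a per-location config that would require renegotiation is refused
 * on a slave connection (a stream cannot renegotiate the shared TLS session). */
static int access_check(conn_rec *c, bool needs_renegotiation) {
    if (!needs_renegotiation) return OK;
    if (c->master) return HTTP_FORBIDDEN;  /* mod_http2 turns this into a stream error */
    return OK;  /* a real master connection would renegotiate here */
}

static bool str_eq(const char *a, const char *b) {
    if (a == NULL || b == NULL) return a == b;
    return strcmp(a, b) == 0;
}

/* Change 5: strict equality of the request server's TLS settings with the
 * parameters of the handshake server; no attempt at "good enough" matching. */
static bool tls_compatible(const tls_params *req, const tls_params *hs) {
    return str_eq(req->protocol, hs->protocol)
        && str_eq(req->cipher_suite, hs->cipher_suite)
        && str_eq(req->cert_file, hs->cert_file)
        && str_eq(req->key_file, hs->key_file)
        && req->verify_mode == hs->verify_mode;
}

static int read_req_check(conn_rec *c, const tls_params *request_server) {
    ssl_conn_rec *sc = lookup_sslconn(c);
    if (sc == NULL) return OK;  /* cleartext connection, nothing to compare */
    return tls_compatible(request_server, &sc->handshake) ? OK : HTTP_FORBIDDEN;
}

/* Constructed scenario: one TLS master connection carrying one HTTP/2 stream. */
static ssl_conn_rec master_ssl = {
    NULL, { "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256",
            "/etc/ssl/a.example.crt", "/etc/ssl/a.example.key", 0 }
};
static conn_rec master_conn = { NULL, &master_ssl };
static conn_rec stream_conn = { &master_conn, NULL };

/* The stream has no SSLConnRec of its own but resolves to the master's. */
static int demo_stream_uses_master_ssl(void) {
    return lookup_sslconn(&stream_conn) == &master_ssl;
}

/* Status returned when the requested location needs renegotiation. */
static int demo_renegotiation_status(bool on_stream) {
    return access_check(on_stream ? &stream_conn : &master_conn, true);
}

/* A request routed to a vhost whose TLS setup matches the handshake passes;
 * one configured with a different certificate is refused. */
static int demo_vhost_status(const char *cert_file) {
    tls_params req = master_ssl.handshake;
    req.cert_file = cert_file;
    return read_req_check(&stream_conn, &req);
}

int main(void) {
    printf("stream resolves to master SSL: %d\n", demo_stream_uses_master_ssl());
    printf("renegotiation on stream -> %d, on master -> %d\n",
           demo_renegotiation_status(true), demo_renegotiation_status(false));
    printf("same cert -> %d, other cert -> %d\n",
           demo_vhost_status("/etc/ssl/a.example.crt"),
           demo_vhost_status("/etc/ssl/b.example.crt"));
    return 0;
}
```

The point of the strict check is that a request for a virtual host whose TLS configuration differs from the one that did the handshake cannot be served on an HTTP/2 stream at all, since the stream shares the master's session and cannot renegotiate; returning FORBIDDEN lets mod_http2 signal the failure per stream instead of tearing down the connection.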
