Hello,
On Sun, 2 Sep 2018 at 17:24, Willy Tarreau <[email protected]> wrote: > > Hi Lukas, > > On Sun, Sep 02, 2018 at 11:55:29AM +0200, Lukas Tribus wrote: > > Ok. I think with OpenSSL 1.1.1 we may be able to configure ALPN > > differently for RSA vs ECC certificates (of the same hostname), so by > > not enabling h2 on RSA certificates, we basically disable H2 for > > Chrome on Windows XP (Chrome using Microsoft's schannel supporting > > only RSA on XP). Chrome on Windows Vista would still be broken (as > > schannel on Vista supports ECC certificates), but the market share of > > Vista is probably negligible. This should help those that cannot break > > this unsupported browser/OS combination and still want to use H2. It's > > just a theory though at the moment, I need to test it. > > I like the idea very much! That's indeed something that could be > interesting to study. I even think there's nothing about it that > cannot be done with 1.0.2, it would deserve a test! I tried it and it works fine, crt-list looking like this: /etc/private/ssl/sitecert-rsa.pem [alpn http/1.1] /etc/private/ssl/sitecert-ecc.pem [alpn h2,http/1.1] However, openssl 1.1.1 (or boringssl) is required for this, also see commit 84e417d85934 ("MINOR: ssl: support Openssl 1.1.1 early callback for switchctx"). I doubt this can be done with older openssl. Regards, Lukas
