—
Thierry Fournier
Web Performance & Security Expert
m: +33 6 68 69 21 85 | e: [email protected]
w: http://www.ozon.io/ | b: http://blog.ozon.io/
> On 17 Sep 2018, at 12:45, Emmanuel Hocdet <[email protected]> wrote:
>
> Hi Thierry,
>
>> On 15 Sep 2018, at 18:06, Thierry Fournier <[email protected]> wrote:
>>
>> Hi,
>>
>> I tried to use per-context options, in order to enable HTTP2 for a short
>> list of SNI. I just added lines like this:
>>
>>    /certif1.pem [alpn h2,http/1.1] my-h2-host.com
>>    /certif2.pem my-other-host.com
>>
>> This configuration works fine on Debian 8 with OpenSSL 1.0.2g, and doesn’t
>> work on Ubuntu 16.04 with OpenSSL 1.0.2l.
>>
>> I compiled the OpenSSL Debian package 1.0.2g on Ubuntu, and the feature is
>> enabled.
>>
>> My conclusion is that some versions of OpenSSL don’t support all
>> per-context options.
>>
>> Do you have an opinion?
>>
>
> Are you sure it's not the opposite: doesn't work with 1.0.2g?
>
> "Major changes between OpenSSL 1.0.2g and OpenSSL 1.0.2h [3 May 2016]
>
>    Modify behavior of ALPN to invoke callback after SNI/servername callback,
>    such that updates to the SSL_CTX affect ALPN."
>

Sorry, I mixed up the versions. The following is the reality:

   OpenSSL 1.0.2l  25 May 2017 => works
   OpenSSL 1.0.2g  1 Mar 2016 => doesn’t work.

The change explains the observed behavior!

br,
Thierry
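The version cut-off discussed in this thread, as an added example that is not part of the original messages: a Python check that reads the OpenSSL lines of `haproxy -vv` and reports whether the library is at or past 1.0.2h, the release whose changelog entry is quoted above. The sample output is constructed, the function names are hypothetical, and treating every release after 1.0.2h as keeping the new callback order is an assumption.

```python
import re

# First release whose changelog says the ALPN callback is invoked after the
# SNI/servername callback (quoted in the thread).
FIRST_FIXED = (1, 0, 2, "h")

# Matches "OpenSSL 1.0.2g"; LibreSSL/BoringSSL strings deliberately do not match.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return (major, minor, fix, patch_letters) from an OpenSSL version string."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError("no OpenSSL version found in %r" % (text,))
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), letters)


def _sort_key(version):
    major, minor, fix, letters = version
    # Patch letters order as "" < a < ... < z < za < zb: length first, then text.
    return (major, minor, fix, len(letters), letters)


def per_sni_alpn_supported(text):
    """True if the version is >= 1.0.2h, so a per-certificate alpn can apply."""
    return _sort_key(parse_openssl_version(text)) >= _sort_key(FIRST_FIXED)


def check_haproxy_vv(output):
    """Map the 'Built with' / 'Running on' OpenSSL lines of `haproxy -vv` to a bool."""
    result = {}
    for line in output.splitlines():
        label, sep, value = line.partition(" OpenSSL version :")
        if sep and label in ("Built with", "Running on"):
            result[label] = per_sni_alpn_supported(value)
    return result


# Constructed sample: built against 1.0.2g headers, running on a 1.0.2l library.
SAMPLE_VV = """\
Built with OpenSSL version : OpenSSL 1.0.2g  1 Mar 2016
Running on OpenSSL version : OpenSSL 1.0.2l  25 May 2017
"""

if __name__ == "__main__":
    for label, ok in check_haproxy_vv(SAMPLE_VV).items():
        print("%-10s -> per-SNI ALPN %s" % (label, "ok" if ok else "ignored"))
```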

