Re: master connection + mod_ssl + http2

2015-10-23 Thread Jim Jagielski

> On Oct 21, 2015, at 10:25 AM, Graham Leggett  wrote:
> 
> On 21 Oct 2015, at 2:42 PM, Stefan Eissing  
> wrote:
> 
>> The basic changes:
>> 1. conn_rec->master is NULL for HTTP/1.1 connections, but points to the 
>> "real" connection for HTTP/2 requests.
>> 2. mod_ssl no longer initializes any SSLConnRec* for slave connections 
>> (conn_rec->master != NULL)
>> 3. lookup of ssl variables uses the master's sslconn->ssl if none is found 
>> on the connection itself
>> 4. ssl_hook_Access() that checks renegotiation fails with a FORBIDDEN for a 
>> slave connection with a note for the reason.
>>  This should allow mod_http2 to generate the correct HTTP/2 stream error
>> 5. ssl_hook_ReadReq() that checks for wrong host names now has an additional 
>> check for TLS compatibility which compares
>>  protocol, cipher suite, certificate and key file/path names and verify mode 
>> of the request server against the
>>  handshake server. This compatibility is strict equality and not as 
>> sophisticated as the renegotiation checks.
>> 
>> With these changes, mod_http2 has less work for the slave connection setup 
>> and no longer needs to disable ssl for those. While mod_ssl continues to be 
>> ignorant of mod_http2, as the same restrictions would apply to any protocol 
>> with slave connections. With a minor bump in MMN we can have this in the 
>> next 2.4.
> 
> Not having looked at the patch yet, the above seems to make sense.
> 

Sorry for the lateness:

+1



Re: master connection + mod_ssl + http2

2015-10-21 Thread Graham Leggett
On 21 Oct 2015, at 2:42 PM, Stefan Eissing  wrote:

> The basic changes:
> 1. conn_rec->master is NULL for HTTP/1.1 connections, but points to the 
> "real" connection for HTTP/2 requests.
> 2. mod_ssl no longer initializes any SSLConnRec* for slave connections 
> (conn_rec->master != NULL)
> 3. lookup of ssl variables uses the master's sslconn->ssl if none is found on 
> the connection itself
> 4. ssl_hook_Access() that checks renegotiation fails with a FORBIDDEN for a 
> slave connection with a note for the reason.
>   This should allow mod_http2 to generate the correct HTTP/2 stream error
> 5. ssl_hook_ReadReq() that checks for wrong host names now has an additional 
> check for TLS compatibility which compares
>   protocol, cipher suite, certificate and key file/path names and verify mode 
> of the request server against the
>   handshake server. This compatibility is strict equality and not as 
> sophisticated as the renegotiation checks.
> 
> With these changes, mod_http2 has less work for the slave connection setup 
> and no longer needs to disable ssl for those. While mod_ssl continues to be 
> ignorant of mod_http2, as the same restrictions would apply to any protocol 
> with slave connections. With a minor bump in MMN we can have this in the next 
> 2.4.

Not having looked at the patch yet, the above seems to make sense.

Regards,
Graham
—



Re: master connection + mod_ssl + http2

2015-10-21 Thread Yann Ylavic
Hi Stefan,

On Wed, Oct 21, 2015 at 2:42 PM, Stefan Eissing
 wrote:
> Played around with the concept of master connections today.
>
> I attached a patch that - I think - goes in the right direction.

Didn't look at all the details yet but it looks good to me.

One (aside) point, you should probably separate h2 changes from mod_ssl ones.
The former are CTR, but we'll still need a vote for the latter...
I think it also concerns a couple of commits you did lately; even
though changes to both modules are related, it will probably ease
backport to commit them separately.

>
> The basic changes:
[]
> 5. ssl_hook_ReadReq() that checks for wrong host names now has an additional 
> check for TLS compatibility which compares
>protocol, cipher suite, certificate and key file/path names and verify 
> mode of the request server against the
>handshake server. This compatibility is strict equality and not as 
> sophisticated as the renegotiation checks.

Thanks, we needed that!
It seems however that there are duplicates with the checks done in
ssl_hook_Access().
I'm not sure whether this can be expensive, but maybe we could do that
at one single place?
Also the check on the cipher suite looks more tolerant there, it may
be enough to check that the negotiated cipher is in the new vhost's
list.

Didn't look at the other points, yet ;)

Regards,
Yann.


master connection + mod_ssl + http2

2015-10-21 Thread Stefan Eissing
Played around with the concept of master connections today.

I attached a patch that - I think - goes in the right direction. But others 
know mod_ssl better than me. Feedback welcome!

The basic changes:
1. conn_rec->master is NULL for HTTP/1.1 connections, but points to the "real" 
connection for HTTP/2 requests.
2. mod_ssl no longer initializes any SSLConnRec* for slave connections 
(conn_rec->master != NULL)
3. lookup of ssl variables uses the master's sslconn->ssl if none is found on 
the connection itself
4. ssl_hook_Access() that checks renegotiation fails with a FORBIDDEN for a 
slave connection with a note for the reason.
   This should allow mod_http2 to generate the correct HTTP/2 stream error
5. ssl_hook_ReadReq() that checks for wrong host names now has an additional 
check for TLS compatibility which compares
   protocol, cipher suite, certificate and key file/path names and verify mode 
of the request server against the
   handshake server. This compatibility is strict equality and not as 
sophisticated as the renegotiation checks.

With these changes, mod_http2 has less work for the slave connection setup and 
no longer needs to disable ssl for those. While mod_ssl continues to be 
ignorant of mod_http2, as the same restrictions would apply to any protocol 
with slave connections. With a minor bump in MMN we can have this in the next 
2.4.

//Stefan

PS. There are more changes needed for mod_http2 as are in the patch. I did not 
want to make this too messy. The ssl changes are the relevant one...


ssl-master-conn.patch
Description: Binary data
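As an added example (not the attached patch and not httpd's own code), a compact C model of changes 2 to 5 listed above: the master walk for SSL lookups, the FORBIDDEN result for a slave that would need renegotiation, and the strict-equality compatibility check. Struct layouts, field names and return conventions are simplified assumptions, not mod_ssl's real ones.

```c
#include <string.h>

#define HTTP_FORBIDDEN 403
#define DECLINED       (-1)

/* Simplified stand-ins for httpd structures; the field names are our own. */
typedef struct SSLConnRec { void *ssl; } SSLConnRec;
typedef struct conn_rec {
    struct conn_rec *master;  /* NULL for HTTP/1.1; the real TLS connection for an HTTP/2 stream */
    SSLConnRec *sslconn;      /* change 2: never initialized on a slave connection */
} conn_rec;

typedef struct {
    const char *protocol, *cipher_suite, *cert_file, *key_file;
    int verify_mode;
} tls_server_cfg;  /* the per-vhost settings that change 5 compares */

/* Change 3: an ssl variable lookup walks to the master when the slave has no SSLConnRec. */
void *ssl_for_conn(const conn_rec *c) {
    for (; c; c = c->master)
        if (c->sslconn && c->sslconn->ssl)
            return c->sslconn->ssl;
    return NULL;
}

/* Change 4: a slave cannot renegotiate, so a per-location requirement that would
   trigger renegotiation yields FORBIDDEN plus a note that mod_http2 can map to a stream error. */
int access_check(const conn_rec *c, int needs_reneg, const char **note) {
    if (needs_reneg && c->master) {
        *note = "renegotiation not possible on a slave connection";
        return HTTP_FORBIDDEN;
    }
    return DECLINED;  /* let mod_ssl's normal handling continue */
}

static int same_str(const char *a, const char *b) {
    return (a == NULL || b == NULL) ? a == b : strcmp(a, b) == 0;
}

/* Change 5: strict equality between the request vhost and the handshake vhost
   (deliberately simpler than the renegotiation checks, as the post says). */
int tls_compatible(const tls_server_cfg *req, const tls_server_cfg *hs) {
    return same_str(req->protocol, hs->protocol)
        && same_str(req->cipher_suite, hs->cipher_suite)
        && same_str(req->cert_file, hs->cert_file)
        && same_str(req->key_file, hs->key_file)
        && req->verify_mode == hs->verify_mode;
}
```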