Re: sni+alpn, vhost+certs

2015-06-18 Thread Stefan Eissing
I have a patch for this now, but discovered that mod_h2 needs some more: In the ALPN propose callback, the module needs to know which vhost the connection is about. And not only that, it needs the server_rec of that to check its config. If the module is disabled in that vhost, it should not

Re: sni+alpn, vhost+certs

2015-06-18 Thread Yann Ylavic
On Thu, Jun 18, 2015 at 11:07 AM, Stefan Eissing stefan.eiss...@greenbytes.de wrote: It retrieves SNI servername via ssl_var_lookup, creates a fake request_rec, invokes ap_update_vhost_from_headers(). Not very elegant. a) is there another way? Maybe define a new ap_get_vhost_from_name() and

sni+alpn, vhost+certs

2015-06-17 Thread Stefan Eissing
Seems like a good idea to not place the ALPN patches into 2.4 - yet. During my tests, I discovered that the order of my vhost definitions affected the certificate chosen - when ALPN was in play. After some analysis, the following seems to occur. This is to make the mod_ssl people here aware and

Re: sni+alpn, vhost+certs

2015-06-17 Thread Eric Covener
On Wed, Jun 17, 2015 at 8:21 AM, Stefan Eissing stefan.eiss...@greenbytes.de wrote:
1. connection, setup for base server and defaults
2. client hello arrives
3. ALPN callback is invoked by openssl
4. ALPN protocol is chosen, this triggers the server answer
5. SNI callback is invoked by