Re: svn commit: r1708593 - in /httpd/httpd/trunk: docs/manual/mod/mod_http2.xml modules/http2/h2_config.c modules/http2/h2_config.h modules/http2/h2_conn.c modules/http2/h2_h2.c modules/http2/h2_h2.h
Can you please choose a more specific directive name? Like "LimitTLSunderH2". We don't have switches for RFC compliance. We do have switches for stupid WG political positions that contradict common sense and are not applicable to non-Internet deployments. Roy > On Oct 14, 2015, at 5:10 AM, ic...@apache.org wrote: > > Author: icing > Date: Wed Oct 14 12:10:11 2015 > New Revision: 1708593 > > URL: http://svn.apache.org/viewvc?rev=1708593=rev > Log: > mod_http2: new directive H2Compliance on/off, checking TLS protocol and > cipher against RFC7540 > > Modified: >httpd/httpd/trunk/docs/manual/mod/mod_http2.xml >httpd/httpd/trunk/modules/http2/h2_config.c >httpd/httpd/trunk/modules/http2/h2_config.h >httpd/httpd/trunk/modules/http2/h2_conn.c >httpd/httpd/trunk/modules/http2/h2_h2.c >httpd/httpd/trunk/modules/http2/h2_h2.h >httpd/httpd/trunk/modules/http2/h2_switch.c > > Modified: httpd/httpd/trunk/docs/manual/mod/mod_http2.xml > URL: > http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_http2.xml?rev=1708593=1708592=1708593=diff > == > --- httpd/httpd/trunk/docs/manual/mod/mod_http2.xml (original) > +++ httpd/httpd/trunk/docs/manual/mod/mod_http2.xml Wed Oct 14 12:10:11 2015 
> @@ -74,11 +74,11 @@ > Direct communication means that if the first bytes received > by the > server on a connection match the HTTP/2 preamble, the HTTP/2 > protocol is switched to immediately without further > negotiation. > -This mode falls outside the RFC 7540 but has become widely > implemented > -on cleartext ports as it is very convenient for development > and testing. > +This mode is defined in RFC 7540 for the cleartext (h2c) > case. Its > +use on TLS connections is not allowed by the standard. > > > -Since this detection implies that the client will send data > on > +Since this detection requires that the client will send data > on > new connection immediately, direct HTTP/2 mode is disabled by > default. > > > Modified: httpd/httpd/trunk/modules/http2/h2_config.c > URL: > http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http2/h2_config.c?rev=1708593=1708592=1708593=diff > == > --- httpd/httpd/trunk/modules/http2/h2_config.c (original) > +++ httpd/httpd/trunk/modules/http2/h2_config.c Wed Oct 14 12:10:11 2015 > @@ -49,6 +49,7 @@ static h2_config defconf = { > 0,/* serialize headers */ > 0,/* h2 direct mode */ > -1, /* # session extra files */ > +1,/* rfc 7540 compliance */ > }; > > static int files_per_session = 0; > @@ -100,6 +101,7 @@ static void *h2_config_create(apr_pool_t > conf->serialize_headers= DEF_VAL; > conf->h2_direct= DEF_VAL; > conf->session_extra_files = DEF_VAL; > +conf->rfc_compliance = DEF_VAL; > return conf; > } > > @@ -138,6 +140,7 @@ void *h2_config_merge(apr_pool_t *pool, > n->serialize_headers = H2_CONFIG_GET(add, base, serialize_headers); > n->h2_direct = H2_CONFIG_GET(add, base, h2_direct); > n->session_extra_files = H2_CONFIG_GET(add, base, session_extra_files); > +n->rfc_compliance = H2_CONFIG_GET(add, base, rfc_compliance); > > return n; > } 
> @@ -162,6 +165,8 @@ int h2_config_geti(h2_config *conf, h2_c > return H2_CONFIG_GET(conf, , alt_svc_max_age); > case H2_CONF_SER_HEADERS: > return H2_CONFIG_GET(conf, , serialize_headers); > +case H2_CONF_COMPLIANCE: > +return H2_CONFIG_GET(conf, , rfc_compliance); > case H2_CONF_DIRECT: > return H2_CONFIG_GET(conf, , h2_direct); > case H2_CONF_SESSION_FILES: > @@ -332,8 +337,25 @@ static const char *h2_conf_set_direct(cm > return "value must be On or Off"; > } > > -#define AP_END_CMD AP_INIT_TAKE1(NULL, NULL, NULL, RSRC_CONF, NULL) > +static const char *h2_conf_set_compliance(cmd_parms *parms, > + void *arg, const char *value) > +{ > +h2_config *cfg = h2_config_sget(parms->server); > +if (!strcasecmp(value, "On")) { > +cfg->rfc_compliance = 1; > +return NULL; > +} > +else if (!strcasecmp(value, "Off")) { > +cfg->rfc_compliance = 0; > +return NULL; > +} > + > +(void)arg; > +return "value must be On or Off"; > +} > + > > +#define AP_END_CMD AP_INIT_TAKE1(NULL, NULL, NULL, RSRC_CONF, NULL) > > const command_rec h2_cmds[] = { > AP_INIT_TAKE1("H2MaxSessionStreams", h2_conf_set_max_streams, NULL, > @@ -354,6 +376,8 @@ const command_rec h2_cmds[] = { > RSRC_CONF, "set the
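Review bot: the `1` added to `defconf` in the h2_config.c `@@ -49,6 +49,7 @@` hunk turns the TLS protocol and cipher check on for every server that does not set the directive, and the comment `/* rfc 7540 compliance */` does not say so. State in the comment and in the directive's help text that the default is On and what happens to a connection that fails the check, since existing TLS configurations change behaviour with this commit without any edit on the administrator's side.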
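Review bot: in `h2_conf_set_compliance` (the `@@ -332,8 +337,25 @@` hunk) `(void)arg;` sits after both `return NULL;` branches, so it is only reached on the error path; move it to the top of the function. The body also repeats the On/Off parsing that `h2_conf_set_direct` ends with just above, down to the same "value must be On or Off" string; a shared helper, or registering the directive with AP_INIT_FLAG, would remove the second strcasecmp chain. The relocated `#define AP_END_CMD` line is unrelated whitespace churn and could be left where it was.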
Re: Thx and merit
+1, thanks Stefan!

On Wed, Oct 14, 2015 at 2:58 PM, Jim Jagielski wrote:
> The ASF is all about recognizing and rewarding merit. The whole
> "Apache Way" started here, with this project, and httpd has always
> been the sort of "guiding light" and example of how Apache projects
> (should) work.
>
> Inclusion of the HTTP/2 implementation for httpd, especially for
> the 2.4.x branch, is a substantial feather in our cap. But we
> would have been far behind the 8-ball if not for the funding by
> the GSM Association on greenbytes GmbH's mod_h2 work, and for
> the donation of that module to the ASF.
>
> Once again, I'd like to thank them personally!
Re: Thx and merit
Thanks to everyone for the kind words. It has been my pleasure to contribute to such a community as Apache and I plan on continuing doing so as much as possible.

Many thanks to Jim, Eric, Yann, Rainer, Kaspar and all the others that have made me welcome here right from the start and who helped me settle in. It's a project with an immense history and there is always something more to learn about it.

When Apache httpd now speaks HTTP/2, then it's mainly Tatsuhiro Tsujikawa's work in nghttp2 that made this feasible. Many thanks to his excellent work and his nice support!

As Jeff wrote: this all would not have happened if not for the sponsoring of the GSMA and Telefonica. Particularly Dan Druta and Istvan Lajtos have been driving the idea from the start and Oscar Gonzalez accompanied the project in its execution phase. Great work!

My employer, greenbytes, is also partly my company, so I could thank myself. However my partners, Julian Reschke and Martin Böttcher, also deserve thanks for supporting this endeavor. We are but a very small company and it is not possible to sponsor a full time person for a long duration. We will continue looking for sponsors to do work in Apache. Such projects really give the greatest worth for all parties involved as can be seen today.

Again, Thanks!

//Stefan

> On 14.10.2015 at 16:20, Yann Ylavic wrote:
>
> +1, thanks Stefan!
>
> On Wed, Oct 14, 2015 at 2:58 PM, Jim Jagielski wrote:
>> The ASF is all about recognizing and rewarding merit. The whole
>> "Apache Way" started here, with this project, and httpd has always
>> been the sort of "guiding light" and example of how Apache projects
>> (should) work.
>>
>> Inclusion of the HTTP/2 implementation for httpd, especially for
>> the 2.4.x branch, is a substantial feather in our cap. But we
>> would have been far behind the 8-ball if not for the funding by
>> the GSM Association on greenbytes GmbH's mod_h2 work, and for
>> the donation of that module to the ASF.
>>
>> Once again, I'd like to thank them personally!
Re: Thx and merit
> On Oct 14, 2015, at 10:02 AM, Nick Kew wrote:
>
> On Wed, 14 Oct 2015 08:58:48 -0400
> Jim Jagielski wrote:
>
>> Once again, I'd like to thank them personally!
>
> +1 to all that, with one small addition.
>
> Apache is about the individuals who participate. So the
> chief thanks go to Stefan, who is of course now one of us.

++1!
Re: svn commit: r1708593 - in /httpd/httpd/trunk: docs/manual/mod/mod_http2.xml modules/http2/h2_config.c modules/http2/h2_config.h modules/http2/h2_conn.c modules/http2/h2_h2.c modules/http2/h2_h2.h
And we were all just getting so warm and fuzzy here... ;-)

There are several areas where RFC 7540 says something that - let's say it like this - applies maybe to the Internet - whatever that is - but that Apache httpd should and will work in environments that have other needs.

Instead of an unspecific "H2Compliance", we can make individual directives to address these parts. We already have:
- H2Direct on|off, can enable direct mode on cleartext and TLS connections

We can add
- H2ModernTLSOnly on|off, to enforce TLS params as specified in the RFC and also enforced by modern browsers as described in https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
- H2UpgradeInTLS on|off, to allow HTTP/1.1 style Upgrade: on TLS connections
... (insert your wishes here)

//Stefan

> On 14.10.2015 at 16:55, Roy T. Fielding wrote:
>
> Can you please choose a more specific directive name? Like "LimitTLSunderH2".
>
> We don't have switches for RFC compliance. We do have switches for stupid WG
> political positions that contradict common sense and are not applicable to
> non-Internet deployments.
> > Roy > > >> On Oct 14, 2015, at 5:10 AM, ic...@apache.org wrote: >> >> Author: icing >> Date: Wed Oct 14 12:10:11 2015 >> New Revision: 1708593 >> >> URL: http://svn.apache.org/viewvc?rev=1708593=rev >> Log: >> mod_http2: new directive H2Compliance on/off, checking TLS protocol and >> cipher against RFC7540 >> >> Modified: >> httpd/httpd/trunk/docs/manual/mod/mod_http2.xml >> httpd/httpd/trunk/modules/http2/h2_config.c >> httpd/httpd/trunk/modules/http2/h2_config.h >> httpd/httpd/trunk/modules/http2/h2_conn.c >> httpd/httpd/trunk/modules/http2/h2_h2.c >> httpd/httpd/trunk/modules/http2/h2_h2.h >> httpd/httpd/trunk/modules/http2/h2_switch.c >> >> Modified: httpd/httpd/trunk/docs/manual/mod/mod_http2.xml >> URL: >> http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_http2.xml?rev=1708593=1708592=1708593=diff >> == >> --- httpd/httpd/trunk/docs/manual/mod/mod_http2.xml (original) >> +++ httpd/httpd/trunk/docs/manual/mod/mod_http2.xml Wed Oct 14 12:10:11 2015 
>> @@ -74,11 +74,11 @@ >>Direct communication means that if the first bytes received >> by the >>server on a connection match the HTTP/2 preamble, the HTTP/2 >>protocol is switched to immediately without further >> negotiation. >> -This mode falls outside the RFC 7540 but has become widely >> implemented >> -on cleartext ports as it is very convenient for development >> and testing. >> +This mode is defined in RFC 7540 for the cleartext (h2c) >> case. Its >> +use on TLS connections is not allowed by the standard. >> >> >> -Since this detection implies that the client will send data >> on >> +Since this detection requires that the client will send >> data on >>new connection immediately, direct HTTP/2 mode is disabled by >>default. >> >> >> Modified: httpd/httpd/trunk/modules/http2/h2_config.c >> URL: >> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http2/h2_config.c?rev=1708593=1708592=1708593=diff >> == >> --- httpd/httpd/trunk/modules/http2/h2_config.c (original) >> +++ httpd/httpd/trunk/modules/http2/h2_config.c Wed Oct 14 12:10:11 2015 >> @@ -49,6 +49,7 @@ static h2_config defconf = { >>0,/* serialize headers */ >>0,/* h2 direct mode */ >>-1, /* # session extra files */ >> +1,/* rfc 7540 compliance */ >> }; >> >> static int files_per_session = 0; >> @@ -100,6 +101,7 @@ static void *h2_config_create(apr_pool_t >>conf->serialize_headers= DEF_VAL; >>conf->h2_direct= DEF_VAL; >>conf->session_extra_files = DEF_VAL; >> +conf->rfc_compliance = DEF_VAL; >>return conf; >> } >> >> @@ -138,6 +140,7 @@ void *h2_config_merge(apr_pool_t *pool, >>n->serialize_headers = H2_CONFIG_GET(add, base, serialize_headers); >>n->h2_direct = H2_CONFIG_GET(add, base, h2_direct); >>n->session_extra_files = H2_CONFIG_GET(add, base, session_extra_files); >> +n->rfc_compliance = H2_CONFIG_GET(add, base, rfc_compliance); >> >>return n; >> } 
>> @@ -162,6 +165,8 @@ int h2_config_geti(h2_config *conf, h2_c >>return H2_CONFIG_GET(conf, , alt_svc_max_age); >>case H2_CONF_SER_HEADERS: >>return H2_CONFIG_GET(conf, , serialize_headers); >> +case H2_CONF_COMPLIANCE: >> +return H2_CONFIG_GET(conf, , rfc_compliance); >>case H2_CONF_DIRECT: >>return H2_CONFIG_GET(conf, , h2_direct); >>case H2_CONF_SESSION_FILES: >> @@ -332,8
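Review bot: the one mod_http2.xml hunk (`@@ -74,11 +74,11 @@`) rewrites the direct-mode description and leaves the new H2Compliance directive without a documentation entry; add a directive section that gives its default and names the TLS protocol and cipher conditions it checks. In the same hunk, "requires that the client will send data on new connection" reads better as "requires that the client send data on a new connection".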
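A check of the kind the proposed H2ModernTLSOnly describes, as an added example in C that is not code from mod_http2 or from this commit: it requires TLS 1.2 or later and, for TLS 1.2, approximates the RFC 7540 Appendix A black list by the property that list is built on (ephemeral key exchange plus AEAD) instead of the table itself. The function and enum names are hypothetical, and cipher suites are assumed to arrive as IANA names.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical verdicts for this example; not mod_http2 identifiers. */
enum h2_tls_verdict {
    H2_TLS_OK = 0,
    H2_TLS_NO_INFO,      /* protocol or cipher unknown: fail closed */
    H2_TLS_OLD_PROTOCOL, /* below TLS 1.2 */
    H2_TLS_WEAK_CIPHER   /* no ephemeral key exchange or no AEAD */
};

/* Protocol strings as OpenSSL's SSL_get_version() reports them. */
static int is_tls12_or_later(const char *proto)
{
    return strcmp(proto, "TLSv1.2") == 0 || strcmp(proto, "TLSv1.3") == 0;
}

/* Assumption: suite is an IANA name, e.g. TLS_ECDHE_RSA_WITH_... */
static int has_ephemeral_kx(const char *suite)
{
    return !strncmp(suite, "TLS_DHE_", 8) || !strncmp(suite, "TLS_ECDHE_", 10);
}

static int has_aead(const char *suite)
{
    return strstr(suite, "_GCM_") != NULL || strstr(suite, "_CCM") != NULL
        || strstr(suite, "CHACHA20_POLY1305") != NULL;
}

static enum h2_tls_verdict h2_tls_check(const char *proto, const char *suite)
{
    if (proto == NULL || suite == NULL || !*proto || !*suite)
        return H2_TLS_NO_INFO;
    if (!is_tls12_or_later(proto))
        return H2_TLS_OLD_PROTOCOL;
    /* The black list is written for TLS 1.2. TLS 1.3 suite names carry
     * no key exchange and are AEAD-only, so the name test is skipped. */
    if (strcmp(proto, "TLSv1.3") == 0)
        return H2_TLS_OK;
    return (has_ephemeral_kx(suite) && has_aead(suite))
        ? H2_TLS_OK : H2_TLS_WEAK_CIPHER;
}

int main(void)
{
    /* Constructed sample connections: { protocol, cipher suite }. */
    static const char *samples[][2] = {
        { "TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
        { "TLSv1.2", "TLS_RSA_WITH_AES_128_GCM_SHA256" },
        { "TLSv1.1", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" },
        { "TLSv1.3", "TLS_AES_128_GCM_SHA256" },
    };
    static const char *names[] = { "ok", "no info", "old protocol", "weak cipher" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s %-40s %s\n", samples[i][0], samples[i][1],
               names[h2_tls_check(samples[i][0], samples[i][1])]);
    return 0;
}
```

OpenSSL-style names such as ECDHE-RSA-AES128-GCM-SHA256 would need mapping to IANA names before this test applies.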
Re: Thx and merit
On 14.10.2015 at 14:58, Jim Jagielski wrote:
> The ASF is all about recognizing and rewarding merit. The whole
> "Apache Way" started here, with this project, and httpd has always
> been the sort of "guiding light" and example of how Apache projects
> (should) work.
>
> Inclusion of the HTTP/2 implementation for httpd, especially for
> the 2.4.x branch, is a substantial feather in our cap. But we
> would have been far behind the 8-ball if not for the funding by
> the GSM Association on greenbytes GmbH's mod_h2 work, and for
> the donation of that module to the ASF.
>
> Once again, I'd like to thank them personally!

+1 and big thanks to Stefan and Tatsuhiro Tsujikawa.

Looking forward to early adopters' experience!

Regards,

Rainer
Re: Thx and merit
My profound respect and gratitude to all the individuals involved in supporting, developing, testing and documenting h2.

With love and awe,
Buanzo.

On 14 Oct 2015 11:02 am, "Nick Kew" wrote:
> On Wed, 14 Oct 2015 08:58:48 -0400
> Jim Jagielski wrote:
>
> > Once again, I'd like to thank them personally!
>
> +1 to all that, with one small addition.
>
> Apache is about the individuals who participate. So the
> chief thanks go to Stefan, who is of course now one of us.
> And of course honourable mentions to other developers
> such as your good self.
>
> --
> Nick Kew
>
Re: http2 tests
On 14.10.2015 at 14:37, Stefan Eissing wrote:
> Need some advice on how to expand our test framework. We had the problem that current test on 421 return codes failed as the current setup makes that depend on vhosts/other config interference. Undesirable.
>
> Also, I am adding more RFC 7540 compliant behaviour which means mod_http2 will check TLS protocol and ciphers. For this I think mod_http2 needs its own host as I do not want to mess with SSL test setups that need to perform in various environments.
>
> Any advice on how to add a test host (e.g. real port) to our test suite in the most compatible way?

Not answering your question but related to the thread subject:

I noticed that the h2 tests do not run in a fixed order. That makes it a bit harder to compare test results, because the id of a failed test might change. Any idea why the order can change? I had a quick look, but didn't find a simple reason.

Regards,

Rainer
http2 tests
Need some advice on how to expand our test framework. We had the problem that current test on 421 return codes failed as the current setup makes that depend on vhosts/other config interference. Undesirable.

Also, I am adding more RFC 7540 compliant behaviour which means mod_http2 will check TLS protocol and ciphers. For this I think mod_http2 needs its own host as I do not want to mess with SSL test setups that need to perform in various environments.

Any advice on how to add a test host (e.g. real port) to our test suite in the most compatible way?

Thanks!

//Stefan
Re: http2 tests
On Wed, Oct 14, 2015 at 8:37 AM, Stefan Eissing wrote:
> Any advice on how to add a test host (e.g. real port) to our test suite in
> the most compatible way?

1426878 added an SSL vhost. It seems like there is a magic port assignment the config-generator and client share info about.
Thx and merit
The ASF is all about recognizing and rewarding merit. The whole "Apache Way" started here, with this project, and httpd has always been the sort of "guiding light" and example of how Apache projects (should) work.

Inclusion of the HTTP/2 implementation for httpd, especially for the 2.4.x branch, is a substantial feather in our cap. But we would have been far behind the 8-ball if not for the funding by the GSM Association on greenbytes GmbH's mod_h2 work, and for the donation of that module to the ASF.

Once again, I'd like to thank them personally!
Re: Thx and merit
On Wed, 14 Oct 2015 08:58:48 -0400
Jim Jagielski wrote:

> Once again, I'd like to thank them personally!

+1 to all that, with one small addition.

Apache is about the individuals who participate. So the chief thanks go to Stefan, who is of course now one of us. And of course honourable mentions to other developers such as your good self.

--
Nick Kew
Re: Thx and merit
On Wed, Oct 14, 2015 at 8:58 AM, Jim Jagielski wrote:
> Inclusion of the HTTP/2 implementation for httpd, especially for
> the 2.4.x branch, is a substantial feather in our cap. But we
> would have been far behind the 8-ball if not for the funding by
> the GSM Association on greenbytes GmbH's mod_h2 work, and for
> the donation of that module to the ASF.

+1!
Re: Thx and merit
Indeed, +1!

With regards,
Daniel

On 10/14/2015, 2:58:48 PM, Jim Jagielski wrote:
> The ASF is all about recognizing and rewarding merit. The whole
> "Apache Way" started here, with this project, and httpd has always
> been the sort of "guiding light" and example of how Apache projects
> (should) work.
>
> Inclusion of the HTTP/2 implementation for httpd, especially for
> the 2.4.x branch, is a substantial feather in our cap. But we
> would have been far behind the 8-ball if not for the funding by
> the GSM Association on greenbytes GmbH's mod_h2 work, and for
> the donation of that module to the ASF.
>
> Once again, I'd like to thank them personally!
>

--
Sent via Pony Mail for dev@httpd.apache.org.
View this email online at:
https://pony-poc.apache.org/list.html?dev@httpd.apache.org
Re: Thx and merit
On Wed, Oct 14, 2015 at 8:58 AM, Jim Jagielski wrote:
> The ASF is all about recognizing and rewarding merit. The whole
> "Apache Way" started here, with this project, and httpd has always
> been the sort of "guiding light" and example of how Apache projects
> (should) work.
>
> Inclusion of the HTTP/2 implementation for httpd, especially for
> the 2.4.x branch, is a substantial feather in our cap. But we
> would have been far behind the 8-ball if not for the funding by
> the GSM Association on greenbytes GmbH's mod_h2 work, and for
> the donation of that module to the ASF.
>
> Once again, I'd like to thank them personally!
>

+1!

--
Born in Roswell... married an alien...
http://emptyhammock.com/
Re: Thx and merit
And credits to Tatsuhiro Tsujikawa for his excellent nghttp2 Library work.

Steffen

On Wednesday 14/10/2015 at 16:04, Nick Kew wrote:
> On Wed, 14 Oct 2015 08:58:48 -0400
> Jim Jagielski wrote:
>
>> Once again, I'd like to thank them personally!
>
> +1 to all that, with one small addition.
>
> Apache is about the individuals who participate. So the
> chief thanks go to Stefan, who is of course now one of us.
> And of course honourable mentions to other developers
> such as your good self.
>
> --
> Nick Kew
Re: Thx and merit
On Wed, Oct 14, 2015 at 10:02 AM, Nick Kew wrote:
> On Wed, 14 Oct 2015 08:58:48 -0400
> Jim Jagielski wrote:
>
> > Once again, I'd like to thank them personally!
>
> +1 to all that, with one small addition.
>
> Apache is about the individuals who participate. So the
> chief thanks go to Stefan, who is of course now one of us.
> And of course honourable mentions to other developers
> such as your good self.
>
> --
> Nick Kew
>

I almost hate to say this because I don't want to take anything away from Stefan, but companies sponsoring work are essentially the people behind the scenes that we never hear about who are open to or are in fact the driving force for aligning business goals with development that can be shared with everyone else, sometimes at the risk of having it blow up in their face if somebody says the wrong thing or someone in the project can't separate suspected motivation from assessment of utility.

--
Born in Roswell... married an alien...
http://emptyhammock.com/