Re: svn commit: r1708593 - in /httpd/httpd/trunk: docs/manual/mod/mod_http2.xml modules/http2/h2_config.c modules/http2/h2_config.h modules/http2/h2_conn.c modules/http2/h2_h2.c modules/http2/h2_h2.h

2015-10-14 Thread Roy T. Fielding
Can you please choose a more specific directive name? Like "LimitTLSunderH2".

We don't have switches for RFC compliance. We do have switches for stupid WG 
political positions that contradict common sense and are not applicable to 
non-Internet deployments.

Roy


> On Oct 14, 2015, at 5:10 AM, ic...@apache.org wrote:
> 
> Author: icing
> Date: Wed Oct 14 12:10:11 2015
> New Revision: 1708593
> 
> URL: http://svn.apache.org/viewvc?rev=1708593=rev
> Log:
> mod_http2: new directive H2Compliance on/off, checking TLS protocol and 
> cipher against RFC7540
> 
> Modified:
>   httpd/httpd/trunk/docs/manual/mod/mod_http2.xml
>   httpd/httpd/trunk/modules/http2/h2_config.c
>   httpd/httpd/trunk/modules/http2/h2_config.h
>   httpd/httpd/trunk/modules/http2/h2_conn.c
>   httpd/httpd/trunk/modules/http2/h2_h2.c
>   httpd/httpd/trunk/modules/http2/h2_h2.h
>   httpd/httpd/trunk/modules/http2/h2_switch.c
> 
> Modified: httpd/httpd/trunk/docs/manual/mod/mod_http2.xml
> URL: 
> http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_http2.xml?rev=1708593=1708592=1708593=diff
> ==
> --- httpd/httpd/trunk/docs/manual/mod/mod_http2.xml (original)
> +++ httpd/httpd/trunk/docs/manual/mod/mod_http2.xml Wed Oct 14 12:10:11 2015
> @@ -74,11 +74,11 @@
> Direct communication means that if the first bytes received 
> by the 
> server on a connection match the HTTP/2 preamble, the HTTP/2
> protocol is switched to immediately without further 
> negotiation.
> -This mode falls outside the RFC 7540 but has become widely 
> implemented
> -on cleartext ports as it is very convenient for development 
> and testing. 
> +This mode is defined in RFC 7540 for the cleartext (h2c) 
> case. Its
> +use on TLS connections is not allowed by the standard.
> 
> 
> -Since this detection implies that the client will send data 
> on
> +Since this detection requires that the client will send data 
> on
> new connection immediately, direct HTTP/2 mode is disabled by
> default.
> 
> 
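Review bot: the rewritten paragraph says direct mode on TLS connections "is not allowed by the standard" but does not say what the server does when H2Direct is switched on for a TLS virtual host, or how that relates to the H2Compliance directive named in the log message. Please state the resulting behaviour here and point to the directive. In the second changed sentence, "requires that the client will send data on new connection" would read better as "requires the client to send data on a new connection".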
> Modified: httpd/httpd/trunk/modules/http2/h2_config.c
> URL: 
> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http2/h2_config.c?rev=1708593=1708592=1708593=diff
> ==
> --- httpd/httpd/trunk/modules/http2/h2_config.c (original)
> +++ httpd/httpd/trunk/modules/http2/h2_config.c Wed Oct 14 12:10:11 2015
> @@ -49,6 +49,7 @@ static h2_config defconf = {
> 0,/* serialize headers */
> 0,/* h2 direct mode */
> -1,   /* # session extra files */
> +1,/* rfc 7540 compliance */
> };
> 
> static int files_per_session = 0;
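Review bot: the added defconf entry "1, /* rfc 7540 compliance */" makes the check default to on, so a server that picks up this revision without any configuration change starts applying the TLS protocol and cipher checks from the log message. That default should be spelled out in the directive documentation. The initializer is also positional, so the new entry must sit at exactly the position of rfc_compliance in the h2_config struct in h2_config.h; worth a second look, since that header is not shown here.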
> @@ -100,6 +101,7 @@ static void *h2_config_create(apr_pool_t
> conf->serialize_headers= DEF_VAL;
> conf->h2_direct= DEF_VAL;
> conf->session_extra_files  = DEF_VAL;
> +conf->rfc_compliance   = DEF_VAL;
> return conf;
> }
> 
> @@ -138,6 +140,7 @@ void *h2_config_merge(apr_pool_t *pool,
> n->serialize_headers = H2_CONFIG_GET(add, base, serialize_headers);
> n->h2_direct  = H2_CONFIG_GET(add, base, h2_direct);
> n->session_extra_files = H2_CONFIG_GET(add, base, session_extra_files);
> +n->rfc_compliance = H2_CONFIG_GET(add, base, rfc_compliance);
> 
> return n;
> }
> @@ -162,6 +165,8 @@ int h2_config_geti(h2_config *conf, h2_c
> return H2_CONFIG_GET(conf, , alt_svc_max_age);
> case H2_CONF_SER_HEADERS:
> return H2_CONFIG_GET(conf, , serialize_headers);
> +case H2_CONF_COMPLIANCE:
> +return H2_CONFIG_GET(conf, , rfc_compliance);
> case H2_CONF_DIRECT:
> return H2_CONFIG_GET(conf, , h2_direct);
> case H2_CONF_SESSION_FILES:
> @@ -332,8 +337,25 @@ static const char *h2_conf_set_direct(cm
> return "value must be On or Off";
> }
> 
> -#define AP_END_CMD AP_INIT_TAKE1(NULL, NULL, NULL, RSRC_CONF, NULL)
> +static const char *h2_conf_set_compliance(cmd_parms *parms,
> +  void *arg, const char *value)
> +{
> +h2_config *cfg = h2_config_sget(parms->server);
> +if (!strcasecmp(value, "On")) {
> +cfg->rfc_compliance = 1;
> +return NULL;
> +}
> +else if (!strcasecmp(value, "Off")) {
> +cfg->rfc_compliance = 0;
> +return NULL;
> +}
> +
> +(void)arg;
> +return "value must be On or Off";
> +}
> +
> 
> +#define AP_END_CMD AP_INIT_TAKE1(NULL, NULL, NULL, RSRC_CONF, NULL)
> 
> const command_rec h2_cmds[] = {
> AP_INIT_TAKE1("H2MaxSessionStreams", h2_conf_set_max_streams, NULL,
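Review bot: h2_conf_set_compliance duplicates the On/Off parsing that h2_conf_set_direct does directly above it (same "value must be On or Off" return), so every further switch will add another copy; a shared helper that parses the value into an int would remove that. The "(void)arg;" statement sits after both early returns and is reached only on the error path; move it to the top of the function. The names rfc_compliance and H2_CONF_COMPLIANCE are also wider than what the log message says is checked (TLS protocol and cipher), so a name that mentions TLS would describe the setting better.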
> @@ -354,6 +376,8 @@ const command_rec h2_cmds[] = {
>   RSRC_CONF, "set the 

Re: Thx and merit

2015-10-14 Thread Yann Ylavic
+1, thanks Stefan!

On Wed, Oct 14, 2015 at 2:58 PM, Jim Jagielski wrote:
> The ASF is all about recognizing and rewarding merit. The whole
> "Apache Way" started here, with this project, and httpd has always
> been the sort of "guiding light" and example of how Apache projects
> (should) work.
>
> Inclusion of the HTTP/2 implementation for httpd, especially for
> the 2.4.x branch, is a substantial feather in our cap. But we
> would have been far behind the 8-ball if not for the funding by
> the GSM Association on greenbytes GmbH's mod_h2 work, and for
> the donation of that module to the ASF.
>
> Once again, I'd like to thank them personally!


Re: Thx and merit

2015-10-14 Thread Stefan Eissing
Thanks to everyone for the kind words. It has been my pleasure
to contribute to such a community as Apache and I plan on 
continuing doing so as much as possible. 

Many thanks to Jim, Eric, Yann, Rainer, Kaspar and all the
others that have made me welcome here right from the start and 
who helped me settle in. It's a project with an immense history
and there is always something more to learn about it.

When Apache httpd now speaks HTTP/2, then it's mainly 
Tatsuhiro Tsujikawa's work in nghttp2 that made this feasible. 
Many thanks to his excellent work and his nice support!

As Jeff wrote: this all would not have happened if not for the 
sponsoring of the GSMA and Telefonica. Particularly
Dan Druta and Istvan Lajtos have been driving the idea from the
start and Oscar Gonzalez accompanied the project in its execution 
phase. Great work!

My employer, greenbytes, is also partly my company, so I could 
thank myself. However my partners, Julian Reschke and Martin Böttcher,
also deserve thanks for supporting this endeavor.

We are but a very small company and it is not possible to sponsor
a full time person for a long duration. We will continue looking
for sponsors to do work in Apache. Such projects really give 
the greatest worth for all parties involved as can be seen today.

Again, Thanks!

//Stefan

> On 14.10.2015 at 16:20, Yann Ylavic wrote:
> 
> +1, thanks Stefan!
> 
> On Wed, Oct 14, 2015 at 2:58 PM, Jim Jagielski wrote:
>> The ASF is all about recognizing and rewarding merit. The whole
>> "Apache Way" started here, with this project, and httpd has always
>> been the sort of "guiding light" and example of how Apache projects
>> (should) work.
>> 
>> Inclusion of the HTTP/2 implementation for httpd, especially for
>> the 2.4.x branch, is a substantial feather in our cap. But we
>> would have been far behind the 8-ball if not for the funding by
>> the GSM Association on greenbytes GmbH's mod_h2 work, and for
>> the donation of that module to the ASF.
>> 
>> Once again, I'd like to thank them personally!



Re: Thx and merit

2015-10-14 Thread Jim Jagielski

> On Oct 14, 2015, at 10:02 AM, Nick Kew wrote:
> 
> On Wed, 14 Oct 2015 08:58:48 -0400
> Jim Jagielski wrote:
> 
> 
>> Once again, I'd like to thank them personally!
> 
> +1 to all that, with one small addition.
> 
> Apache is about the individuals who participate.  So the
> chief thanks go to Stefan, who is of course now one of us.

++1!



Re: svn commit: r1708593 - in /httpd/httpd/trunk: docs/manual/mod/mod_http2.xml modules/http2/h2_config.c modules/http2/h2_config.h modules/http2/h2_conn.c modules/http2/h2_h2.c modules/http2/h2_h2.h

2015-10-14 Thread Stefan Eissing
And we were all just getting so warm and fuzzy here... ;-)

There are several areas where RFC 7540 says something that - let's say it 
like this - applies maybe to the Internet - whatever that is - but that
Apache httpd should and will work in environments that have other needs.

Instead of an unspecific "H2Compliance", we can make individual directives
to address these parts. 

We already have:
- H2Direct on|off, can enable direct mode on cleartext and TLS connections

We can add
- H2ModernTLSOnly on|off, to enforce TLS params as specified in the RFC and 
also enforced by modern browsers as described in 
https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
- H2UpgradeInTLS on|off, to allow HTTP/1.1 style Upgrade: on TLS connections
...
(insert your wishes here)

//Stefan

> On 14.10.2015 at 16:55, Roy T. Fielding wrote:
> 
> Can you please choose a more specific directive name? Like "LimitTLSunderH2".
> 
> We don't have switches for RFC compliance. We do have switches for stupid WG 
> political positions that contradict common sense and are not applicable to 
> non-Internet deployments.
> 
> Roy
> 
> 
>> On Oct 14, 2015, at 5:10 AM, ic...@apache.org wrote:
>> 
>> Author: icing
>> Date: Wed Oct 14 12:10:11 2015
>> New Revision: 1708593
>> 
>> URL: http://svn.apache.org/viewvc?rev=1708593=rev
>> Log:
>> mod_http2: new directive H2Compliance on/off, checking TLS protocol and 
>> cipher against RFC7540
>> 
>> Modified:
>>   httpd/httpd/trunk/docs/manual/mod/mod_http2.xml
>>   httpd/httpd/trunk/modules/http2/h2_config.c
>>   httpd/httpd/trunk/modules/http2/h2_config.h
>>   httpd/httpd/trunk/modules/http2/h2_conn.c
>>   httpd/httpd/trunk/modules/http2/h2_h2.c
>>   httpd/httpd/trunk/modules/http2/h2_h2.h
>>   httpd/httpd/trunk/modules/http2/h2_switch.c
>> 
>> Modified: httpd/httpd/trunk/docs/manual/mod/mod_http2.xml
>> URL: 
>> http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_http2.xml?rev=1708593=1708592=1708593=diff
>> ==
>> --- httpd/httpd/trunk/docs/manual/mod/mod_http2.xml (original)
>> +++ httpd/httpd/trunk/docs/manual/mod/mod_http2.xml Wed Oct 14 12:10:11 2015
>> @@ -74,11 +74,11 @@
>>Direct communication means that if the first bytes received 
>> by the 
>>server on a connection match the HTTP/2 preamble, the HTTP/2
>>protocol is switched to immediately without further 
>> negotiation.
>> -This mode falls outside the RFC 7540 but has become widely 
>> implemented
>> -on cleartext ports as it is very convenient for development 
>> and testing. 
>> +This mode is defined in RFC 7540 for the cleartext (h2c) 
>> case. Its
>> +use on TLS connections is not allowed by the standard.
>>
>>
>> -Since this detection implies that the client will send data 
>> on
>> +Since this detection requires that the client will send 
>> data on
>>new connection immediately, direct HTTP/2 mode is disabled by
>>default.
>>
>> 
>> Modified: httpd/httpd/trunk/modules/http2/h2_config.c
>> URL: 
>> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http2/h2_config.c?rev=1708593=1708592=1708593=diff
>> ==
>> --- httpd/httpd/trunk/modules/http2/h2_config.c (original)
>> +++ httpd/httpd/trunk/modules/http2/h2_config.c Wed Oct 14 12:10:11 2015
>> @@ -49,6 +49,7 @@ static h2_config defconf = {
>>0,/* serialize headers */
>>0,/* h2 direct mode */
>>-1,   /* # session extra files */
>> +1,/* rfc 7540 compliance */
>> };
>> 
>> static int files_per_session = 0;
>> @@ -100,6 +101,7 @@ static void *h2_config_create(apr_pool_t
>>conf->serialize_headers= DEF_VAL;
>>conf->h2_direct= DEF_VAL;
>>conf->session_extra_files  = DEF_VAL;
>> +conf->rfc_compliance   = DEF_VAL;
>>return conf;
>> }
>> 
>> @@ -138,6 +140,7 @@ void *h2_config_merge(apr_pool_t *pool,
>>n->serialize_headers = H2_CONFIG_GET(add, base, serialize_headers);
>>n->h2_direct  = H2_CONFIG_GET(add, base, h2_direct);
>>n->session_extra_files = H2_CONFIG_GET(add, base, session_extra_files);
>> +n->rfc_compliance = H2_CONFIG_GET(add, base, rfc_compliance);
>> 
>>return n;
>> }
>> @@ -162,6 +165,8 @@ int h2_config_geti(h2_config *conf, h2_c
>>return H2_CONFIG_GET(conf, , alt_svc_max_age);
>>case H2_CONF_SER_HEADERS:
>>return H2_CONFIG_GET(conf, , serialize_headers);
>> +case H2_CONF_COMPLIANCE:
>> +return H2_CONFIG_GET(conf, , rfc_compliance);
>>case H2_CONF_DIRECT:
>>return H2_CONFIG_GET(conf, , h2_direct);
>>case H2_CONF_SESSION_FILES:
>> @@ -332,8 

Re: Thx and merit

2015-10-14 Thread Rainer Jung

On 14.10.2015 at 14:58, Jim Jagielski wrote:

> The ASF is all about recognizing and rewarding merit. The whole
> "Apache Way" started here, with this project, and httpd has always
> been the sort of "guiding light" and example of how Apache projects
> (should) work.
>
> Inclusion of the HTTP/2 implementation for httpd, especially for
> the 2.4.x branch, is a substantial feather in our cap. But we
> would have been far behind the 8-ball if not for the funding by
> the GSM Association on greenbytes GmbH's mod_h2 work, and for
> the donation of that module to the ASF.
>
> Once again, I'd like to thank them personally!


+1 and big thanks to Stefan and Tatsuhiro Tsujikawa.

Looking forward to early adopters' experience!

Regards,

Rainer



Re: Thx and merit

2015-10-14 Thread Arturo 'Buanzo' Busleiman
My profound respect and gratitude to all the individuals involved in
supporting, developing, testing and documenting h2.

With love and awe,
Buanzo.
On 14 Oct 2015 11:02 am, "Nick Kew" wrote:

> On Wed, 14 Oct 2015 08:58:48 -0400
> Jim Jagielski wrote:
>
>
> > Once again, I'd like to thank them personally!
>
> +1 to all that, with one small addition.
>
> Apache is about the individuals who participate.  So the
> chief thanks go to Stefan, who is of course now one of us.
> And of course honourable mentions to other developers
> such as your good self.
>
> --
> Nick Kew
>


Re: http2 tests

2015-10-14 Thread Rainer Jung

On 14.10.2015 at 14:37, Stefan Eissing wrote:

> Need some advice on how to expand our test framework. We had the problem that 
> current test on 421 return codes failed as the current setup makes that depend 
> on vhosts/other config interference. Undesirable.
>
> Also, I am adding more RFC 7540 compliant behaviour which means mod_http2 will 
> check TLS protocol and ciphers. For this I think mod_http2 needs its own host 
> as I do not want to mess with SSL test setups that need to perform in various 
> environments.
>
> Any advice on how to add a test host (e.g. real port) to our test suite in the 
> most compatible way?


Not answering your question but related to the thread subject: I 
noticed that the h2 tests do not run in a fixed order. That makes it a 
bit harder to compare test results, because the id of a failed test 
might change. Any idea why the order can change? I had a quick look, but 
didn't find a simple reason.


Regards,

Rainer



http2 tests

2015-10-14 Thread Stefan Eissing
Need some advice on how to expand our test framework. We had the problem that 
current test on 421 return codes failed as the current setup makes that depend 
on vhosts/other config interference. Undesirable.

Also, I am adding more RFC 7540 compliant behaviour which means mod_http2 will 
check TLS protocol and ciphers. For this I think mod_http2 needs its own host 
as I do not want to mess with SSL test setups that need to perform in various 
environments.

Any advice on how to add a test host (e.g. real port) to our test suite in the 
most compatible way? 

Thanks!

//Stefan
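
Added example, not part of the original thread and not mod_http2 source: a check of a negotiated TLS protocol and cipher suite of the kind discussed above for H2ModernTLSOnly and in this message. It applies the criterion RFC 7540 Appendix A gives for its black list (no ephemeral key exchange, or a null, stream or block cipher) rather than the literal list; the function names, the protocol labels and the use of IANA suite names are assumptions of the example.

```c
/* Added example (not mod_http2 source): classify a negotiated TLS protocol
 * and IANA cipher suite name against RFC 7540 section 9.2. */
#include <stdio.h>
#include <string.h>

enum h2_tls_verdict { H2_TLS_OK, H2_TLS_OLD_PROTOCOL, H2_TLS_WEAK_CIPHER };

/* Hypothetical helper: rank protocol labels so they can be compared. */
static int tls_rank(const char *proto)
{
    static const char *known[] = { "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3" };
    for (int i = 0; i < 4; i++)
        if (strcmp(proto, known[i]) == 0)
            return 10 + i;
    return 0;                       /* SSLv3, empty or unknown label */
}

static int has_prefix(const char *s, const char *p)
{
    return strncmp(s, p, strlen(p)) == 0;
}

/* Section 9.2: TLS 1.2 or higher. Section 9.2.2 and Appendix A: on TLS 1.2,
 * avoid suites without ephemeral key exchange or with null, stream or
 * block (CBC) ciphers. This applies that criterion, not the literal list. */
enum h2_tls_verdict h2_check_tls(const char *proto, const char *suite)
{
    int rank = tls_rank(proto);
    if (rank < 12)
        return H2_TLS_OLD_PROTOCOL;
    if (rank > 12)
        return H2_TLS_OK;           /* the black list covers TLS 1.2 suites only */

    int ephemeral = has_prefix(suite, "TLS_DHE_") || has_prefix(suite, "TLS_ECDHE_");
    int aead = strstr(suite, "_GCM_") || strstr(suite, "_CCM")
            || strstr(suite, "CHACHA20_POLY1305");
    return (ephemeral && aead) ? H2_TLS_OK : H2_TLS_WEAK_CIPHER;
}

int main(void)
{
    /* Constructed sample connections: protocol label, IANA suite name. */
    static const char *samples[][2] = {
        { "TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
        { "TLSv1.2", "TLS_RSA_WITH_AES_128_GCM_SHA256" },        /* static RSA */
        { "TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" },  /* CBC mode */
        { "TLSv1.1", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA" },
    };
    static const char *text[] = { "ok", "protocol too old", "cipher not allowed" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s %-40s %s\n", samples[i][0], samples[i][1],
               text[h2_check_tls(samples[i][0], samples[i][1])]);
    return 0;
}
```

A server built on OpenSSL would first have to map OpenSSL's own cipher names to the IANA names used here.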

Re: http2 tests

2015-10-14 Thread Eric Covener
On Wed, Oct 14, 2015 at 8:37 AM, Stefan Eissing wrote:
> Any advice on how to add a test host (e.g. real port) to our test suite in 
> the most compatible way?

1426878 added an SSL vhost. It seems like there is a magic port
assignment the config-generator and client share info about.


Thx and merit

2015-10-14 Thread Jim Jagielski
The ASF is all about recognizing and rewarding merit. The whole
"Apache Way" started here, with this project, and httpd has always
been the sort of "guiding light" and example of how Apache projects
(should) work.

Inclusion of the HTTP/2 implementation for httpd, especially for
the 2.4.x branch, is a substantial feather in our cap. But we
would have been far behind the 8-ball if not for the funding by
the GSM Association on greenbytes GmbH's mod_h2 work, and for
the donation of that module to the ASF.

Once again, I'd like to thank them personally!


Re: Thx and merit

2015-10-14 Thread Nick Kew
On Wed, 14 Oct 2015 08:58:48 -0400
Jim Jagielski wrote:


> Once again, I'd like to thank them personally!

+1 to all that, with one small addition.

Apache is about the individuals who participate.  So the
chief thanks go to Stefan, who is of course now one of us.
And of course honourable mentions to other developers
such as your good self.

-- 
Nick Kew


Re: Thx and merit

2015-10-14 Thread Eric Covener
On Wed, Oct 14, 2015 at 8:58 AM, Jim Jagielski wrote:
> Inclusion of the HTTP/2 implementation for httpd, especially for
> the 2.4.x branch, is a substantial feather in our cap. But we
> would have been far behind the 8-ball if not for the funding by
> the GSM Association on greenbytes GmbH's mod_h2 work, and for
> the donation of that module to the ASF.

+1!


Re: Thx and merit

2015-10-14 Thread Daniel Gruno
Indeed, +1!

With regards,
Daniel

On 10/14/2015, 2:58:48 PM, Jim Jagielski wrote:
> The ASF is all about recognizing and rewarding merit. The whole
> "Apache Way" started here, with this project, and httpd has always
> been the sort of "guiding light" and example of how Apache projects
> (should) work.
> 
> Inclusion of the HTTP/2 implementation for httpd, especially for
> the 2.4.x branch, is a substantial feather in our cap. But we
> would have been far behind the 8-ball if not for the funding by
> the GSM Association on greenbytes GmbH's mod_h2 work, and for
> the donation of that module to the ASF.
> 
> Once again, I'd like to thank them personally!
> 


Re: Thx and merit

2015-10-14 Thread Jeff Trawick
On Wed, Oct 14, 2015 at 8:58 AM, Jim Jagielski wrote:

> The ASF is all about recognizing and rewarding merit. The whole
> "Apache Way" started here, with this project, and httpd has always
> been the sort of "guiding light" and example of how Apache projects
> (should) work.
>
> Inclusion of the HTTP/2 implementation for httpd, especially for
> the 2.4.x branch, is a substantial feather in our cap. But we
> would have been far behind the 8-ball if not for the funding by
> the GSM Association on greenbytes GmbH's mod_h2 work, and for
> the donation of that module to the ASF.
>
> Once again, I'd like to thank them personally!
>

+1!

-- 
Born in Roswell... married an alien...
http://emptyhammock.com/


Re: Thx and merit

2015-10-14 Thread Steffen


And credits to Tatsuhiro Tsujikawa for his excellent nghttp2 Library 
work.


Steffen


On Wednesday 14/10/2015 at 16:04, Nick Kew wrote:

> On Wed, 14 Oct 2015 08:58:48 -0400
> Jim Jagielski wrote:
>
> > Once again, I'd like to thank them personally!
>
> +1 to all that, with one small addition.
>
> Apache is about the individuals who participate.  So the
> chief thanks go to Stefan, who is of course now one of us.
> And of course honourable mentions to other developers
> such as your good self.
>
> --
> Nick Kew




Re: Thx and merit

2015-10-14 Thread Jeff Trawick
On Wed, Oct 14, 2015 at 10:02 AM, Nick Kew wrote:

> On Wed, 14 Oct 2015 08:58:48 -0400
> Jim Jagielski wrote:
>
>
> > Once again, I'd like to thank them personally!
>
> +1 to all that, with one small addition.
>
> Apache is about the individuals who participate.  So the
> chief thanks go to Stefan, who is of course now one of us.
> And of course honourable mentions to other developers
> such as your good self.
>
> --
> Nick Kew
>

I almost hate to say this because I don't want to take anything away from
Stefan, but companies sponsoring work are essentially the people behind the
scenes that we never hear about who are open to or are in fact the driving
force for aligning business goals with development that can be shared with
everyone else, sometimes at the risk of having it blow up in their face if
somebody says the wrong thing or someone in the project can't separate
suspected motivation from assessment of utility.

-- 
Born in Roswell... married an alien...
http://emptyhammock.com/