On Tue 2015-06-09 13:43:59 -0400, Roy T. Fielding wrote:
> WRT renegotiation, it is fair to say that the WG punted on the idea
> due to lack of time. If someone figures out a way to safely
> renegotiate an h2 connection (and all of its streams), then go ahead
> and implement it, describe it in an
> On Jun 9, 2015, at 3:42 AM, Yann Ylavic wrote:
>
> It just needed to get out :)
>
> But I agree that since we are to implement the RFC, we must comply,
> and find a way to still comply with HTTP/1.
> Both checks on SNI and renegotiation occur in the post_read_request
> hook, so we should be ab
It just needed to get out :)
But I agree that since we are to implement the RFC, we must comply,
and find a way to still comply with HTTP/1.
Both checks on SNI and renegotiation occur in the post_read_request
hook, so we should be able to deal with vhost's parameters (configured
Protocols, Protoco
Yann, I am with you and feel at least unease about this mixing.
But the RFC has been approved and browsers will adhere to it. So if we do not
enforce some policies in the server, connections will fail for mysterious
reasons. And tickets will be raised...
> Am 09.06.2015 um 12:06 schrieb Yann Y
On Tue, Jun 9, 2015 at 11:21 AM, Stefan Eissing
wrote:
>
> Also from RFC 7540, 9.2.1
> "A deployment of HTTP/2 over TLS 1.2 MUST disable renegotiation.“
>
> (Once the h2 session is established, renegotiation may appear before that.)
>
> This is all a result of the „securing the web“ thinking where
Btw. I have the first report from a user that gets 400 answers in browsers when
mod_h2 is active because the browser reused the connection for another host.
Also from RFC 7540, 9.2.1
"A deployment of HTTP/2 over TLS 1.2 MUST disable renegotiation.“
(Once the h2 session is established, renegotiat
>
> What's the point of SNI if it can be used to select the correct vhost
> before the handshake (modulo the port...), but TLS must possibly be
> renegotiated later for subsequent requests?
>
In configs that use separate certificates, it gets you the correct one, and
these are n/a to the coalescin