- From: Willy Tarreau <w@1wt.eu>
- Date: Sat, 26 Sep 2015 11:14:57 +0200
- To: Ilari Liusvaara <ilari.liusvaara@elisanet.fi>
- Cc: HTTP Working Group <ietf-http-wg@w3.org>

On Sat, Sep 26, 2015 at 11:01:44AM +0300, Ilari Liusvaara wrote:
> There is friction with HTTP/2 connection coalescing here:
> - "Global": If connection is for origins A and B, even if cert is
>   authorized for A, it might not be authorized for B.

Note, connection coalescing can only be performed by an entity having access to the cert, simply because HTTP passes *over* the authenticated TLS connection. Thus when it can happen (e.g.: reverse proxy, or CDN), it's the equipment's cert that will be presented to the server.

However we still need to make it possible and standard to pass the client-auth information *inside* HTTP so that each stream can carry the relevant information. That's what many SSL gateways do by adding X-SSL-whatever headers right now, and which could be much cleaner in HTTP/2.

Regards,
Willy

Received on Saturday, 26 September 2015 09:15:28 UTC
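
The gateway pattern mentioned in the message above, sketched as an added example that is not part of the original message or of any product's code: a TLS-terminating gateway attaches per-request client-auth headers, and the backend accepts them only from that gateway. The `X-SSL-Client-*` header names, the dictionary layout of `tls_client`, and the gateway network `10.0.0.0/28` are assumptions made for illustration.

```python
# Added example. Header names, data layout and addresses are assumptions.
import ipaddress

PREFIX = "x-ssl-"  # assumed namespace reserved for gateway-asserted facts
TRUSTED_GATEWAYS = [ipaddress.ip_network("10.0.0.0/28")]  # constructed value


def gateway_forward(client_headers, tls_client):
    """Build the headers a TLS-terminating gateway sends upstream.

    client_headers: headers received inside the client's TLS connection.
    tls_client: None if no client certificate was presented, otherwise a
    dict with 'verified', 'subject_dn' and 'serial' from the handshake.
    """
    # Drop anything the client itself put in the reserved namespace:
    # only the gateway may assert what happened at the TLS layer.
    out = {k: v for k, v in client_headers.items()
           if not k.lower().startswith(PREFIX)}
    if tls_client and tls_client["verified"]:
        out["X-SSL-Client-Verify"] = "SUCCESS"
        out["X-SSL-Client-DN"] = tls_client["subject_dn"]
        out["X-SSL-Client-Serial"] = tls_client["serial"]
    else:
        out["X-SSL-Client-Verify"] = "NONE"
    return out


def backend_client_identity(peer_ip, headers):
    """Return the client DN, or None if the request cannot vouch for one."""
    addr = ipaddress.ip_address(peer_ip)
    if not any(addr in net for net in TRUSTED_GATEWAYS):
        return None  # not from the gateway: the headers prove nothing
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("x-ssl-client-verify") != "SUCCESS":
        return None
    return h.get("x-ssl-client-dn")


if __name__ == "__main__":
    # Two requests that could share one gateway-to-backend connection,
    # each carrying its own client identity.
    for dn in ("CN=alice", "CN=bob"):
        req = gateway_forward({"Host": "a.example"},
                              {"verified": True, "subject_dn": dn, "serial": "01"})
        print(backend_client_identity("10.0.0.2", req))
```
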