Re: New Version Notification for draft-nottingham-http2-encryption-02.txt

On Thu, Dec 12, 2013 at 03:52:22PM +1100, Mark Nottingham wrote:

(The difference between h2t and h2r)

> Yep, that's been discussed a few times, it's an open question.
> One possible use is that the server may want/need to know whether or
> not the client is validating the cert; e.g., a bank.

Or client knowing if server supports HTTP-over-HTTPS (sending HTTP
requests over HTTP/TLS)? Or does h2t or HTTP/2.0 already imply it?
I have seen at least one HTTP/1.1 server that fails in a dangerous
way[1] (and knowing it is Apache probably means there are a lot
more of those) if one tries using HTTP-over-HTTPS.

Also, internally using HTTPS on HTTPS could cause some (badly
written) things to fail as client and server could then disagree
about the protocol.

[1] Essentially, returning wrong data without error.


Received on Thursday, 12 December 2013 07:53:51 UTC