- From: Brian Smith <brian@briansmith.org>
- Date: Tue, 28 Jan 2014 13:37:25 -0800
- To: Mike Belshe <mike@belshe.com>
- Cc: Martin Thomson <martin.thomson@gmail.com>, HTTP Working Group <ietf-http-wg@w3.org>
On Sat, Jan 25, 2014 at 5:01 AM, Mike Belshe <mike@belshe.com> wrote: > On the good news side, almost nobody uses client auth or renegotiation. > This is in part due to the fact that it just doesn't work well with any > protocol, HTTP/1 or otherwise. With that in mind, here's a strawman: 1. When "h2" has been negotiated (through ALPN/NPN/whatever), then TLS renegotiation MUST NOT be done on the connection. This would mean that if HTTP/2 is negotiated during the initial handshake then TLS renegotiation will never happen on the connection, and if HTTP/2 is negotiated during a renegotiation then no more renegotiation handshakes will be done. 2. If the server negotiates the protocol "h2r" then the client MUST immediately initiate a renegotiation, offering only the "h2" protocol, the client must wait for the renegotiation once it receives the hello_request, and the client MUST NOT send any application data or do any coalescing until the renegotiation handshake has completed. 3. Clients that offer the "h2" protocol during the initial handshake and that support TLS renegotiation for HTTP/1 connections SHOULD offer the "h2r" protocol during the initial handshake. Clients that do not support renegotiation MUST NOT offer the "h2r" protocol. The effect would be that there may only be one renegotiation on a HTTP/2 connection and that renegotiation must happen at the very beginning of the handshake, before any coalescing has been done and before any data has been sent. Note that "h2r" would implicitly disable False Start. The main advantage of this proposal is that it provides a way for servers that require client certificate authentication to work with HTTP/2, increasing backward compatibility. The secondary advantage of this proposal is that it prevents the issues that clients currently have of mapping requests/responses to client and/or server certificates. The primary disadvantage of this proposal is that it requires the application to be more aware of renegotiations than it previously was. Unlike the "http-tls-relaxed" option negotiation that I objected to before, the "h2r" option for negotiating renegotiation doesn't disclose any security-sensitive information, unless knowing that the client supports renegotiation or not is security-sensitive. AFAICT, it is an additional fingerprinting risk but it isn't otherwise security-sensitive assuming a correct and secure implementation of renegotiation by both parties (a big assumption). Cheers, Brian
Received on Tuesday, 28 January 2014 21:37:52 UTC