SNI requirement for H2

All,

While looking at https://github.com/molnarg/node-http2/issues/69 I came to
the realization that it appears we have (unintentionally) made it
impossible to speak h2 when connecting directly to an IP address (as in, IP
address typed into URL bar as opposed to hostname typed into URL bar) and
remain compliant with both the h2 spec and RFC 6066. 6066 specifies that
SNI is not to be sent for an IP literal, while h2 requires SNI. You can see
the conflict.

In node-http2, we have decided to relax the SNI requirement, and still
speak h2 to clients that don't give us any SNI, under the assumption that
this (IP in URL bar, or equivalent) is the case we are hitting. I had also
filed a bug against Firefox to stop advertising h2 in the cases where we
won't send SNI, but am rethinking that idea, as it was pointed out (rightly
so) that a lot of test servers never have a hostname associated with them,
and not being able to talk h2 to test servers seems like a Bad Idea :)

FWIW, I checked Safari, Chrome, IE (11 on Windows 7), and Firefox. Both
Safari and Chrome send SNI regardless of IP or hostname, so they will not
run into this problem. IE and Firefox both send SNI only for hostnames (at
least in the configurations I tested), so they will hit this problem.
(Obvious caveat: non-Firefox browsers may have changed their behavior in
later versions than I have access to, so of course my testing may not hold
true in the future.)

I talked briefly to Martin offline, and he says we may be able to get a
clarification on this point during AUTH48 to (my words, now, not his)
perhaps relax this restriction, or at least make it clear that you probably
don't need to require SNI in a testing situation, in order to avoid this
problem.

Thoughts?

Received on Friday, 3 April 2015 18:38:05 UTC
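
An added example, not part of the original message and not node-http2's own code: it reads SNI and ALPN out of a ClientHello and applies a strict or relaxed h2 policy to the IP-literal case described above. The function names, the `requireSni` option, the fallback to http/1.1 when h2 is declined, and the constructed ClientHello bytes are assumptions made for illustration.

```javascript
const net = require('net');
const EXT_SNI = 0, EXT_ALPN = 16; // TLS extension numbers: server_name, ALPN
// RFC 6066: literal IPv4/IPv6 addresses are not permitted in server_name.
const sniFor = (host) => (net.isIP(host) ? null : host);

// Parse one TLS record holding a ClientHello; truncated input throws RangeError.
function parseClientHello(buf) {
  if (buf.length < 9 || buf[0] !== 0x16 || buf[5] !== 0x01) throw new Error('not a ClientHello');
  let p = 5 + 4 + 2 + 32;             // record hdr, handshake hdr, version, random
  p += 1 + buf.readUInt8(p);          // session_id
  p += 2 + buf.readUInt16BE(p);       // cipher_suites
  p += 1 + buf.readUInt8(p);          // compression_methods
  const out = { sni: null, alpn: [] };
  if (p + 2 > buf.length) return out; // no extensions block at all
  const end = p + 2 + buf.readUInt16BE(p);
  p += 2;
  while (p + 4 <= end) {
    const type = buf.readUInt16BE(p), len = buf.readUInt16BE(p + 2);
    const body = buf.subarray(p + 4, p + 4 + len);
    if (type === EXT_SNI && body.length >= 5 && body[2] === 0) { // name_type host_name
      out.sni = body.subarray(5, 5 + body.readUInt16BE(3)).toString('ascii');
    } else if (type === EXT_ALPN) {
      for (let q = 2; q < body.length; q += 1 + body[q]) {
        out.alpn.push(body.subarray(q + 1, q + 1 + body[q]).toString('ascii'));
      }
    }
    p += 4 + len;
  }
  return out;
}

// Hypothetical server policy: requireSni=true declines h2 without SNI (assumed
// here to mean falling back to http/1.1); false is the relaxed behaviour.
function selectProtocol(hello, { requireSni }) {
  if (!hello.alpn.includes('h2')) return 'http/1.1';
  return hello.sni === null && requireSni ? 'http/1.1' : 'h2';
}

// Constructed sample: minimal ClientHello offering ALPN h2 + http/1.1, SNI optional.
function buildClientHello(host) {
  const u16 = (n) => Buffer.from([n >> 8, n & 0xff]);
  const v16 = (...parts) => { const b = Buffer.concat(parts); return Buffer.concat([u16(b.length), b]); };
  const alpn = ['h2', 'http/1.1'].map((s) => Buffer.from([s.length, ...Buffer.from(s)]));
  const exts = [Buffer.concat([u16(EXT_ALPN), v16(v16(...alpn))])];
  if (host) exts.unshift(Buffer.concat([u16(EXT_SNI), v16(v16(Buffer.from([0]), v16(Buffer.from(host))))]));
  const body = Buffer.concat([Buffer.from([3, 3]), Buffer.alloc(32), Buffer.from([0, 0, 2, 0x13, 0x01, 1, 0]), v16(...exts)]);
  const hs = Buffer.concat([Buffer.from([1, 0]), v16(body)]);
  return Buffer.concat([Buffer.from([0x16, 3, 1]), v16(hs)]);
}
```

With `requireSni: true`, a client that follows RFC 6066 and connects to `192.0.2.10` is declined h2, while the same client connecting by hostname gets it.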