Re: SNI requirement for H2

Does anyone recall why 6066 has no SNI for IP literals? (It could be an
empty SNI field or the SNI could indicate the IP literal)?
-=R

On Fri, Apr 3, 2015 at 11:37 AM, Nicholas Hurley <hurley@mozilla.com> wrote:

> All,
>
> While looking at https://github.com/molnarg/node-http2/issues/69 I came
> to the realization that it appears we have (unintentionally) made it
> impossible to speak h2 when connecting directly to an IP address (as in, IP
> address typed into URL bar as opposed to hostname typed into URL bar) and
> remain compliant with both the h2 spec and RFC 6066. 6066 specifies that
> SNI is not to be sent for an IP literal, while h2 requires SNI. You can see
> the conflict.
>
> In node-http2, we have decided to relax the SNI requirement, and still
> speak h2 to clients that don't give us any SNI, under the assumption that
> this (IP in URL bar, or equivalent) is the case we are hitting. I had also
> filed a bug against Firefox to stop advertising h2 in the cases where we
> won't send SNI, but am rethinking that idea, as it was pointed out (rightly
> so) that a lot of test servers never have a hostname associated with them,
> and not being able to talk h2 to test servers seems like a Bad Idea :)
>
> FWIW, I checked Safari, Chrome, IE (11 on Windows 7), and Firefox. Both
> Safari and Chrome send SNI regardless of IP or hostname, so they will not
> run into this problem. IE and Firefox both send SNI only for hostnames (at
> least in the configurations I tested), so they will hit this problem.
> (Obvious caveat: non-Firefox browsers may have changed their behavior in
> later versions than I have access to, so of course my testing may not hold
> true in the future.)
>
> I talked briefly to Martin offline, and he says we may be able to get a
> clarification on this point during AUTH48 to (my words, now, not his)
> perhaps relax this restriction, or at least make it clear that you probably
> don't need to require SNI in a testing situation, in order to avoid this
> problem.
>
> Thoughts?
>

Received on Friday, 3 April 2015 19:07:03 UTC
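
The conflict described in the thread above, as an added example that is not code from node-http2 or from either poster: a client that follows RFC 6066 omits SNI for IP literals, and a server then chooses an ALPN protocol under a strict (SNI required for h2) or relaxed policy. The function names, the `requireSni` option and the sample URLs are assumptions made for illustration; the `{ servername, protocols }` argument is shaped like the one Node's `tls` `ALPNCallback` receives.

```javascript
// Added illustration; names and sample URLs are constructed, not from node-http2.

// Client side: RFC 6066 says SNI carries a DNS hostname, never an IP literal.
// The WHATWG URL parser canonicalises IPv4 forms and brackets IPv6, so the
// parsed hostname is enough to tell the two apart.
function sniFor(urlString) {
  const { hostname } = new URL(urlString);
  const isIPv6 = hostname.startsWith('[');
  const isIPv4 = /^\d{1,3}(\.\d{1,3}){3}$/.test(hostname);
  if (isIPv6 || isIPv4) return undefined;   // no server_name extension sent
  return hostname.replace(/\.$/, '');       // RFC 6066: no trailing dot
}

// Server side: pick an ALPN protocol from what the client offered.
// requireSni=true  -> h2 is refused when the ClientHello carried no SNI
// requireSni=false -> the relaxation described in the message above
function selectAlpn({ servername, protocols }, { requireSni }) {
  const offersH2 = protocols.includes('h2');
  if (offersH2 && (servername || !requireSni)) return 'h2';
  // Fall back to HTTP/1.1 if offered; undefined means no acceptable protocol.
  return protocols.includes('http/1.1') ? 'http/1.1' : undefined;
}

// One handshake's worth of decisions: client builds the hello, server selects.
function negotiate(urlString, offered, policy) {
  const hello = { servername: sniFor(urlString), protocols: offered };
  return selectAlpn(hello, policy);
}

// Constructed targets: documentation-range addresses and a reserved test name.
const targets = [
  'https://192.0.2.10:8443/',
  'https://[2001:db8::1]/',
  'https://test.example/',
];
for (const url of targets) {
  for (const requireSni of [true, false]) {
    const chosen = negotiate(url, ['h2', 'http/1.1'], { requireSni });
    const sni = sniFor(url) ?? '(none)';
    console.log(`${url} sni=${sni} requireSni=${requireSni} -> ${chosen}`);
  }
}
```

Under the relaxed policy the server has no name to select a certificate or virtual host by, so connections without SNI can only be served with its default identity.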