same connection, different hosts

This is an interop question in relation to 421, section 9.1.2.

When an HTTP/2 server has several virtual hosts configured over TLS, there might be an overlap in the subject alternative names (be it by wildcards or not). AFAIK clients are trying to reuse existing connections by checking their subject names for a match. Since the authority is specified for every stream, the server is able to identify the proper host to process the stream in.

However, for several reasons, the server might wish to answer such requests with a 421, with the expectation that the client opens/reuses another connection, using the relevant authority in the SNI on that connection. Do client implementors/spec wizards agree that this is a reasonable expectation?

The opposite of that behavior is a server that does not really care what SNI was specified on a connection and will happily dispatch requests based on the stream authority to its virtual servers. Especially servers with wildcard certificates will probably behave like that. This can lead to the client seeing different certificates for the same web resource, depending on which connection it already had open when starting a request. Without precaution, it might even get resources from different connections with different certificates for a specific browsing session, e.g. a web page.

A user of mod_h2 was confused since one of his test sites with an invalid cert became perfectly browsable as he had a wildcard cert on another vhost and had navigated there first…

Is this an issue? What would be the advice for client implementations / server configurations here? Apart from "don't do that", of course. I could imagine that some people who want to anti-shard their sites when using HTTP/2 might stumble into such situations.

Thanks,

  Stefan


<green/>bytes GmbH
Hafenweg 16, 48155 Münster, Germany
Phone: +49 251 2807760. Amtsgericht Münster: HRB5782

Received on Wednesday, 27 May 2015 13:03:55 UTC
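As an added illustration, not part of the original message and not mod_h2's own code: a small model of the two server behaviours discussed above. The client side coalesces connections as RFC 7540 section 9.1.1 allows (reuse only if the certificate on the open connection is valid for the new authority and the IP matches; the IP check is kept, the trust check is a boolean stand-in for real chain validation). The server side is either "strict" (a stream whose :authority resolves to a different vhost than the connection's SNI gets 421 Misdirected Request, and the client retries on a fresh connection with SNI = authority, section 9.1.2) or "lax" (dispatch purely on :authority). The vhost names, certificate SANs, the address 192.0.2.10 and the helper names are all constructed for this example; the scenario reproduces the mod_h2 user's surprise with a wildcard vhost and a second vhost whose certificate a browser would reject.

```python
from dataclasses import dataclass
from typing import Optional


def san_matches(san: str, host: str) -> bool:
    """RFC 6125-style name match: a leading '*' covers exactly one DNS label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    suffix = san[1:]                                  # ".example.com"
    return (host.endswith(suffix) and len(host) > len(suffix)
            and "." not in host[: -len(suffix)])


def cert_covers(sans: list, host: str) -> bool:
    return any(san_matches(s, host) for s in sans)


@dataclass
class Connection:
    sni: str            # server name sent in the ClientHello
    cert_sans: list     # SANs of the certificate the server presented
    ip: str
    cert_trusted: bool  # stand-in for chain validation against the trust store


def pick_connection(pool, authority, resolved_ip) -> Optional[Connection]:
    """Client-side coalescing (RFC 7540 9.1.1): reuse an open connection only if
    its certificate is valid for the new authority and the IP address matches."""
    for c in pool:
        if c.cert_trusted and c.ip == resolved_ip and cert_covers(c.cert_sans, authority):
            return c
    return None


@dataclass
class VHost:
    names: list         # ServerName / ServerAlias, wildcards allowed
    cert_sans: list
    cert_trusted: bool = True   # False models a self-signed / invalid cert

    def serves(self, host):
        return any(san_matches(n, host) for n in self.names)


@dataclass
class Server:
    vhosts: list
    strict: bool = True   # True: 421 when SNI vhost != authority vhost

    def select(self, name):
        """Name-based vhost selection, first match wins, first vhost is the default."""
        return next((v for v in self.vhosts if v.serves(name)), self.vhosts[0])

    def dispatch(self, sni, authority):
        """Status and vhost for a stream with :authority on a connection negotiated with sni."""
        by_sni, by_authority = self.select(sni), self.select(authority)
        if by_sni is by_authority:
            return 200, by_authority
        if self.strict:
            return 421, by_sni          # Misdirected Request: come back on a proper connection
        return 200, by_authority        # lax: whatever cert the connection has, serve it


def connect(pool, server, authority, ip):
    """New TLS connection with SNI = authority; the server presents that vhost's cert.
    A connection whose cert the client rejects never enters the pool."""
    v = server.select(authority)
    conn = Connection(sni=authority, cert_sans=list(v.cert_sans), ip=ip, cert_trusted=v.cert_trusted)
    if conn.cert_trusted:
        pool.append(conn)
    return conn


def fetch(pool, server, authority, ip="192.0.2.10"):
    """One request from a coalescing client that honours 421.
    Returns (status, SNI of the connection actually used, SANs of the cert it saw)."""
    conn = pick_connection(pool, authority, ip) or connect(pool, server, authority, ip)
    if not conn.cert_trusted:
        return "tls_error", conn.sni, tuple(conn.cert_sans)
    status, _ = server.dispatch(conn.sni, authority)
    if status == 421 and conn.sni != authority:
        # RFC 7540 9.1.2: retry once on a fresh connection with SNI = authority
        conn = connect(pool, server, authority, ip)
        if not conn.cert_trusted:
            return "tls_error", conn.sni, tuple(conn.cert_sans)
        status, _ = server.dispatch(conn.sni, authority)
    return status, conn.sni, tuple(conn.cert_sans)


def scenario(strict):
    """The mod_h2 user's setup (constructed): a vhost with an invalid cert next to a
    wildcard vhost. Browse www first, then the invalid-cert site."""
    server = Server(strict=strict, vhosts=[
        VHost(names=["bad.example.com"], cert_sans=["bad.example.com"], cert_trusted=False),
        VHost(names=["*.example.com"], cert_sans=["*.example.com"]),
    ])
    pool = []
    return fetch(pool, server, "www.example.com"), fetch(pool, server, "bad.example.com")


if __name__ == "__main__":
    for strict in (False, True):
        print("strict" if strict else "lax", scenario(strict))
```

With the lax server the second fetch succeeds over the reused connection and the client only ever sees the wildcard certificate, which is exactly the confusing outcome described above; with the strict server the 421 forces a new handshake with SNI bad.example.com, the invalid certificate is presented, and the client refuses it.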