- From: Erik Nygren <erik@nygren.org>
- Date: Fri, 29 May 2015 17:02:38 -0400
- To: Martin Thomson <martin.thomson@gmail.com>
- Cc: Stefan Eissing <stefan.eissing@greenbytes.de>, HTTP Working Group <ietf-http-wg@w3.org>
- Message-ID: <CAKC-DJjbBd-Wffa=pY111jGOSbMnZaZMx7eHLarcr-0076qi8A@mail.gmail.com>
I have some concerns that in moving from a SHOULD NOT to a MAY, client behaviors on connection sharing may be underspecified in ways that make it very hard for server operators to avoid degenerate situations. Sending requests for arbitrary host headers down an HTTP/2 connection authenticated with a wildcard certificate could be highly problematic in some cases, even if the certificate matches. At a minimum, I'd strongly hope/encourage clients to only share connections if both hostnames DNS resolve to overlapping IP addresses. Otherwise you might end up talking to a server that wasn't even fully configured for accepting traffic for a given hostname or otherwise causing major problems for DNS-based load balancers. One aspect that could also be better specified is what clients can/should use for caching a 421 response. For example, most of {IP, Port, SNI-Sent, Authority, ALPN-Negotiated} should be used in the key for any caching of a 421 response. On Wed, May 27, 2015 at 12:33 PM, Martin Thomson <martin.thomson@gmail.com> > wrote: > > On 27 May 2015 at 06:03, Stefan Eissing <stefan.eissing@greenbytes.de> > wrote: > > However, for several reasons, the server might wish to answer such > requests with a 421. With the expectation that the client opens/reuses > another connection, using the relevant authority in the SNI on that > connection. Do client implementors/spec wizard agree that this is a > reasonable expectation? > > That is correct. 421 is specifically intended for this case and others > like it. > It does seem likely that a conservative behavior for servers may be to return a 421 response for any authority Host that doesn't match the SNI name sent. I'd hope that clients would then renegotate a TLS connection to an IP address that the Host actually resolves to while sending an SNI of the Host they plan to use. I was discussing with Mark that it may make sense to have an HTTP/2 extension for a server to explicitly indicate which subset of the TLS certificate hostnames are acceptable to use over a given connection so that a client doesn't have to try guessing. It may also make sense for us to work on an Informational draft (or h2 wiki page initially?) with operational guidance on connection sharing. Erik
Received on Friday, 29 May 2015 21:03:05 UTC