Re: same connection, different hosts from Erik Nygren on 2015-05-29 (ietf-http-wg@w3.org from April to June 2015)

From: Erik Nygren <erik@nygren.org>
Date: Fri, 29 May 2015 17:02:38 -0400
To: Martin Thomson <martin.thomson@gmail.com>
Cc: Stefan Eissing <stefan.eissing@greenbytes.de>, HTTP Working Group <ietf-http-wg@w3.org>
Message-ID: <CAKC-DJjbBd-Wffa=pY111jGOSbMnZaZMx7eHLarcr-0076qi8A@mail.gmail.com>

I have some concerns that in moving from a SHOULD NOT to a MAY, client
behaviors on connection sharing may be underspecified in ways that make it
very hard for server operators to avoid degenerate situations.  Sending
requests for arbitrary host headers down an HTTP/2 connection authenticated
with a wildcard certificate could be highly problematic in some cases, even
if the certificate matches.  At a minimum, I'd strongly hope/encourage
clients to only share connections if both hostnames DNS resolve to
overlapping IP addresses.  Otherwise you might end up talking to a server
that wasn't even fully configured for accepting traffic for a given
hostname or otherwise causing major problems for DNS-based load balancers.

One aspect that could also be better specified is what clients can/should
use for caching a 421 response.
For example, most of {IP, Port, SNI-Sent, Authority, ALPN-Negotiated}
should be used in the key for any caching of a 421 response.

On Wed, May 27, 2015 at 12:33 PM, Martin Thomson <martin.thomson@gmail.com>
> wrote:
> > On 27 May 2015 at 06:03, Stefan Eissing <stefan.eissing@greenbytes.de>
> wrote:
> > However, for several reasons, the server might wish to answer such
> requests with a 421. With the expectation that the client opens/reuses
> another connection, using the relevant authority in the SNI on that
> connection. Do client implementors/spec wizard agree that this is a
> reasonable expectation?
> > That is correct.  421 is specifically intended for this case and others
> like it.
>

It does seem likely that a conservative behavior for servers may be to
return a 421 response
for any authority Host that doesn't  match the SNI name sent.  I'd hope
that clients would then renegotate a TLS connection
to an IP address that the Host actually resolves to while sending an SNI of
the Host they plan to use.

I was discussing with Mark that it may make sense to have an HTTP/2
extension
for a server to explicitly indicate which subset of the TLS certificate
hostnames are
acceptable to use over a given connection so that a client doesn't have to
try guessing.

It may also make sense for us to work on an Informational draft (or h2 wiki
page initially?) with operational
guidance on connection sharing.

        Erik

Received on Friday, 29 May 2015 21:03:05 UTC