Re: http/1 opportunistic encryption

On 20/07/2015 8:35 p.m., Stefan Eissing wrote:
>> Am 20.07.2015 um 10:06 schrieb Erik Nygren:
>> This is helpful.  Since it sounds like both IIS/http.sys and Apache have http/2
>> implementations that effectively ignore :scheme by default and return https-scheme
>> content when receiving :scheme=http over h2+TLS, I wouldn't be surprised
>> if many other implementations ended up in the same boat.  I'm aware of one
>> other implementation that started off doing this as well.
> Well, as the one implementing http/2 in Apache, let me say that we do not "end" in
> this boat. We "start" in this boat because requirements and concepts of OE are new
> in http server configs. If existing servers treat port <=> scheme that seems
> a reasonable assumption *pre* OE.

The algorthm in RFC 7230 section 5.5 explicitly starts off with the clause:
   If the request-target is in absolute-form, the effective request URI
   is the same as the request-target.

The association of port<=>scheme is only placed later in the algorithm,
with clear guideline on what details have to be missing for it to be

For consistency, if nothing else, the same algorithm should be used for
HTTP/2 message interpretation. Only...

In HTTP/2 the :scheme pseudo-header and others needed to form
absolute-URI are mandatory. Which makes it always have a well-formed
request-target. That was intentionally done to avoid exactly this bug
from occuring. It saddens me greatly to hear that servers are ignoring
it already on grounds of that being how they treat HTTP/1.


Received on Monday, 20 July 2015 09:28:47 UTC