> You assume that a client talks to a server and that these two determine
> the security of the connection at connection setup.
> But does it also imply that CDNs may only talk h2 to clients if the backend
> connection they might possibly need is also h2 with all security
> requirements followed? And if the backend connection needs to be
> setup/reopened and fails some requirements, must all client connections be
> dropped?
Unless I am seriously misunderstanding the state of the art (or your
comment), the CDN presents itself as the origin (e.g. it has a TLS cert
valid for the origin). Whether it satisfies a request locally, via gateway
as some version of HTTP, or through gatewaying ftp is immaterial to the
communication with the client. The CDN-based origin could speak h2 to the
client in all those scenarios, but it would have to do so over TLS 1.2 and
with a cipher suite acceptable to RFC 7540.

> , I think this is not some esoteric gedankenmodell, but a real world
> scenario.

I don't know what that means (beyond the obvious guess), but I like the way
it sounds in my head :)
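As an added illustration of the TLS requirements the reply above refers to (this is example code written for this page, not code from the thread or from any CDN): a small Python check, modelled on RFC 7540 section 9.2, that a server, or a CDN presenting itself as the origin, would apply to an already-negotiated TLS connection before accepting h2, plus the GOAWAY frame carrying INADEQUATE_SECURITY (0xc) that section 9.2.2 allows an endpoint to send otherwise. Assumptions: cipher suites are given by their IANA names (Python's `ssl` module reports OpenSSL-style names, so a real deployment would map them first), and the Appendix A blacklist is not reproduced; it is approximated by the rule the section states it was built from (ephemeral key exchange plus an AEAD cipher), so it is a sketch of the policy, not the normative list.

```python
import struct

# Constructed example of an RFC 7540 section 9.2 gate for h2 over TLS.
# Cipher-suite names are assumed to be IANA-style, e.g.
# "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256". The Appendix A blacklist is
# approximated, not reproduced: for TLS 1.2 a suite is rejected if its key
# exchange is not ephemeral (ECDHE/DHE) or its cipher is not AEAD.

GOAWAY_FRAME_TYPE = 0x7        # RFC 7540 section 6.8
INADEQUATE_SECURITY = 0xC      # RFC 7540 section 7
MIN_DHE_BITS = 2048            # section 9.2.2 minimum for DHE
MIN_ECDHE_BITS = 224           # section 9.2.2 minimum for ECDHE
AEAD_MARKERS = ("_GCM_", "_CCM", "_CHACHA20_POLY1305")


def h2_tls_acceptable(tls_version, cipher, compression=False,
                      renegotiation=False, key_bits=None):
    """Return (ok, reason) for a negotiated TLS connection that wants h2.

    key_bits is the size of the ephemeral (EC)DHE group, if known.
    """
    if tls_version not in ("TLSv1.2", "TLSv1.3"):
        return False, "TLS 1.2 or higher is required (9.2)"
    if compression:
        return False, "TLS compression must be disabled (9.2.1)"
    if renegotiation:
        return False, "renegotiation must be disabled (9.2.1)"
    if tls_version == "TLSv1.3":
        # Every TLS 1.3 suite is AEAD with an ephemeral key exchange.
        return True, "ok"
    if not cipher.startswith("TLS_") or "_WITH_" not in cipher:
        return False, "unrecognised cipher suite name"
    key_exchange = cipher[len("TLS_"):].split("_WITH_")[0]   # e.g. ECDHE_RSA
    if key_exchange.startswith("ECDHE_"):
        minimum = MIN_ECDHE_BITS
    elif key_exchange.startswith("DHE_"):
        minimum = MIN_DHE_BITS
    else:
        return False, "non-ephemeral key exchange is blacklisted (9.2.2)"
    if not any(marker in cipher for marker in AEAD_MARKERS):
        return False, "non-AEAD cipher is blacklisted (9.2.2)"
    if key_bits is not None and key_bits < minimum:
        return False, "ephemeral key too small: %d < %d bits (9.2.2)" % (key_bits, minimum)
    return True, "ok"


def goaway_inadequate_security(last_stream_id=0, debug=b""):
    """Build a GOAWAY frame on stream 0 with error code INADEQUATE_SECURITY."""
    payload = struct.pack("!II", last_stream_id & 0x7FFFFFFF,
                          INADEQUATE_SECURITY) + debug
    # Frame header: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id.
    header = (struct.pack("!I", len(payload))[1:]
              + bytes([GOAWAY_FRAME_TYPE, 0x00])
              + struct.pack("!I", 0))
    return header + payload


def gate_h2_connection(tls_version, cipher, **tls_params):
    """Return (True, None) to admit h2, or (False, goaway_bytes) to refuse it."""
    ok, reason = h2_tls_acceptable(tls_version, cipher, **tls_params)
    if ok:
        return True, None
    return False, goaway_inadequate_security(debug=reason.encode("ascii"))


if __name__ == "__main__":
    # Constructed sample connections, one acceptable and one not.
    for version, suite in (("TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
                           ("TLSv1.2", "TLS_RSA_WITH_AES_128_CBC_SHA")):
        accepted, frame = gate_h2_connection(version, suite, key_bits=256)
        print(version, suite, "->", "h2 ok" if accepted else frame.hex())
```

The same gate applies regardless of how the CDN fulfils the request behind it (cache, HTTP/1.1 backend, h2 backend): what the client is entitled to rely on is the properties of its own TLS connection, which is exactly why the check lives at that connection and not at the backend one.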

