> > As you may see, the RFC clearly states that a valid certificate is an
> > ADDITIONAL condition. In other words, if an existing connection CAN be
> > reused for HTTP, only then should you check for the additional requirement -
> > the certificate should be valid.
>
> So you're now arguing that if a browser would speak HTTP/2 over plain TCP you
> think it should reuse connections for this setup even when there's no certs
> involved?
>

No, I'm 100% sure the browser MUST NOT reuse a connection to IP_ADDR_2 while
speaking to host_2.domain.com, if host_2.domain.com doesn't have an A or AAAA
record matching IP_ADDR_2. Regardless of HTTP or HTTPS being used.

> I think we're mostly moving in circles.

Yep, looks like we are.

> I've not seen you explain how this causes actual real-life problems (in a
> scenario where you don't install a malicious party's CA cert yourself). Can
> you help me understand?

Real life example.

Corporate intranet. Intranet sites are accessible via TLS encrypted
connections, all of them are sharing a wildcard certificate, something like
*.intranet.company.com
The certificate is not malicious, this is a legitimate certificate.

Host_1.intranet.domain.com has 2 mirrors - one on the server with IP_1_v4
and IP_2_v6.
The 2nd mirror is on another server, which has only a v4 address: IP_3_v4.
Host_2.intranet.domain.com is a smaller web site, which is hosted only on one
single IP_3_v4.

What happens is that users are unable to access host_2.intranet.domain.com
using Firefox because FF is always trying to re-use the connection to IP_2_v6.

We are arguing about RFC interpretation. I can see several places in the RFC
proving your implementation is wrong:

Section 9.1

   Clients SHOULD NOT open more than one HTTP/2 connection to a given
   host and port pair, where the host is derived from a URI, a selected
   alternative service [ALT-SVC], or a configured proxy.

Let's look at the URI https://host_2.intranet.company.com/ . The only
possible host and port pair that can derive from that URI is IP_3_v4:443 .
Therefore the browser must open a new connection and not try to reuse the old
one to IP_2_v6.

Section 9.1.1

As I said before, a valid certificate is an ADDITIONAL condition (which is
clearly stated in the RFC) for HTTPS connections. I.e. the certificate should
be considered only if all the rest of the conditions are met and the authority
of the server is established.
I.e. the presence of a wildcard certificate can't be a REASON why a connection
is reused. It's just an additional condition to determine if a connection can
be reused or not.
_______________________________________________
dev-tech-network mailing list
https://lists.mozilla.org/listinfo/dev-tech-network
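
The reuse decision argued for in the message above, set beside a check that looks only at the certificate, as an added example that is not part of the original message or of any browser's code. The DNS table, the documentation-range addresses standing in for IP_1_v4, IP_2_v6 and IP_3_v4, the use of intranet.company.com for all hosts, and the function names are assumptions made for the illustration.

```python
from dataclasses import dataclass

# Constructed DNS view of the scenario; addresses are documentation-range
# placeholders standing in for IP_1_v4, IP_2_v6 and IP_3_v4.
DNS = {
    "host_1.intranet.company.com": {"192.0.2.1", "2001:db8::2", "192.0.2.3"},
    "host_2.intranet.company.com": {"192.0.2.3"},
}

@dataclass(frozen=True)
class Connection:
    peer_ip: str       # address the existing HTTP/2 connection is open to
    cert_names: tuple  # dNSName entries of the certificate presented on it

def cert_covers(pattern, host):
    """Wildcard match: '*' only as the whole left-most label, one label deep."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def cert_only_reuse(conn, host):
    """Decision based on certificate coverage alone (argued against above)."""
    return any(cert_covers(n, host) for n in conn.cert_names)

def may_reuse(conn, host, scheme="https", dns=DNS):
    """Address match first; the certificate is only an extra condition."""
    if conn.peer_ip not in dns.get(host, set()):
        return False, "host does not resolve to the connection's address"
    if scheme == "https" and not cert_only_reuse(conn, host):
        return False, "certificate is not valid for host"
    return True, "address matches and certificate covers host"

WILDCARD = ("*.intranet.company.com",)         # constructed sample certificate
conn_v6 = Connection("2001:db8::2", WILDCARD)  # opened earlier for host_1
conn_v4 = Connection("192.0.2.3", WILDCARD)    # the server that hosts host_2

if __name__ == "__main__":
    for conn in (conn_v6, conn_v4):
        print(conn.peer_ip, may_reuse(conn, "host_2.intranet.company.com"))
```

With the wildcard certificate both connections pass the certificate-only check, while only the connection to the address host_2 resolves to passes the combined check.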