Adobotalk.com youtube.com ronaldmasayarm On Aug 31, 2015 5:48 PM, "Stefan Eissing" <stefan.eiss...@greenbytes.de> wrote:
> > > Am 28.08.2015 um 15:49 schrieb Eric Covener <cove...@gmail.com>: > > > > On Fri, Aug 28, 2015 at 9:26 AM, Stefan Eissing > > <stefan.eiss...@greenbytes.de> wrote: > >> If this works, one could think about introducing some kind of > "equivalence number" to speed up the checking, since in certain HTTP/2 > setups there might be a good percentage of requests requiting this > verification. > > > > Long term we need to block these name-based renegotiations because > > we'll be at TLS1.3. I don't know how to ween people off, but making > > up an H2 requirement might be one way to ease people into it. > > I am not the expert on TLS renegotiation, I am just aware that certain TLS > parameters can be changed on an existing connection if both parties agree. > And I am aware that this has been used in attacks and the feature seems to > be frowned upon nowadays. > > I see mod_ssl code that checks for renegotiations based on directory > configurations, so it is request based. And it will fail miserably in > HTTP/2 connections as there is no longer *the one current* request on a > connection. > > What would be the most common scenarios for TLS renegotiation be that we > should users warn about when enabling HTTP/2? Is requiting a client cert a > common use here? > > //Stefan > > <green/>bytes GmbH > Hafenweg 16, 48155 Münster, Germany > Phone: +49 251 2807760. Amtsgericht Münster: HRB5782 > > > >
