Played around with the concept of master connections today.

I attached a patch that - I think - goes in the right direction. But others 
know mod_ssl better than me. Feedback welcome!

The basic changes:
1. conn_rec->master is NULL for HTTP/1.1 connections, but points to the "real" connection for HTTP/2 requests.
2. mod_ssl no longer initializes any SSLConnRec* for slave connections (conn_rec->master != NULL).
3. Lookup of ssl variables uses the master's sslconn->ssl if none is found on the connection itself.
4. ssl_hook_Access(), which checks renegotiation, fails with a FORBIDDEN for a slave connection with a note for the reason. This should allow mod_http2 to generate the correct HTTP/2 stream error.
5. ssl_hook_ReadReq(), which checks for wrong host names, now has an additional check for TLS compatibility which compares protocol, cipher suite, certificate and key file/path names and verify mode of the request server against the handshake server. This compatibility is strict equality and not as sophisticated as the renegotiation checks.

With these changes, mod_http2 has less work for the slave connection setup and 
no longer needs to disable ssl for those, while mod_ssl continues to be 
ignorant of mod_http2, as the same restrictions would apply to any protocol 
with slave connections. With a minor bump in MMN we can have this in the next 
2.4.

//Stefan

PS. There are more changes needed for mod_http2 than are in the patch. I did not 
want to make this too messy. The ssl changes are the relevant ones...
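As an added illustration (not code from the attached patch or from httpd itself), the following C models the three behaviours the mail describes: the ssl lookup that falls back to the master connection, the strict-equality TLS compatibility check between the handshake server and the request server, and the rule that a slave connection can never satisfy a renegotiation requirement. The struct and function names (tls_server_cfg, conn, conn_ssl_lookup, tls_compatible, slave_needs_renegotiation) are assumptions for the example and are not httpd or mod_ssl API; the field values in the usage are constructed.

```c
/* Added example modelling the mail's mod_ssl changes with hypothetical
 * types. Nothing here is httpd API; conn_rec and SSLConnRec are only
 * imitated. */
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the per-vhost TLS settings the mail says are
 * compared: protocol, cipher suite, cert/key file names, verify mode. */
typedef struct {
    const char *protocol;
    const char *cipher_suite;
    const char *cert_file;
    const char *key_file;
    int verify_mode;
} tls_server_cfg;

/* Stand-in for conn_rec: master is NULL for an HTTP/1.1 connection and
 * points to the real TLS connection for an HTTP/2 slave connection.
 * ssl imitates sslconn->ssl and stays NULL on slaves (change 2). */
typedef struct conn {
    struct conn *master;
    const char *ssl;
} conn;

/* Change 3: use the connection's own ssl object, else the master's. */
const char *conn_ssl_lookup(const conn *c)
{
    if (c->ssl)
        return c->ssl;
    if (c->master && c->master->ssl)
        return c->master->ssl;
    return NULL;
}

/* NULL-safe string equality: two NULLs are equal, NULL vs text is not. */
static int str_eq(const char *a, const char *b)
{
    if (a == NULL || b == NULL)
        return a == b;
    return strcmp(a, b) == 0;
}

/* Change 5: strict-equality compatibility of the request server's TLS
 * settings against the handshake server's. Returns 1 when a request for
 * `req` may be served on a connection negotiated with `handshake`. */
int tls_compatible(const tls_server_cfg *handshake, const tls_server_cfg *req)
{
    return str_eq(handshake->protocol, req->protocol)
        && str_eq(handshake->cipher_suite, req->cipher_suite)
        && str_eq(handshake->cert_file, req->cert_file)
        && str_eq(handshake->key_file, req->key_file)
        && handshake->verify_mode == req->verify_mode;
}

/* Change 4: a renegotiation requirement cannot be met on a slave
 * connection. Returns 1 when the caller should answer FORBIDDEN (and
 * leave a note so mod_http2 can emit the matching stream error). */
int slave_needs_renegotiation(const conn *c, int renegotiation_required)
{
    return c->master != NULL && renegotiation_required;
}

int main(void)
{
    /* Constructed vhost settings: b differs from a only in its cert file,
     * which strict equality already treats as incompatible. */
    tls_server_cfg a = {"TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256",
                        "/etc/ssl/a.crt", "/etc/ssl/a.key", 0};
    tls_server_cfg b = a;
    b.cert_file = "/etc/ssl/b.crt";

    conn master = {NULL, "ssl-object"};
    conn slave = {&master, NULL};

    return (tls_compatible(&a, &a) && !tls_compatible(&a, &b)
            && conn_ssl_lookup(&slave) == master.ssl
            && slave_needs_renegotiation(&slave, 1)
            && !slave_needs_renegotiation(&master, 1)) ? 0 : 1;
}
```

The lookup fallback is what lets the existing SSL variable code keep working on slave connections once they no longer carry their own SSLConnRec, and the strict comparison deliberately errs on the side of refusing a request rather than reasoning about which differences would be harmless.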

Attachment: ssl-master-conn.patch