Hi Stefan,

On Wed, Oct 21, 2015 at 2:42 PM, Stefan Eissing
<stefan.eiss...@greenbytes.de> wrote:
> Played around with the concept of master connections today.
>
> I attached a patch that - I think - goes in the right direction.

Didn't look at all the details yet but it looks good to me.

One (aside) point, you should probably separate h2 changes from mod_ssl ones.
The former are CTR, but we'll still need a vote for the latter...
I think it also concerns a couple of commits you did lately, even
though changes to both modules are related, it will probably ease
backport to commit them separately.

>
> The basic changes:
[]
> 5. ssl_hook_ReadReq() that checks for wrong host names now has an additional
> check for TLS compatibility which compares protocol, cipher suite,
> certificate and key file/path names and verify mode of the request server
> against the handshake server. This compatibility is strict equality and not
> as sophisticated as the renegotiation checks.

Thanks, we needed that!
It seems however that there are duplicates with the checks done in
ssl_hook_Access().
I'm not sure whether this can be expensive, but maybe we could do that
at one single place?
Also the check on the cipher suite looks more tolerant there, it may
be enough to check that the negotiated cipher is in the new vhost's
list.

Didn't look at the other points, yet ;)

Regards,
Yann.
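
The two cipher-suite policies discussed in this message, side by side, as an added example that is not code from the patch or from mod_ssl. The `tls_conf` struct and all function names are hypothetical, and cipher lists are assumed to be explicit colon-separated cipher names rather than OpenSSL keyword expressions.

```c
#include <string.h>

/* Hypothetical, simplified per-vhost TLS settings (not mod_ssl's structures). */
typedef struct {
    const char *protocols;   /* e.g. "TLSv1.2" */
    const char *ciphers;     /* colon-separated explicit cipher names (assumption) */
    const char *cert_file;
    const char *key_file;
    int verify_mode;
} tls_conf;

static int str_eq(const char *a, const char *b)
{
    if (!a || !b) return a == b;   /* equal only when both are unset */
    return strcmp(a, b) == 0;
}

/* Returns 1 if `name` is a whole token of the colon-separated `list`. */
static int cipher_in_list(const char *name, const char *list)
{
    size_t n;
    if (!name || !list || !*name) return 0;
    n = strlen(name);
    while (*list) {
        size_t len = strcspn(list, ":");
        if (len == n && strncmp(list, name, n) == 0) return 1;
        list += len;
        if (*list == ':') list++;
    }
    return 0;
}

/* Everything except the cipher suite: compared by strict equality in both policies. */
static int base_equal(const tls_conf *hs, const tls_conf *req)
{
    return str_eq(hs->protocols, req->protocols)
        && str_eq(hs->cert_file, req->cert_file)
        && str_eq(hs->key_file, req->key_file)
        && hs->verify_mode == req->verify_mode;
}

/* Strict policy: the request vhost's cipher string equals the handshake vhost's. */
int tls_compatible_strict(const tls_conf *hs, const tls_conf *req)
{
    return base_equal(hs, req) && str_eq(hs->ciphers, req->ciphers);
}

/* Tolerant policy: the negotiated cipher only has to be in the request vhost's list. */
int tls_compatible_tolerant(const tls_conf *hs, const tls_conf *req, const char *negotiated)
{
    return base_equal(hs, req) && cipher_in_list(negotiated, req->ciphers);
}
```

With strict equality, two vhosts that list the same ciphers in a different order are treated as incompatible; the tolerant variant accepts them as long as the cipher actually negotiated on the connection is allowed by the request vhost.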
