> On Oct 21, 2015, at 10:25 AM, Graham Leggett <minf...@sharp.fm> wrote:
>
>> On 21 Oct 2015, at 2:42 PM, Stefan Eissing <stefan.eiss...@greenbytes.de> wrote:
>>
>> The basic changes:
>> 1. conn_rec->master is NULL for HTTP/1.1 connections, but points to the "real" connection for HTTP/2 requests.
>> 2. mod_ssl no longer initializes any SSLConnRec* for slave connections (conn_rec->master != NULL)
>> 3. lookup of ssl variables uses the master's sslconn->ssl if none is found on the connection itself
>> 4. ssl_hook_Access() that checks renegotiation fails with a FORBIDDEN for a slave connection with a note for the reason. This should allow mod_http2 to generate the correct HTTP/2 stream error
>> 5. ssl_hook_ReadReq() that checks for wrong host names now has an additional check for TLS compatibility which compares protocol, cipher suite, certificate and key file/path names and verify mode of the request server against the handshake server. This compatibility is strict equality and not as sophisticated as the renegotiation checks.
>>
>> With these changes, mod_http2 has less work for the slave connection setup and no longer needs to disable ssl for those. While mod_ssl continues to be ignorant of mod_http2, as the same restrictions would apply to any protocol with slave connections. With a minor bump in MMN we can have this in the next 2.4.
>
> Not having looked at the patch yet, the above seems to make sense.
>
Sorry for the lateness: +1
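Added illustration, not Apache's code or the patch under discussion: a reduced C model of changes 2 through 5 quoted above. The types tls_params_t, sslconn_t, conn_rec_t, the note field and the functions lookup_sslconn, access_check, tls_compatible are hypothetical stand-ins; only the conn_rec->master convention and the 403 status come from the thread.

```c
#include <string.h>

#define HTTP_FORBIDDEN 403   /* same numeric status mod_ssl returns for FORBIDDEN */

/* Hypothetical reduced models; not the real Apache structures. */
typedef struct {
    const char *protocol;      /* e.g. "TLSv1.2" */
    const char *cipher_suite;
    const char *cert_file;     /* SSLCertificateFile path */
    const char *key_file;      /* SSLCertificateKeyFile path */
    int verify_mode;           /* SSLVerifyClient setting */
} tls_params_t;

typedef struct { int handshake_done; } sslconn_t;

typedef struct conn_rec_s {
    struct conn_rec_s *master; /* NULL for HTTP/1.1, the real connection for an HTTP/2 stream */
    sslconn_t *sslconn;        /* change 2: stays NULL on slave connections */
    const char *note;          /* hypothetical: reason mod_http2 reads to pick a stream error */
} conn_rec_t;

/* Change 3: a slave has no SSL state of its own, so fall back to the master's. */
sslconn_t *lookup_sslconn(const conn_rec_t *c)
{
    if (c->sslconn) return c->sslconn;
    return c->master ? c->master->sslconn : NULL;
}

/* Change 4: renegotiation cannot happen on a multiplexed stream, so refuse it
   with FORBIDDEN and record why, instead of attempting it on the master. */
int access_check(conn_rec_t *c, int needs_renegotiation)
{
    if (needs_renegotiation && c->master) {
        c->note = "renegotiation not possible on HTTP/2 slave connection";
        return HTTP_FORBIDDEN;
    }
    return 0;   /* OK: either no renegotiation needed or a real HTTP/1.1 connection */
}

/* Change 5: strict equality of the request vhost's TLS parameters against the
   handshake vhost's; any difference is incompatible (no renegotiation-style
   "is the new config stricter" reasoning). */
int tls_compatible(const tls_params_t *req, const tls_params_t *hs)
{
    return strcmp(req->protocol, hs->protocol) == 0
        && strcmp(req->cipher_suite, hs->cipher_suite) == 0
        && strcmp(req->cert_file, hs->cert_file) == 0
        && strcmp(req->key_file, hs->key_file) == 0
        && req->verify_mode == hs->verify_mode;
}
```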