Changeset 0bed0a0 in mod_gnutls


Timestamp: Nov 7, 2018, 12:55:41 PM
Author: Fiona Klute <fiona.klute@…>
Branches: debian/master, master
Children: dcaba46
Parents: a939015
Message:

Update documentation on ALPN and HTTP/2

Files: 2 edited

  • CHANGELOG

    ra939015 r0bed0a0  
    2020  mod_socache. Users may need to update their GnuTLSCache settings and
    2121  load the appropriate socache modules.
    22 - Known issue: ALPN (required for HTTP/2) works correctly only if all
    23   virtual hosts using mod_gnutls share the same Protocols setting,
    24   reported by Vincent Tamet.
     22- ALPN (required for HTTP/2) now works correctly with different
     23  "Protocols" directives between virtual hosts if building with GnuTLS
     24  3.6.3 or newer. Older versions require identical "Protocols"
     25  directives for overlapping virtual hosts. Thanks to Vincent Tamet
     26  for the bug report!
    2527- GnuTLSPriorities is optional now and defaults to "NORMAL" if
    2628  missing. The same applies to GnuTLSProxyPriorities (if TLS proxy is
  • doc/mod_gnutls_manual.mdwn

    ra939015 r0bed0a0  
    5151--------------
    5252
    53 HTTP/2 is supported with `mod_gnutls` but works correctly only if all
    54 virtual hosts using `mod_gnutls` share the same `Protocols`
    55 setting. This will be fixed in a future release, but will likely
    56 require GnuTLS 3.6 or later.
     53HTTP/2 is supported with `mod_gnutls`. However, full support requires
     54compiling with GnuTLS 3.6.3 or later. When using lower versions all
     55virtual hosts using `mod_gnutls` with overlapping IP/port combinations
     56need to use identical `Protocols` directives for protocol negotiation
     57to work correctly.
    5758
    5859The technical reason is that using HTTP/2 requires ALPN (Application
    5960Layer Protocol Negotiation) to be set up before GnuTLS parses the TLS
    6061ClientHello message, but earlier hooks cannot use
    61 `gnutls_server_name_get()` to retrieve SNI data for virtual host
    62 selection.
     62`gnutls_server_name_get()` to retrieve SNI (Server Name Indication)
     63data for virtual host selection. Because of this `mod_gnutls` provides
     64its own early SNI parser, which requires the `gnutls_ext_raw_parse()`
     65function introduced in GnuTLS 3.6.3 to retrieve the extension data in
     66a *pre* client hello hook.
    6367
    6468* * * * *
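Review bot: the new paragraph explains why SNI has to be parsed early, but not what happens on GnuTLS older than 3.6.3 when overlapping virtual hosts carry different `Protocols` directives: state which host's `Protocols` setting ends up driving ALPN so administrators can recognise the symptom. Since the module now reads the SNI extension itself from the raw, unauthenticated ClientHello in a pre client hello hook via `gnutls_ext_raw_parse()`, the manual should also document how a ClientHello with no SNI extension, or one the early parser cannot interpret, is handled (for example, that virtual host selection falls back to the default host), because that is the input an arbitrary client can send at will.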
     
    739743-----------------------------------------
    740744
    741 `mod_gnutls` supports "Server Name Indication", as specified in [RFC
    742 6066, Section 3](https://tools.ietf.org/html/rfc6066#section-3). This
    743 allows hosting many TLS websites with a single IP address, you can
    744 just add the virtual host conigurations. All recent browsers support
     745`mod_gnutls` supports Server Name Indication (SNI), as specified in
     746[RFC 6066, Section 3](https://tools.ietf.org/html/rfc6066#section-3).
     747This allows hosting many TLS websites with a single IP address, you
     748can just add virtual host configurations. All recent browsers support
    745749this standard. Here is an example using SNI:
    746750
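Review bot: the rewritten sentence keeps the comma splice from the old text, "This allows hosting many TLS websites with a single IP address, you can just add virtual host configurations"; split it into two sentences or join them with "since you can". The typo fix ("conigurations" to "configurations") and the "(SNI)" expansion are fine.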
     
    777781         GnuTLSCertificateFile conf/tls/site3.crt
    778782         GnuTLSKeyFile conf/tls/site3.key
     783         # Enable HTTP/2. With GnuTLS before version 3.6.3 all
     784         # virtual hosts in this example would have to share this
     785         # directive to work correctly.
     786         Protocols h2 http/1.1
    779787     </VirtualHost>
    780788
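Review bot: `Protocols h2 http/1.1` is added only to the site3 `<VirtualHost>` block, so the example now deliberately shows the mixed configuration that works only with GnuTLS 3.6.3 or newer; the comment says that, but it should also make clear that HTTP/2 is offered for site3 only, and that a reader on older GnuTLS must either add the same directive to the other hosts in the example or drop it here, otherwise the example as shipped misbehaves for them. A pointer to the HTTP/2 section near the top of the manual would keep the version condition in one place instead of repeating it in a configuration comment.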