Changeset 0bed0a0 in mod_gnutls for doc/mod_gnutls_manual.mdwn


Timestamp:
Nov 7, 2018, 12:55:41 PM (12 months ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
debian/master, master
Children:
dcaba46
Parents:
a939015
Message:

Update documentation on ALPN and HTTP/2

File:
1 edited

  • doc/mod_gnutls_manual.mdwn

    ra939015 r0bed0a0  
    5151--------------
    5252
    53 HTTP/2 is supported with `mod_gnutls` but works correctly only if all
    54 virtual hosts using `mod_gnutls` share the same `Protocols`
    55 setting. This will be fixed in a future release, but will likely
    56 require GnuTLS 3.6 or later.
     53HTTP/2 is supported with `mod_gnutls`. However, full support requires
     54compiling with GnuTLS 3.6.3 or later. When using lower versions all
     55virtual hosts using `mod_gnutls` with overlapping IP/port combinations
     56need to use identical `Protocols` directives for protocol negotiation
     57to work correctly.
    5758
    5859The technical reason is that using HTTP/2 requires ALPN (Application
    5960Layer Protocol Negotiation) to be set up before GnuTLS parses the TLS
    6061ClientHello message, but earlier hooks cannot use
    61 `gnutls_server_name_get()` to retrieve SNI data for virtual host
    62 selection.
     62`gnutls_server_name_get()` to retrieve SNI (Server Name Indication)
     63data for virtual host selection. Because of this `mod_gnutls` provides
     64its own early SNI parser, which requires the `gnutls_ext_raw_parse()`
     65function introduced in GnuTLS 3.6.3 to retrieve the extension data in
     66a *pre* client hello hook.
    6367
    6468* * * * *
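
Review bot: New lines 53-54 say full support requires "compiling with GnuTLS 3.6.3 or later" but do not say whether the GnuTLS version loaded at runtime also matters, so an administrator using a prebuilt package cannot tell which case applies. Suggest stating the build-time and runtime requirement explicitly (new lines 64-65 tie the feature to `gnutls_ext_raw_parse()`, introduced in 3.6.3), and replacing "lower versions" with "earlier versions". The text could also say what happens when the `Protocols` directives differ on an older GnuTLS, since "to work correctly" leaves the failure mode open.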
     
    739743-----------------------------------------
    740744
    741 `mod_gnutls` supports "Server Name Indication", as specified in [RFC
    742 6066, Section 3](https://tools.ietf.org/html/rfc6066#section-3). This
    743 allows hosting many TLS websites with a single IP address, you can
    744 just add the virtual host conigurations. All recent browsers support
     745`mod_gnutls` supports Server Name Indication (SNI), as specified in
     746[RFC 6066, Section 3](https://tools.ietf.org/html/rfc6066#section-3).
     747This allows hosting many TLS websites with a single IP address, you
     748can just add virtual host configurations. All recent browsers support
    745749this standard. Here is an example using SNI:
    746750
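
Review bot: The sentence at new lines 747-748 keeps the comma splice from the old text ("with a single IP address, you can just add virtual host configurations"); split it into two sentences or rephrase with "by adding virtual host configurations". Because the SNI example now also sets `Protocols`, a short pointer from this paragraph to the HTTP/2 and ALPN section would help readers who start here.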
     
    777781         GnuTLSCertificateFile conf/tls/site3.crt
    778782         GnuTLSKeyFile conf/tls/site3.key
     783         # Enable HTTP/2. With GnuTLS before version 3.6.3 all
     784         # virtual hosts in this example would have to share this
     785         # directive to work correctly.
     786         Protocols h2 http/1.1
    779787     </VirtualHost>
    780788
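
Review bot: The comment at new lines 783-785 says that with GnuTLS before 3.6.3 all virtual hosts in the example would have to share the directive, yet this diff adds `Protocols h2 http/1.1` only to the block that uses conf/tls/site3.crt, so a reader on an older GnuTLS who copies the example as shown ends up with the mixed configuration the comment warns about. Suggest either saying in the comment that the line must be copied into the other virtual hosts on older versions, or moving the version caveat into the prose above the example and keeping the comment to "Enable HTTP/2".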