| Summary: | HTTP/2 & Certificate path can lead to 421 | ||
|---|---|---|---|
| Product: | Apache httpd-2 | Reporter: | Romain Lapoux <manus> |
| Component: | mod_http2 | Assignee: | Apache HTTPD Bugs Mailing List <bugs> |
| Status: | NEW --- | ||
| Severity: | normal | CC: | huenig |
| Priority: | P2 | ||
| Version: | 2.4.25 | ||
| Target Milestone: | --- | ||
| Hardware: | PC | ||
| OS: | All | ||
|
Description
Romain Lapoux
2017-04-11 09:54:53 UTC
Are there any plans for this? This would help us as well. Also got hit by this. The most likely culprit is ssl_pk_server_compatible() in modules/ssl/ssl_engine_kernel.c - it checks for compatibility between vhosts by comparing certificate file name instead of certificate itself. That leads to a situation where browser correctly decides (based on information available to it, namely subject alternative names) that it can reuse existing connection, but Apache disagrees and returns error 421. (Some browsers try again as allowed by rfc7540 9.1.2, but some don't and show the error to the user.) Comment 2 looks right. It should be possible to enhance mod_ssl to do that, but it would be complicated, you'd have to iterate through the configured certs for the second context and compare with the currently used cert. And this is a critical path which has numerous security issues in the past. So, nobody is planning to touch it, and it's pretty trivial to adjust your configurations to avoid the issue in the first place. The issue is more, that you need to know that that configuration will create an issue. As most browsers like Firefox and chrome work on the surface (you see the 421 in network tab) the website won't work at all with error-prone browsers like safari. Another solution would be to see this as an invalid configuration and fail on configcheck here. |