Bug 56028 - Add http/1.0, http/1.1 NPN advertisement to enable TLS False Start
Summary: Add http/1.0, http/1.1 NPN advertisement to enable TLS False Start
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl (show other bugs)
Version: 2.5-HEAD
Hardware: All All
: P2 enhancement with 6 votes (vote)
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Depends on:
Reported: 2014-01-17 19:17 UTC by Ilya Grigorik
Modified: 2015-01-27 10:54 UTC (History)
3 users (show)


Note You need to log in before you can comment on or make changes to this bug.
Description Ilya Grigorik 2014-01-17 19:17:05 UTC
TLS False Start [1] helps eliminate full RTT from the TLS handshake. All the modern browsers support it, but Chrome / FF run an NPN and forward secrecy check before enabling it [2,3].

Apache landed NPN in 552210 [4], but it does not advertise either "http/1.0" or "http/1.1" by default, which means that False Start can't be used. mod_spdy patches this in by default [5], but obviously it would be nice to not require mod_spdy to enable False Start! Finally, for an example of False Start in action (albeit on nginx), see: http://www.igvita.com/2013/12/16/optimizing-nginx-tls-time-to-first-byte/

Long story short: Apache should advertise ["http/1.0", "http/1.1"] on all TLS connections.

[1] http://tools.ietf.org/html/draft-bmoeller-tls-falsestart-00
[2] https://www.imperialviolet.org/2012/04/11/falsestart.html
[3] http://src.chromium.org/viewvc/chrome/trunk/src/net/third_party/nss/ssl/sslsecur.c?revision=235907#l379
[4] https://issues.apache.org/bugzilla/show_bug.cgi?id=52210
[5] https://code.google.com/p/mod-spdy/source/browse/trunk/src/mod_spdy/mod_spdy.cc#508
Comment 1 Stefan Eissing 2015-01-27 09:32:39 UTC

I updated my proposed patch for https://issues.apache.org/bugzilla/show_bug.cgi?id=52210 to always announce http/1.1 over NPN and ALPN. Maybe you want to have a look at it.

Announcing "http/1.0" as protocol over TLS sounds like a waste of bytes. I have not heard of any client with NPN/ALPN capabilities that wants to do HTTP/1.0. Do you encounter those in real life?

Cheers, Stefan