SNI requirement for H2

Nicholas Hurley <hurley@mozilla.com> Fri, 03 April 2015 18:42 UTC


All,

While looking at https://github.com/molnarg/node-http2/issues/69 I came to
the realization that it appears we have (unintentionally) made it
impossible to speak h2 when connecting directly to an IP address (as in, IP
address typed into URL bar as opposed to hostname typed into URL bar) and
remain compliant with both the h2 spec and RFC 6066. 6066 specifies that
SNI is not to be sent for an IP literal, while h2 requires SNI. You can see
the conflict.

In node-http2, we have decided to relax the SNI requirement, and still
speak h2 to clients that don't give us any SNI, under the assumption that
this (IP in URL bar, or equivalent) is the case we are hitting. I had also
filed a bug against Firefox to stop advertising h2 in the cases where we
won't send SNI, but am rethinking that idea, as it was pointed out (rightly
so) that a lot of test servers never have a hostname associated with them,
and not being able to talk h2 to test servers seems like a Bad Idea :)

FWIW, I checked Safari, Chrome, IE (11 on Windows 7), and Firefox. Both
Safari and Chrome send SNI regardless of IP or hostname, so they will not
run into this problem. IE and Firefox both send SNI only for hostnames (at
least in the configurations I tested), so they will hit this problem.
(Obvious caveat: non-Firefox browsers may have changed their behavior in
later versions than I have access to, so of course my testing may not hold
true in the future.)

I talked briefly to Martin offline, and he says we may be able to get a
clarification on this point during AUTH48 to (my words, now, not his)
perhaps relax this restriction, or at least make it clear that you probably
don't need to require SNI in a testing situation, in order to avoid this
problem.

Thoughts?
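The conflict described above (RFC 6066 forbids SNI for an IP literal, while the h2 spec requires it) and the two ways out that the message mentions (the client stops advertising h2 when it will not send SNI, or the server accepts h2 without SNI as node-http2 does) can be modelled as a small negotiation simulation. This is an added example, not code from the message or from node-http2; the function names and the strict/relaxed policy flags are hypothetical.

```python
import ipaddress
from typing import List, Optional
from urllib.parse import urlsplit


def sni_for_url(url: str) -> Optional[str]:
    """Server name a client should place in the SNI extension for this URL.

    RFC 6066 section 3 says IP literals are not permitted as HostName, so an
    IPv4 or IPv6 address in the URL yields None (no SNI at all).
    """
    host = urlsplit(url).hostname  # lowercases and strips IPv6 brackets
    if host is None:
        raise ValueError("URL has no host: %r" % url)
    try:
        ipaddress.ip_address(host)
        return None  # IP literal: do not send SNI
    except ValueError:
        return host  # a real hostname: send it as SNI


def client_alpn(url: str, h2_without_sni: bool) -> List[str]:
    """ALPN list the client offers.  h2_without_sni=False models the
    'stop advertising h2 when we will not send SNI' option (hypothetical)."""
    if sni_for_url(url) is None and not h2_without_sni:
        return ["http/1.1"]
    return ["h2", "http/1.1"]


def server_select_alpn(offered: List[str], sni: Optional[str],
                       strict_sni: bool) -> str:
    """Server-side ALPN choice.  strict_sni=True refuses h2 when no SNI was
    sent (the h2 spec's requirement); False is the node-http2 relaxation."""
    if "h2" in offered and (sni is not None or not strict_sni):
        return "h2"
    return "http/1.1"


def negotiate(url: str, h2_without_sni: bool = True,
              strict_sni: bool = True) -> str:
    """Simulate one handshake and return the protocol that ends up in use."""
    sni = sni_for_url(url)
    return server_select_alpn(client_alpn(url, h2_without_sni), sni, strict_sni)


if __name__ == "__main__":
    # Constructed sample URLs: a hostname, an IPv4 literal and an IPv6 literal.
    for u in ("https://example.com/", "https://10.0.0.5/", "https://[2001:db8::1]/"):
        print(u, "strict:", negotiate(u), "relaxed:", negotiate(u, strict_sni=False))
```

With a strict server the IP-literal URLs fall back to http/1.1 even though both sides implement h2, which is exactly the unintended outcome the message describes; the relaxed server gets h2 on all three.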