Re: SNI requirement for H2

Greg Wilkins <> Sun, 05 April 2015 08:24 UTC

Date: Sun, 05 Apr 2015 18:21:27 +1000
From: Greg Wilkins <>
To: Nicholas Hurley <>
Cc: HTTP Working Group <>

On 4 April 2015 at 05:37, Nicholas Hurley <> wrote:

> while h2 requires SNI

My reading of the spec is that h2 requires SNI to be supported, but I can't
see where it says that a server must reject a connection that does not
provide SNI?

We've only just implemented our SNI support in jetty and we certainly have
not tied it to h2 in any way.   If your key store has multiple certificates,
then a provided SNI will be used to select which certificate to use and if
there are none matching the connection is refused.

This is entirely separate from our ALPN negotiation and I don't see where
the spec requires us to tie them together (actually with the java 8 impl of
SNI it was hard enough to tie the SNI name acceptance to the certificate)

So hopefully the clarification is just saying that required to support is
not the same as required to use.


Greg Wilkins <> @ Webtide - *an Intalio subsidiary* HTTP, SPDY, Websocket server and client that scales; advice and support for jetty and cometd.
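To make the distinction in the mail concrete (SNI, when present, selects the certificate; no SNI means the default certificate rather than a refusal; ALPN is negotiated on its own), here is an added example that is not from the thread or from Jetty: a small Python parser for the server_name and ALPN extensions of a raw ClientHello, with a server-side policy applied to it. The key store hostnames, certificate labels and the ClientHello builder are constructed for the example.

```python
import struct
KEYSTORE = {"example.com": "cert-example", "www.example.org": "cert-org"}  # constructed host -> cert label
DEFAULT_CERT = "cert-example"        # served when the ClientHello carries no SNI at all
SERVER_PROTOS = ["h2", "http/1.1"]   # server's ALPN preference order

def parse_client_hello_extensions(hello: bytes):
    """Return (sni, alpn_list) from a raw ClientHello body (no record/handshake header)."""
    pos = 2 + 32                                           # client_version + random
    pos += 1 + hello[pos]                                  # session_id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]  # cipher_suites
    pos += 1 + hello[pos]                                  # compression_methods
    if pos + 2 > len(hello):
        return None, []                                    # legal: no extensions block
    end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    sni, alpn = None, []
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        body = hello[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == 0 and body[2] == 0:                    # server_name, name_type host_name(0)
            nlen = struct.unpack("!H", body[3:5])[0]
            sni = body[5:5 + nlen].decode("ascii")
        elif etype == 16:                                  # application_layer_protocol_negotiation
            i = 2                                          # skip the 2-byte list length
            while i < len(body):
                alpn.append(body[i + 1:i + 1 + body[i]].decode("ascii"))
                i += 1 + body[i]
    return sni, alpn

def select_cert_and_protocol(hello: bytes):
    """Policy from the mail: SNI (if present) picks the cert, none -> default cert; ALPN decided separately."""
    sni, alpn = parse_client_hello_extensions(hello)
    if sni is not None and sni not in KEYSTORE:
        return None                                        # SNI named a host we hold no cert for: refuse
    cert = KEYSTORE.get(sni, DEFAULT_CERT)                 # absent SNI -> default, not a refusal
    proto = next((p for p in SERVER_PROTOS if p in alpn), None)  # None: no ALPN or no overlap
    return cert, proto

def build_client_hello(sni=None, alpn=()):
    """Construct a minimal TLS 1.2 ClientHello body (one cipher suite) carrying the given extensions."""
    exts = b""
    if sni:
        entry = b"\x00" + struct.pack("!H", len(sni)) + sni.encode("ascii")
        exts += struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry
    if alpn:
        lst = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn)
        exts += struct.pack("!HHH", 16, len(lst) + 2, len(lst)) + lst
    return b"\x03\x03" + bytes(32) + b"\x00\x00\x02\x13\x01\x01\x00" + struct.pack("!H", len(exts)) + exts
```

A ClientHello without SNI still negotiates h2 through ALPN here, and one without ALPN still gets a certificate; only an SNI name with no matching certificate is refused.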