Resent-Date: Fri, 03 Apr 2015 19:07:07 +0000
Resent-Message-Id: <E1Ye6vr-0006jQ-Bj@frink.w3.org>
MIME-Version: 1.0
In-Reply-To: <CAGxKgz2-5OSwPGs=S_EVwPv-dYvPSO-H4YCiXX5wt-CxTxMVpg@mail.gmail.com>
References: <CAGxKgz2-5OSwPGs=S_EVwPv-dYvPSO-H4YCiXX5wt-CxTxMVpg@mail.gmail.com>
Date: Fri, 3 Apr 2015 12:06:36 -0700
Message-ID: <CAP+FsNcGAJjRXpQPKOs9rLk-5=JYjj24=DxNHCAv+Mib5v+2GA@mail.gmail.com>
From: Roberto Peon <grmocg@gmail.com>
To: Nicholas Hurley <hurley@mozilla.com>
Cc: HTTP Working Group <ietf-http-wg@w3.org>
Content-Type: multipart/alternative; boundary=001a11c20fb8c08a680512d6a559
Received-SPF: pass client-ip=209.85.214.169; envelope-from=grmocg@gmail.com;
 helo=mail-ob0-f169.google.com
Subject: Re: SNI requirement for H2
Archived-At: <http://www.w3.org/mid/CAP+FsNcGAJjRXpQPKOs9rLk-5=JYjj24=DxNHCAv+Mib5v+2GA@mail.gmail.com>
Resent-From: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list

--001a11c20fb8c08a680512d6a559
Content-Type: text/plain; charset=UTF-8

Does anyone recall why 6066 has no SNI for IP literals? (It could be an
empty SNI field or the SNI could indicate the IP literal)?
-=R

On Fri, Apr 3, 2015 at 11:37 AM, Nicholas Hurley <hurley@mozilla.com> wrote:

> All,
>
> While looking at https://github.com/molnarg/node-http2/issues/69 I came
> to the realization that it appears we have (unintentionally) made it
> impossible to speak h2 when connecting directly to an IP address (as in, IP
> address typed into URL bar as opposed to hostname typed into URL bar) and
> remain compliant with both the h2 spec and RFC 6066. 6066 specifies that
> SNI is not to be sent for an IP literal, while h2 requires SNI. You can see
> the conflict.
>
> In node-http2, we have decided to relax the SNI requirement, and still
> speak h2 to clients that don't give us any SNI, under the assumption that
> this (IP in URL bar, or equivalent) is the case we are hitting. I had also
> filed a bug against Firefox to stop advertising h2 in the cases where we
> won't send SNI, but am rethinking that idea, as it was pointed out (rightly
> so) that a lot of test servers never have a hostname associated with them,
> and not being able to talk h2 to test servers seems like a Bad Idea :)
>
> FWIW, I checked Safari, Chrome, IE (11 on Windows 7), and Firefox. Both
> Safari and Chrome send SNI regardless of IP or hostname, so they will not
> run into this problem. IE and Firefox both send SNI only for hostnames (at
> least in the configurations I tested), so they will hit this problem.
> (Obvious caveat: non-Firefox browsers may have changed their behavior in
> later versions than I have access to, so of course my testing may not hold
> true in the future.)
>
> I talked briefly to Martin offline, and he says we may be able to get a
> clarification on this point in during AUTH48 to (my words, now, not his)
> perhaps relax this restriction, or at least make it clear that you probably
> don't need to require SNI in a testing situation, in order to avoid this
> problem.
>
> Thoughts?
>

--001a11c20fb8c08a680512d6a559
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr">Does anyone recall why 6066 has no SNI for IP literals? (I=
t could be an empty SNI field or the SNI could indicate the IP literal)?<di=
v>-=3DR</div></div><div class=3D"gmail_extra"><br><div class=3D"gmail_quote=
">On Fri, Apr 3, 2015 at 11:37 AM, Nicholas Hurley <span dir=3D"ltr">&lt;<a=
 href=3D"mailto:hurley@mozilla.com" target=3D"_blank">hurley@mozilla.com</a=
>&gt;</span> wrote:<br><blockquote class=3D"gmail_quote" style=3D"margin:0 =
0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir=3D"ltr"><div=
><div><div><div><div>All,<br><br></div>While looking at <a href=3D"https://=
github.com/molnarg/node-http2/issues/69" target=3D"_blank">https://github.c=
om/molnarg/node-http2/issues/69</a> I came to the realization that it appea=
rs we have (unintentionally) made it impossible to speak h2 when connecting=
 directly to an IP address (as in, IP address typed into URL bar as opposed=
 to hostname typed into URL bar) and remain compliant with both the h2 spec=
 and RFC 6066. 6066 specifies that SNI is not to be sent for an IP literal,=
 while h2 requires SNI. You can see the conflict.<br><br></div>In node-http=
2, we have decided to relax the SNI requirement, and still speak h2 to clie=
nts that don&#39;t give us any SNI, under the assumption that this (IP in U=
RL bar, or equivalent) is the case we are hitting. I had also filed a bug a=
gainst Firefox to stop advertising h2 in the cases where we won&#39;t send =
SNI, but am rethinking that idea, as it was pointed out (rightly so) that a=
 lot of test servers never have a hostname associated with them, and not be=
ing able to talk h2 to test servers seems like a Bad Idea :)<br><br></div>F=
WIW, I checked Safari, Chrome, IE (11 on Windows 7), and Firefox. Both Safa=
ri and Chrome send SNI regardless of IP or hostname, so they will not run i=
nto this problem. IE and Firefox both send SNI only for hostnames (at least=
 in the configurations I tested), so they will hit this problem. (Obvious c=
aveat: non-Firefox browsers may have changed their behavior in later versio=
ns than I have access to, so of course my testing may not hold true in the =
future.)<br><br></div>I talked briefly to Martin offline, and he says we ma=
y be able to get a clarification on this point in during AUTH48 to (my word=
s, now, not his) perhaps relax this restriction, or at least make it clear =
that you probably don&#39;t need to require SNI in a testing situation, in =
order to avoid this problem.<br><br></div>Thoughts?<br></div>
</blockquote></div><br></div>

--001a11c20fb8c08a680512d6a559--