http2 and client certificate
timo



Joined: 03 Jun 2012
Posts: 33
Location: FI, EU

Posted: Mon 11 Jul '16 14:18    Post subject: http2 and client certificate

I use client certificate to access my server, and optionally username/password.
Client certificate is used when I access the server from my own laptop, and username/password if I'm on a computer that doesn't have my certificate installed.

With http2 disabled this works just fine.

If I enable http2, the client certificate is not accepted, the server always asks for username/password.

Nothing related to this on Apache logs, so I don't actually know if the certificate is rejected or bypassed or something else.

Any clue what might be causing this?

Apache 2.4.23 x64, Windows 10 Pro
icing



Joined: 22 Sep 2015
Posts: 38
Location: Münster, Germany

Posted: Mon 11 Jul '16 14:37

There are currently some limitations when it comes to HTTP/2 and TLS with client certificates. The HTTP standard guys are working on a protocol extension for this, but it will be some time before this gets deployed in servers and browsers.

The problem that you see is that often client certificates are used not everywhere on the server, but in certain locations.

That means the TLS connection is set up, you make a request for a resource that is protected by client certs and this triggers a TLS renegotiation. Server asks for a cert, client provides one and the request gets processed. That is how it works in HTTP/1.1

In HTTP/2, there can be several requests in parallel on the same TLS connection. And that is why renegotiations are forbidden in HTTP/2, because renegotiations can step on each other's toes, so to speak.

Instead, and this is what mod_h2 does, a request which would trigger renegotiation is denied with the special HTTP/2 error code HTTP_1_1_REQUIRED. This should tell the client to remake the request using only HTTP/1.1. However this is not implemented by everyone, it seems.

Hope this explains the situation a bit.
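To make the mechanism icing describes concrete, here is an added Apache 2.4 configuration example (not from this thread, and not official Apache or mod_http2 project code). The first block shows the shape of setup that provokes the HTTP_1_1_REQUIRED answer: `h2` on the whole host, client certificate only required inside a `<Location>`. The second block shows one way to avoid the renegotiation, based on the mod_ssl documentation: request the certificate in the initial handshake with `SSLVerifyClient optional` at virtual-host level and let the location accept either a verified certificate or a valid username/password. Hostnames, file paths and the `/private` location are constructed placeholders, and the two `<VirtualHost>` blocks are alternatives, not meant to be active at the same time.

```apache
# Added example, not from the thread. Hostnames, paths and /private are
# constructed placeholders; activate only ONE of the two VirtualHost blocks.

# --- Block 1: the setup that runs into the HTTP/2 limitation ---
# h2 is negotiated for the whole host, but the client certificate is only
# required inside a <Location>. Under HTTP/1.1 mod_ssl satisfies the
# per-location SSLVerifyClient by renegotiating the TLS session. HTTP/2
# forbids renegotiation, so mod_http2 refuses the stream with the
# HTTP_1_1_REQUIRED error instead, and a client that does not retry
# over HTTP/1.1 never presents its certificate.
<VirtualHost *:443>
    ServerName example.test
    Protocols h2 http/1.1
    SSLEngine on
    SSLCertificateFile    "conf/ssl/server.crt"
    SSLCertificateKeyFile "conf/ssl/server.key"
    SSLCACertificateFile  "conf/ssl/client-ca.crt"

    <Location "/private">
        # per-location verification => TLS renegotiation under HTTP/1.1
        SSLVerifyClient require
        SSLVerifyDepth  2
    </Location>
</VirtualHost>

# --- Block 2: ask for the certificate in the initial handshake ---
# SSLVerifyClient optional at host level makes the server request a client
# certificate during the first TLS handshake. Nothing changes per location
# on the TLS side, so no renegotiation is needed and HTTP/2 can stay on.
# The location then accepts EITHER a verified client certificate OR a
# valid username/password, matching the original poster's two access paths.
<VirtualHost *:443>
    ServerName example.test
    Protocols h2 http/1.1
    SSLEngine on
    SSLCertificateFile    "conf/ssl/server.crt"
    SSLCertificateKeyFile "conf/ssl/server.key"
    SSLCACertificateFile  "conf/ssl/client-ca.crt"
    SSLVerifyClient optional
    SSLVerifyDepth  2

    <Location "/private">
        AuthType Basic
        AuthName "Private area"
        AuthBasicProvider file
        AuthUserFile "conf/private.htpasswd"
        <RequireAny>
            # mod_ssl authz provider: succeeds only if the client
            # certificate presented in the handshake verified OK
            Require ssl-verify-client
            Require valid-user
        </RequireAny>
    </Location>
</VirtualHost>

# Alternative (what the original poster chose): keep Block 1 as it is and
# change its "Protocols h2 http/1.1" to "Protocols http/1.1", so the host
# stays on HTTP/1.1 where the renegotiation is allowed.
```

Two caveats on Block 2. Because the certificate is requested on every new connection to the host, browsers holding a matching certificate will prompt for it even when the user is heading for public content; that is the price of avoiding the mid-connection renegotiation. And the approach only removes the renegotiation if the `<Location>` carries no other TLS-affecting directives (`SSLCipherSuite`, a different `SSLVerifyDepth`, and so on), since any per-location change to the TLS parameters brings the renegotiation back.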
timo



Joined: 03 Jun 2012
Posts: 33
Location: FI, EU

Posted: Mon 11 Jul '16 14:52

Ok, I understand the problem now.

I'll keep HTTP/2 disabled until this is solved.