#281 new enhancement

Add SPDY support

Reported by: andersk Owned by:
Priority: minor Milestone:
Component: web Keywords:
Cc:

Description

In our infinite free time, we should play with mod_spdy which Google just released.

(davidben isn’t sure if it will work with client certificates, though.)

Change History (3)

comment:1 Changed 2 years ago by davidben

Client auth: The nuisance is that SPDY may multiplex multiple streams from even different origins over the same connection, so you don't always get a handshake per host. And, of course, the awful renegotiate hack breaks when you don't know what stream your CertificateRequest is associated with. So SPDY has a CREDENTIALS [1] control frame for adding new certificates to a slot (with a slot specified in SYN_STREAM). Given mod_spdy has issues with even SSLRequireSSL [2] right now, I suspect they don't have whatever glue is necessary to make this seamless. It's also possible this spec is newer than the current implementation in Firefox and Chrome and they'll just disable pooling for connections with client certs for now or something.

Insert usual rant about how TLS client auth is broken and at completely the wrong layer.

[1] http://willchan.github.com/SPDY-Specification/draft-mbelshe-spdy-00.html#CREDENTIAL

[2] https://code.google.com/p/mod-spdy/issues/detail?id=31

comment:2 Changed 2 years ago by davidben

One possible deployment option is to eventually drop support for client auth on port 443 (assuming you guys are fine with that), leaving port 444 as vanilla HTTPS with client auth. I've verified from source-diving that Chrome doesn't do anything stupid like coalesce connections to the same IP but different ports. Even with this CREDENTIALS frame, I suspect the only SPDY+client-auth configuration that'll ever be tested much is TLS-OBC. (In fact, if they weren't working on TLS-OBC, I doubt Google would have bothered adding that frame. Looks like it was only added a few months ago anyway.) This also gives you a way to deploy TLS-OBC if that ever takes off, since it and client auth are mutually exclusive.

TLS-OBC: http://www.browserauth.net/

Mozilla's bug for client auth + SPDY: https://bugzilla.mozilla.org/show_bug.cgi?id=698230

When they added the frame: https://groups.google.com/forum/#!topic/spdy-dev/mF12FOiudVs/discussion
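
The split deployment described in comment:2 (SPDY on port 443 with no client auth, vanilla HTTPS with client auth on port 444), written out as an Apache configuration. This is an added example, not configuration from this ticket or from the project's own hosts; it assumes mod_spdy is installed alongside its NPN-capable mod_ssl, and the server name, module path and certificate paths are placeholders.

```apache
# Added example: two listeners so that SPDY stream pooling and TLS client
# authentication never share a connection. Paths and names are placeholders.
LoadModule spdy_module modules/mod_spdy.so

Listen 443
Listen 444

# Port 443: SPDY-capable, no client certificate requested.
# Browsers may pool streams for several hosts on this connection (comment:1);
# that is harmless here because no per-host client identity is involved.
<VirtualHost *:443>
    ServerName example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example.org.crt
    SSLCertificateKeyFile /etc/ssl/example.org.key
    SSLVerifyClient none
    SpdyEnabled on
</VirtualHost>

# Port 444: plain HTTPS with a client certificate required. SPDY is disabled so
# the one-handshake-per-connection assumption behind client auth still holds;
# mod_spdy (spdy/2) has no CREDENTIALS frame to make the two coexist.
<VirtualHost *:444>
    ServerName example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example.org.crt
    SSLCertificateKeyFile /etc/ssl/example.org.key
    # CA that issued the client certificates (placeholder path)
    SSLCACertificateFile  /etc/ssl/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 2
    SpdyEnabled off
</VirtualHost>
```

Run `apachectl -t` before reloading; Apache rejects trailing comments on directive lines, which is why every comment above sits on its own line.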

comment:3 Changed 2 years ago by davidben

> It's also possible this spec is newer than the current implementation in Firefox and Chrome and they'll just disable pooling for connections with client certs for now or something.

In fact, the CREDENTIALS frame was added in spdy/3 and current implementations are still spdy/2. Although Chrome is starting to put X% of users on some release channel on spdy/3, so I imagine server support on Google's end exists now and client support in Chrome is coming. I only see evidence of spdy/2 in Firefox for now. mod_spdy is also only spdy/2.
