logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: http2 and client certificate
Author
timo



Joined: 03 Jun 2012
Posts: 45
Location: FI, EU

PostPosted: Mon 11 Jul '16 14:18    Post subject: http2 and client certificate Reply with quote

I use client certificate to access my server, and optionally username/password.
Client certicate is used when I access the server from my own laptop, and username/password if I'm on such a computer that hasn't my certificate installed.

With http2 disabled this works just fine.

If I enable http2, the client certificate is not accepted, the server always asks for username/password.

Nothing related to this on Apache logs, so I don't actually know if the certificate is rejected or bypassed or something else.

Any clue what might be causing this?

Apache 2.4.23 x64, Windows 10 Pro
Back to top
icing



Joined: 22 Sep 2015
Posts: 41
Location: Münster, Germany

PostPosted: Mon 11 Jul '16 14:37    Post subject: Reply with quote

There are currently some limitations when it comes to HTTP/2 and TLS with client ceritifactes. The HTTP standard guys are working on a protocol extension for this, but it will be some time before this gets deployed in servers and browsers.

The problem that you see is that often client certificates are used not everywhere on the server, but in certain locations.

That means the TLS connection is set up, you make a request for a resource that is protected by client certs and this triggers a TLS renegotiation. Server asks for a cert, client provides one and the request gets processed. That is how it works in HTTP/1.1

In HTTP/2, there can be several requests in parallel on the same TLS connection. And that is why renegotiations are forbidden in HTTP/2. Because renegotiations can step on each others toes, so to speak.

Instead, and this is what mod_h2 does, a request which would trigger renegotiation is denied with the special HTTP/2 error code HTTP_1_1_REQUIRED. This should tell the client to remake the request using only HTTP/1.1. However this is not implemented by everyone, it seems.

Hope this explains the situation a bit.
Back to top
timo



Joined: 03 Jun 2012
Posts: 45
Location: FI, EU

PostPosted: Mon 11 Jul '16 14:52    Post subject: Reply with quote

Ok, I understand the problem now.

I'll keep HTTP/2 disabled until this is solved.
Back to top


Reply to topic   Topic: http2 and client certificate View previous topic :: View next topic
Post new topic   Forum Index -> Apache