Topic: http2 and client certificate
timo
Joined: 03 Jun 2012 Posts: 45 Location: FI, EU
Posted: Mon 11 Jul '16 14:18 Post subject: http2 and client certificate
I use client certificate to access my server, and optionally username/password.
Client certificate is used when I access the server from my own laptop, and username/password if I'm on a computer that doesn't have my certificate installed.
With http2 disabled this works just fine.
If I enable http2, the client certificate is not accepted, the server always asks for username/password.
Nothing related to this on Apache logs, so I don't actually know if the certificate is rejected or bypassed or something else.
Any clue what might be causing this?
Apache 2.4.23 x64, Windows 10 Pro
icing
Joined: 22 Sep 2015 Posts: 41 Location: Münster, Germany
Posted: Mon 11 Jul '16 14:37 Post subject:
There are currently some limitations when it comes to HTTP/2 and TLS with client certificates. The HTTP standard guys are working on a protocol extension for this, but it will be some time before this gets deployed in servers and browsers.
The problem that you see is that often client certificates are used not everywhere on the server, but in certain locations.
That means the TLS connection is set up, you make a request for a resource that is protected by client certs and this triggers a TLS renegotiation. Server asks for a cert, client provides one and the request gets processed. That is how it works in HTTP/1.1
In HTTP/2, there can be several requests in parallel on the same TLS connection. And that is why renegotiations are forbidden in HTTP/2: renegotiations can step on each other's toes, so to speak.
Instead, and this is what mod_h2 does, a request which would trigger renegotiation is denied with the special HTTP/2 error code HTTP_1_1_REQUIRED. This should tell the client to remake the request using only HTTP/1.1. However this is not implemented by everyone, it seems.
Hope this explains the situation a bit.
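As an added illustration of the distinction icing draws (example configuration, not from this thread or from mod_h2): fragment A scopes SSLVerifyClient to a Location, so the certificate can only be requested by a TLS renegotiation, which mod_h2 refuses with HTTP_1_1_REQUIRED; fragment B asks for the certificate in the initial TLS handshake at VirtualHost level, so no renegotiation is ever needed, and a Location can then accept either a verified certificate or a username/password. Hostname, file paths and the /secure location are placeholders.

```apache
# (A) Renegotiation-triggering layout: the certificate is requested only
#     once a request hits /secure, i.e. after the TLS handshake is done.
<VirtualHost *:443>
    ServerName example.test
    Protocols h2 http/1.1
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
    SSLCACertificateFile  /path/to/client-ca.crt

    <Location /secure>
        # Per-location verification => TLS renegotiation => denied under HTTP/2
        SSLVerifyClient require
        SSLVerifyDepth  2
    </Location>
</VirtualHost>

# (B) Certificate requested in the initial handshake: SSLVerifyClient sits
#     in the VirtualHost, so the client presents it (or not) before any
#     HTTP/2 stream exists. "optional" keeps clients without a certificate
#     connected; they fall through to Basic authentication below.
<VirtualHost *:443>
    ServerName example.test
    Protocols h2 http/1.1
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key
    SSLCACertificateFile  /path/to/client-ca.crt
    SSLVerifyClient optional
    SSLVerifyDepth  2

    <Location /secure>
        AuthType Basic
        AuthName "Restricted"
        AuthUserFile /path/to/htpasswd
        # Accept a verified client certificate OR a valid username/password.
        # ssl-verify-client needs no user, so when the certificate checks out
        # the Basic prompt is never issued.
        <RequireAny>
            Require ssl-verify-client
            Require valid-user
        </RequireAny>
    </Location>
</VirtualHost>
```

Run `httpd -t` after editing; with fragment B the certificate status is visible per request via the SSL_CLIENT_VERIFY variable, which is what the ssl-verify-client provider checks.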
timo
Joined: 03 Jun 2012 Posts: 45 Location: FI, EU
Posted: Mon 11 Jul '16 14:52 Post subject:
Ok, I understand the problem now.
I'll keep HTTP/2 disabled until this is solved.