Welcome! Log In Create A New Profile

Advanced

Re: 1.3.11 Issues?

Valentin V. Bartenev
January 14, 2013 10:18PM
On Tuesday 15 January 2013 05:55:43 digitalpoint wrote:
> Well... the underlying errors went away, but it seems the new SPDY patch
> broke being able to handle multiple hosts on the same SPDY connection now
> (it worked under 1.3.10 just fine).
>
> For example, we have a SSL cert for both digitalpoint.com and dpstatic.com
> (dpstatic.com is a cookieless domain for serving static content), so SPDY
> attempts to use the same connection for multiple hosts. See SPDY session
> list here:
> http://f.cl.ly/items/0T1u3g0h0e1A0D1g2N0s/Image%202013.01.08%2011:59:48%20A
> M.png
>
> With the SPDY patch for 1.3.11, now requests to *.dpstatic.com are
> *actually* being sent to digitalpoint.com (and getting a file not found).
> So somehow during a SPDY connection, the host for an individual request is
> being ignored somewhere along the way.
>
> Top browser is Chrome (SPDY connection), bottom browser is Safari (no SPDY
> support)... the end result is a SPDY connection will yield different
> results vs the "traditional" SSL connection:
> http://f.cl.ly/items/3K1Q2N1I3B000c0b0614/Image%202013.01.14%205:52:31%20PM
> .png
>
> Again, this worked as expected (ability for SPDY to properly share a
> connection across multiple hosts) with 1.3.10.
>

There is no difference between 1.3.10 and 1.3.11 in terms of SPDY.
In fact, 1.3.10 has serious bugs (see: http://nginx.org/en/CHANGES),
and you should use 1.3.11 instead.

The big difference is between spdy54 and spdy55+ patches. A large part of
SPDY implementation was rewritten in spdy55, and also some relevant parts
of nginx got new code.

One of those changes makes nginx more RFC 6066 compliant. Here is some quotes:

3. Server Name Indication

[...]

If an application negotiates a server name using an application
protocol and then upgrades to TLS, and if a server_name extension is
sent, then the extension SHOULD contain the same name that was
negotiated in the application protocol. If the server_name is
established in the TLS session handshake, the client SHOULD NOT
attempt to request a different server name at the application layer.

11.1. Security Considerations for server_name

[...]

Since it is possible for a client to present a different server_name
in the application protocol, application server implementations that
rely upon these names being the same MUST check to make sure the
client did not present a different name in the application protocol.

from http://tools.ietf.org/html/rfc6066

And you will not find in SPDY draft.2 specification any information about
the "ability for SPDY to properly share a connection across multiple hosts":
http://dev.chromium.org/spdy/spdy-protocol/spdy-protocol-draft2

Apparently by making TLS SNI in nginx more RFC-compliant I unintentionally
broke SPDY.

Well, it's safe to use spdy54 with 1.3.11:
http://nginx.org/patches/spdy/patch.spdy-54.txt
and I recommend you to use it while I will think about a solution.

Thanks again for testing. I hope to fix the issue soon.

wbr, Valentin V. Bartenev

--
http://nginx.com/support.html
http://nginx.org/en/donation.html

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

1.3.11 Issues?

digitalpoint January 14, 2013 05:50PM

Re: 1.3.11 Issues?

Valentin V. Bartenev January 14, 2013 06:02PM

Re: 1.3.11 Issues?

digitalpoint January 14, 2013 06:05PM

Re: 1.3.11 Issues?

Valentin V. Bartenev January 14, 2013 06:18PM

Re: 1.3.11 Issues?

digitalpoint January 14, 2013 06:46PM

Re: 1.3.11 Issues?

Valentin V. Bartenev January 14, 2013 07:08PM

Re: 1.3.11 Issues?

digitalpoint January 14, 2013 07:21PM

Re: 1.3.11 Issues?

Valentin V. Bartenev January 14, 2013 08:24PM

Re: 1.3.11 Issues?

digitalpoint January 14, 2013 08:55PM

Re: 1.3.11 Issues?

Valentin V. Bartenev January 14, 2013 10:18PM

Re: 1.3.11 Issues?

digitalpoint January 14, 2013 10:50PM

Re: 1.3.11 Issues?

Valentin V. Bartenev January 27, 2013 10:24AM

Re: 1.3.11 Issues?

digitalpoint January 28, 2013 02:20PM

Re: 1.3.11 Issues?

Valentin V. Bartenev January 28, 2013 02:36PM

Re: 1.3.11 Issues?

digitalpoint January 28, 2013 03:32PM

Re: 1.3.11 Issues?

digitalpoint January 27, 2013 05:01PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 53
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready