Valentin V. Bartenev
vbart at nginx.com
Tue Jan 15 03:17:49 UTC 2013
On Tuesday 15 January 2013 05:55:43 digitalpoint wrote:
> Well... the underlying errors went away, but it seems the new SPDY patch
> broke being able to handle multiple hosts on the same SPDY connection now
> (it worked under 1.3.10 just fine).
> For example, we have an SSL cert for both digitalpoint.com and dpstatic.com
> (dpstatic.com is a cookieless domain for serving static content), so SPDY
> attempts to use the same connection for multiple hosts. See SPDY session
> list here:
> With the SPDY patch for 1.3.11, now requests to *.dpstatic.com are
> *actually* being sent to digitalpoint.com (and getting a file not found).
> So somehow during a SPDY connection, the host for an individual request is
> being ignored somewhere along the way.
> Top browser is Chrome (SPDY connection), bottom browser is Safari (no SPDY
> support)... the end result is a SPDY connection will yield different
> results vs the "traditional" SSL connection:
> Again, this worked as expected (ability for SPDY to properly share a
> connection across multiple hosts) with 1.3.10.
There is no difference between 1.3.10 and 1.3.11 in terms of SPDY.
In fact, 1.3.10 has serious bugs (see: http://nginx.org/en/CHANGES),
and you should use 1.3.11 instead.
The big difference is between spdy54 and spdy55+ patches. A large part of
the SPDY implementation was rewritten in spdy55, and also some relevant parts
of nginx got new code.
One of those changes makes nginx more RFC 6066 compliant. Here are some quotes:

    3. Server Name Indication

    If an application negotiates a server name using an application
    protocol and then upgrades to TLS, and if a server_name extension is
    sent, then the extension SHOULD contain the same name that was
    negotiated in the application protocol. If the server_name is
    established in the TLS session handshake, the client SHOULD NOT
    attempt to request a different server name at the application layer.

    11.1. Security Considerations for server_name

    Since it is possible for a client to present a different server_name
    in the application protocol, application server implementations that
    rely upon these names being the same MUST check to make sure the
    client did not present a different name in the application protocol.

And you will not find in SPDY draft.2 specification any information about
the "ability for SPDY to properly share a connection across multiple hosts":
Apparently by making TLS SNI in nginx more RFC-compliant I unintentionally
Well, it's safe to use spdy54 with 1.3.11:
and I recommend you use it while I think about a solution.
Thanks again for testing. I hope to fix the issue soon.
wbr, Valentin V. Bartenev
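The RFC 6066 section 11.1 check that this thread turns on, applied to the reported scenario, as an added example. This is not nginx's code and not something either poster wrote: the host names are the ones from the report, while the VHOSTS table, the three policy names and all function names are constructed here for illustration.

```python
"""Added example (not nginx's code, not from the thread): the server-side
check RFC 6066 section 11.1 requires, run against the reported case where a
SPDY connection negotiated for digitalpoint.com carried a request for a
dpstatic.com host.  Host names come from the report; the VHOSTS table, the
policy names and the function names are constructed for this example."""

from typing import Dict, Optional


def normalize_host(name: str) -> str:
    """Canonicalise a host name for comparison: drop an optional :port,
    a trailing dot and case differences.  A bracketed IPv6 literal keeps
    the colons inside the brackets."""
    name = name.strip()
    if name.startswith("["):
        end = name.find("]")
        if end == -1:
            raise ValueError("unterminated IPv6 literal: %r" % name)
        name = name[1:end]
    elif name.count(":") == 1:
        name = name.rsplit(":", 1)[0]
    return name.lower().rstrip(".")


def sni_matches_request(sni_name: Optional[str], request_host: str) -> bool:
    """True when the application-layer host agrees with the TLS server_name.
    No SNI at all imposes no constraint (the client never named a server)."""
    if not sni_name:
        return True
    return normalize_host(sni_name) == normalize_host(request_host)


def lookup_vhost(host: str, vhosts: Dict[str, str]) -> Optional[str]:
    """Exact match first, then a '*.parent' wildcard entry (as in the
    report's *.dpstatic.com), so cdn.dpstatic.com resolves to *.dpstatic.com."""
    if host in vhosts:
        return host
    parts = host.split(".", 1)
    if len(parts) == 2 and "*." + parts[1] in vhosts:
        return "*." + parts[1]
    return None


def select_vhost(sni_name: Optional[str], request_host: str,
                 vhosts: Dict[str, str], policy: str = "strict") -> Optional[str]:
    """Pick the virtual host for one request on a TLS connection.

    by_sni  : trust the TLS name and ignore the request's host (a request for
              a dpstatic.com host on a digitalpoint.com connection lands on
              digitalpoint.com, which is what the report observed)
    by_host : trust the request's host and ignore SNI (a client can name one
              server in TLS and reach another at the application layer,
              the situation RFC 6066 section 11.1 warns about)
    strict  : require the two names to agree and refuse the request otherwise
    Returns the matching vhost key, or None when the request is refused."""
    host = normalize_host(request_host)
    sni = normalize_host(sni_name) if sni_name else None
    if policy == "by_sni":
        return lookup_vhost(sni, vhosts) if sni else lookup_vhost(host, vhosts)
    if policy == "by_host":
        return lookup_vhost(host, vhosts)
    if policy == "strict":
        if sni is not None and sni != host:
            return None
        return lookup_vhost(host, vhosts)
    raise ValueError("unknown policy %r" % policy)


# Constructed table standing in for two server blocks.
VHOSTS = {"digitalpoint.com": "main site", "*.dpstatic.com": "static files"}


def report_scenario(policy: str) -> Optional[str]:
    """The thread's case: the browser negotiated SNI digitalpoint.com, then
    sent a request for a dpstatic.com host over the same SPDY connection
    (the cdn. label and :443 suffix are constructed)."""
    return select_vhost("digitalpoint.com", "cdn.dpstatic.com:443", VHOSTS, policy)


if __name__ == "__main__":
    for policy in ("by_sni", "by_host", "strict"):
        print(policy, "->", report_scenario(policy))
```

Running the three policies on the reported request shows the trade-off: by_sni reproduces the misrouting to digitalpoint.com, by_host serves the static vhost but accepts a name the TLS handshake never validated, and strict refuses the request rather than guessing, which is the only outcome the RFC's MUST permits when the two names differ.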