Use http2.originSet for socket/session re-use #16

Open
grantila opened this issue Apr 9, 2018 · 3 comments
Comments

@grantila
Owner

grantila commented Apr 9, 2018

As described here: https://nodejs.org/dist/latest-v9.x/docs/api/http2.html#http2_http2session_originset

@grantila
Owner Author

Help on this is welcome, if it's of some importance to anyone.

  • Can the originSet be trusted to use as-is?
  • Does Node.js filter invalid results?
  • Does Node.js check that origins match the TLS origins to not have bad servers pretending to authorize 3rd party origins?

@colinbendell
Contributor

It appears that originSet always reports the current origin (servername from the TLS socket). I suspect that it was originally planned to reflect the Origin frame if the spec were to ever land. So currently originSet is not of much use in practical use cases.

However, session.socket.getPeerCertificate().subjectaltname does provide the available SANs on the connected certificate. I would propose a new ContextOption that allows trusting the TLS certificate without a DNS lookup (or allows for a DNS lookup as an elevated situation).
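
Added example, not part of the thread and not code from this project or Node.js: one way to check whether the certificate of an already-open session covers another origin before re-using the session for it, delegating the SAN and wildcard matching to Node's `tls.checkServerIdentity`. The helper names and the sample certificate are assumptions made for illustration; on a live session the certificate object would come from `session.socket.getPeerCertificate()`. It covers only the certificate check, not the DNS lookup the comment proposes making optional.

```javascript
const tls = require('tls');

// Constructed sample in the shape of a peer certificate object;
// not captured from a real server.
const sampleCert = {
  subject: { CN: 'example.com' },
  subjectaltname: 'DNS:example.com, DNS:*.example.com',
};

// Hypothetical helper: true only if `origin` is an https origin whose
// host is covered by the certificate's subjectAltName entries.
function certCoversOrigin(cert, origin) {
  let url;
  try {
    url = new URL(origin);
  } catch {
    return false; // unparsable origin: never re-use
  }
  if (url.protocol !== 'https:') return false;
  // No certificate, or one without SANs: fail closed rather than
  // falling back to the subject CN.
  if (!cert || !cert.subjectaltname) return false;
  // checkServerIdentity returns undefined on a match and an Error
  // otherwise; a wildcard covers a single left-most label only.
  return tls.checkServerIdentity(url.hostname, cert) === undefined;
}

// Hypothetical helper: filter candidate origins down to those the
// connected certificate is valid for.
function reusableOrigins(cert, candidates) {
  return candidates.filter((origin) => certCoversOrigin(cert, origin));
}

// Constructed candidate list for demonstration.
const candidates = [
  'https://example.com',
  'https://api.example.com',
  'https://a.b.example.com', // two labels below the wildcard: rejected
  'https://third-party.test', // not in the certificate: rejected
  'http://example.com',       // not https: rejected
];
console.log(reusableOrigins(sampleCert, candidates));
```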

@szmarczak

You can use http2wrapper.Agent. We already use http2-wrapper in Got.
