by brians
2786 days ago
That’s a great write-up. Another important change is that renegotiation to add client certs is no longer supported. Old HTTPS could work like this:
C->S: handshake, no client cert
C->S: GET /
C<-S: here you go
C->S: POST /launch?target=Moscow
C<-S: server-initiated-renegotiation
C->S: everything from *this* byte on is covered by
C->S: client cert
C<-S: okay, launched
That is, the entangling of HTTP & TLS made some assumptions about the authentication parts being there for controlling read access, not about authenticating writes. Whoops. Nearly nobody using client certs wanted that behavior. Now there are much simpler mechanisms with many fewer bizarre side effects proposed at https://tools.ietf.org/id/draft-ietf-httpbis-http2-secondary...
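The exchange described in the comment above, as an added example that is not part of the original post or of any real TLS or HTTP implementation: a constructed Python simulation in which a legacy HTTPS server obtains the client certificate by server-initiated renegotiation after the protected POST has already been read, and an HTTP/2-style server that, with renegotiation forbidden, can only refuse the request and tell the client to retry over HTTP/1.1 (RFC 7540's HTTP_1_1_REQUIRED error). The class names, the transcript strings and the "which paths need a cert" policy are all assumptions made for the illustration.

```python
# Added example, not code from the original comment. Constructed simulation
# of the renegotiation exchange; no real TLS or HTTP is involved, and every
# class, message string and policy here is an assumption for illustration.

from dataclasses import dataclass, field
from typing import Optional

# What an HTTP/2 server may send when it cannot authenticate a request without
# renegotiation: an RST_STREAM with HTTP_1_1_REQUIRED (0xd, RFC 7540), asking
# the client to retry over HTTP/1.1 with the cert in its initial handshake.
RST_HTTP_1_1_REQUIRED = "RST_STREAM HTTP_1_1_REQUIRED (0xd)"


@dataclass
class Request:
    method: str
    path: str
    # Peer identity the server had when the request bytes were read.
    peer_at_receipt: Optional[str] = None
    # Peer identity the server used when it acted on the request.
    peer_at_action: Optional[str] = None


@dataclass
class LegacyHttpsServer:
    """HTTP/1.1 over TLS where server-initiated renegotiation is allowed.

    Paths in ``cert_paths`` are protected: if no client cert is present when
    such a request arrives, the server renegotiates to obtain one and then
    acts on the already-received request under the new identity."""
    cert_paths: frozenset
    peer_cert: Optional[str] = None
    transcript: list = field(default_factory=list)

    def handle(self, req: Request, client_cert: Optional[str]) -> str:
        self.transcript.append(f"C->S: {req.method} {req.path}")
        req.peer_at_receipt = self.peer_cert
        if req.path in self.cert_paths and self.peer_cert is None:
            # Server-initiated renegotiation: the cert arrives after the request.
            self.transcript.append("C<-S: renegotiate")
            if client_cert is None:
                self.transcript.append("C<-S: handshake failure")
                return "HTTP 403"
            self.transcript.append(f"C->S: client cert ({client_cert})")
            self.peer_cert = client_cert
        req.peer_at_action = self.peer_cert
        self.transcript.append(f"C<-S: 200 (acting as {self.peer_cert})")
        return "HTTP 200"


@dataclass
class Http2Server:
    """HTTP/2 over TLS: renegotiation is forbidden after the connection preface,
    so the peer identity is whatever the initial handshake established."""
    cert_paths: frozenset
    peer_cert: Optional[str] = None
    transcript: list = field(default_factory=list)

    def handle(self, req: Request, client_cert: Optional[str]) -> str:
        # client_cert is deliberately ignored: it cannot be presented mid-connection.
        self.transcript.append(f"C->S: {req.method} {req.path}")
        req.peer_at_receipt = self.peer_cert
        if req.path in self.cert_paths and self.peer_cert is None:
            self.transcript.append(f"C<-S: {RST_HTTP_1_1_REQUIRED}")
            return RST_HTTP_1_1_REQUIRED
        req.peer_at_action = self.peer_cert
        self.transcript.append(f"C<-S: 200 (acting as {self.peer_cert})")
        return "HTTP 200"


def write_authenticated_after_receipt(server, client_cert: Optional[str] = "alice") -> bool:
    """True when a protected POST was acted on under an identity that was not
    present when the request bytes were read: the 'whoops' in the comment."""
    req = Request("POST", "/launch?target=Moscow")
    outcome = server.handle(req, client_cert)
    return outcome == "HTTP 200" and req.peer_at_receipt is None and req.peer_at_action is not None


if __name__ == "__main__":
    protected = frozenset({"/launch?target=Moscow"})
    legacy = LegacyHttpsServer(protected)
    print("legacy:", write_authenticated_after_receipt(legacy), legacy.transcript)
    h2 = Http2Server(protected)
    print("http2: ", write_authenticated_after_receipt(h2), h2.transcript)
```

The legacy server's transcript reproduces the comment's sequence (request, renegotiate, client cert, "okay, launched"), and the check returns True because the POST was read with no peer identity and executed as "alice". The HTTP/2 server never reaches that state: a protected request on a connection whose handshake carried no cert is rejected, and the only way to get a 200 is to construct the server with the cert already established by the initial handshake.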