> > As you may see, RFC clearly states that valid certificate is an ADDITIONAL
> > condition. In other words, if existing connection CAN be reused for HTTP,
> > only then you should check for additional requirement - certificate should
> > be valid.
>
> So you're now arguing that if a browser would speak HTTP/2 over plain TCP you
> think it should reuse connections for this setup even when there's no certs
> involved?
>
No, I'm 100% sure the browser MUST NOT reuse connection to IP_ADDR_2 while speaking to
host_2.domain.com, if
host_2.domain.com doesn't have A or AAAA record matching IP_ADDR_2. Regardless of HTTP or HTTPS being used.
> I think we're mostly moving in circles.
Yep, looks like we are.
> I've not seen you explain how this causes actual real-life problems (in a
> scenario where you don't install a malicious party's CA cert yourself). Can you
> help me understand?
Real life example.
Corporate intranet. Intranet sites are accessible via TLS encrypted connections, all of them are sharing wildcard certificate, something like *.
intranet.company.com
The certificate is not malicious, this is legitimate certificate.
Host_1.intranet.domain.com have 2 mirrors - one on the server with IP_1 _v4 and IP_2_v6
2nd mirror is on another server, which has only v4 address : IP_3_v4
Host_2.intranet.domain.com is a smaller web site, which is hosted only on one single IP_3_v4.
What happens is that users are unable to access
host_2.intranet.domain.com using FireFox because FF always trying to re-use connection to IP_2_v6.
We are arguing about RFC interpretation. I can see several places in the RFC proving your implementation is wrong :
Section 9.1
Clients SHOULD NOT open more than one HTTP/2 connection to a given
host and port pair, where the host is derived from a URI, a selected
alternative service [ALT-SVC], or a configured proxy.
Let's look at the URI
https://host_2.intranet.company.com/ . The only possible host and port pair that can derive from that URI is IP_3_v4:443 . Therefore the browser must open a new connection and not try to reuse old one to IP_2_v6.
Section 9.1.1
As I said before, valid certificate is an ADDITIONAL condition (which is clearly stated in RFC) for HTTPS connections. I.e. certificate should be considered only if all the rest of conditions are met and authority of the server is established.
I.e. presence of wildcard certificate can't be a REASON why connection is reused. It's just an additional condition to determine if connection can be reused or not.