
Firefox HTTP/2 & IPv6: Webserver Subdomain Configuration Pitfall

Conditions

  • two (or more) subdomains (same domain)
  • …that share a common wildcard SSL certificate
  • on the same host (same IPv4 address)
  • but with different IPv6 addresses
  • client: Firefox (only Firefox has this behavior)
  • use HTTP/2
  • use IPv6

Expected behavior

  • foo.example.com in location bar shows foo.example.com
  • bar.example.com in location bar shows bar.example.com

Observed behavior

Requests for the second host (bar) are sent to the first host (foo): bar.example.com in the location bar shows the contents of foo.example.com.

Explanation

With HTTP/2, Firefox shares connections to web servers („pooling“, also called connection coalescing) to speed up page loading by skipping the TLS handshake and TCP slow start. Firefox decides which connections can be pooled not by comparing hostnames, but by comparing the IPv4 address and the certificate: if the IPv4 address of the second host (bar) matches the IPv4 address of the first host (foo) AND the certificate presented by foo is also valid for bar, the existing connection to foo is reused for bar, even when that connection was opened over IPv6.

Problem

The web server may not be configured to serve the contents of bar when someone connects to the IPv6 address of foo. Web server administrators who were glad that IPv6 removes the need for SNI and name-based virtual hosting (like me) may have configured their servers on the false assumption that, if an IPv6 address is published for hostname foo, incoming connections for that hostname will arrive at that IP address.

The behavior of Firefox is highly unexpected – or simply wrong.

Workaround

There are many obvious workarounds, but all of them have disadvantages.

  1. use different certificates (cheap nowadays) or
  2. use the same IPv6 address (use name-based virtual hosting and SNI even when using IPv6) or
  3. use HTTP status code 421 (Misdirected Request) to answer „misguided“ requests
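To make the explanation and workaround 3 concrete, here is an added example (not code from the original post or from Firefox) in Python. It models the coalescing decision as the post describes it (same IPv4 address plus a certificate that covers the second name), lists the hostname pairs in a deployment that are affected (coalescable but living on different IPv6 addresses), and shows the 421 check a web server can apply before serving a request. All hostnames, addresses, SAN entries and the vhost table are constructed for the example; real servers would take them from DNS, the certificate and their configuration.

```python
"""Added example: Firefox-style HTTP/2 connection coalescing and the 421
Misdirected Request check. All data below is constructed, not real."""
from ipaddress import ip_address

# Constructed DNS data: each name has an A (IPv4) and an AAAA (IPv6) record.
# foo and bar share an IPv4 address but have different IPv6 addresses.
DNS = {
    "foo.example.com": {"A": "192.0.2.10", "AAAA": "2001:db8::10"},
    "bar.example.com": {"A": "192.0.2.10", "AAAA": "2001:db8::20"},
    "baz.example.com": {"A": "192.0.2.30", "AAAA": "2001:db8::30"},
}

# Constructed certificate: one wildcard certificate shared by all vhosts.
CERT_SANS = ["*.example.com"]


def cert_covers(hostname, sans=CERT_SANS):
    """True if a SAN entry matches hostname. A wildcard covers exactly one
    label left of its suffix (so *.example.com does not cover a.b.example.com)."""
    for san in sans:
        if san.startswith("*."):
            suffix = san[1:]  # ".example.com"
            if hostname.endswith(suffix):
                left = hostname[: -len(suffix)]
                if left and "." not in left:
                    return True
        elif san == hostname:
            return True
    return False


def will_coalesce(origin, candidate, dns=DNS, sans=CERT_SANS):
    """Coalescing decision as the post describes it: reuse the open connection
    to `origin` for `candidate` when the certificate covers the candidate and
    both names resolve to the same IPv4 address. The IPv6 addresses are not
    consulted, which is the pitfall."""
    if not cert_covers(candidate, sans):
        return False
    return dns[origin]["A"] == dns[candidate]["A"]


def affected_pairs(dns=DNS, sans=CERT_SANS):
    """(origin, candidate) pairs where a pooled IPv6 connection to origin would
    carry requests for candidate although candidate lives on another IPv6 address.
    Use this against your own DNS data and SAN list to see if you are affected."""
    names = sorted(dns)
    return [
        (a, b)
        for a in names
        for b in names
        if a != b and will_coalesce(a, b, dns, sans) and dns[a]["AAAA"] != dns[b]["AAAA"]
    ]


# Constructed vhost table: which hostnames each listening address is configured
# to serve. The IPv6 addresses are one-host-per-address; IPv4 uses SNI/name-based hosting.
VHOSTS = {
    "2001:db8::10": {"foo.example.com"},
    "2001:db8::20": {"bar.example.com"},
    "192.0.2.10": {"foo.example.com", "bar.example.com"},
}


def route_request(local_addr, authority, vhosts=VHOSTS):
    """Workaround 3: if the request's :authority (Host) is not served on the
    address the connection arrived at, answer 421 Misdirected Request instead
    of serving another vhost's content. Assumes authority is a hostname with an
    optional port, not an IP literal. Returns (status, served_hostname)."""
    host = authority.split(":")[0].lower()   # drop an explicit ":443"
    local = str(ip_address(local_addr))      # normalise the textual address form
    if host in vhosts.get(local, set()):
        return 200, host
    return 421, None


if __name__ == "__main__":
    print("affected pairs:", affected_pairs())
    print("bar via foo's IPv6 address:", route_request("2001:db8::10", "bar.example.com"))
    print("bar via shared IPv4 address:", route_request("192.0.2.10", "bar.example.com"))
```

Per RFC 7540 section 9.1.2, a client that receives 421 may retry the request over a different connection, so the 421 answer causes the browser to open a fresh connection to bar's own address rather than showing foo's content. Running `affected_pairs()` over real DNS and SAN data is the quickest way to check whether a deployment with per-host IPv6 addresses is exposed before deciding between the three workarounds.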

Links

Bugzilla: Firefox should decide whether reuse connection separately for IPv4 and IPv6

Daniel Stenberg: HTTP/2 connection coalescing

RFC 7540 Hypertext Transfer Protocol Version 2 (HTTP/2): 9.1.1. Connection Reuse