jan-ivar
commented
5 months ago I don't think Firefox supports pooling yet, but I could be behind. @jesup ?
Closed martenrichter closed 5 months ago
jan-ivar
commented
5 months ago I don't think Firefox supports pooling yet, but I could be behind. @jesup ?
valenting
commented
5 months ago That is correct, Firefox doesn't currently support pooling Bug 1815735 - Implement pooling for webtransport
martenrichter
commented
5 months ago I am not 100% sure, but I will investigate it further (I need to look deeper into the code while fixing serverCertificatehashes). I think Firefox may only support pooling... as the connection hashes do not distinguish different sessions. (https://bugzilla.mozilla.org/show_bug.cgi?id=1873263)
vasilvv
commented
5 months ago So, at least in my interpretation (not sure whether this follows from the spec text currently), "allowPooling" does not just allow pooling two different WebTransport sessions, it specifically instructs the browser to use the default HTTP session pool (which would mean a pre-existing HTTP/3 connection that is also used for regular HTTP requests), and those have to follow regular certificate validation rules.
jan-ivar
commented
5 months ago @vasilvv is correct. allowPooling: true translates to newConnection = "no" in
Parsing that, it first calls:
...which may then bail early and return any existing connections that happen to match (i.e. pooling). Are certificates relevant here?
But then we still append that whole "if serverCertificateHashes is specified" section, and I don't see any specific language around when that does or doesn't apply. On first brush I see no reason why allowPooling: true changes anything in the case where this algorithm doesn't bail early.
jan-ivar
commented
5 months ago I guess it comes down to whether these certificate-hash-based connections end up in the "connection pool"?
martenrichter
commented
5 months ago it specifically instructs the browser to use the default HTTP session pool (which would mean a pre-existing HTTP/3 connection that is also used for regular HTTP requests),
Ok, that is also what I thought, and the regular certificate chain requirement can only be lifted if the network partition key (I assume that it is a hash uniquely identifying the connection) also contains something to mark the current collection of server CertificateHashes.
I guess it comes down to whether these certificate-hash-based connections end up in the "connection pool"?
Precisely, that is the question. My question was motivated by my desire to fix a web transport issue in the stream handling in Firefox (together with my lib), but for an easy test setup, I needed the serverCertificateHashes stuff. So I am fixing the implementation there, and at the moment, I think Firefox always used the connection pool, but I have to sort this out so that no connection with serverCertificateHashes compromises the standard pool.
jan-ivar
commented
5 months ago Meeting:
martenrichter
commented
5 months ago @jan-ivar Could you also please comment on the following (as you are from Mozilla): https://phabricator.services.mozilla.com/D197857 That is the work-in-progress patch for Firefox, which can also offer pooling with serverCertificatehashes, so that it steers in a useful direction.
jan-ivar
commented
5 months ago Meeting:
I am wondering why serverCertificateHashes does not allow pooling. If the connection hashes in the implementation include a sorted list of the supplied serverCertificateHashes, the implementation may pool if the hashes match. (Also, I think that Firefox currently always pools, but I am not sure if I understand the source correctly; it just looked like it in the debugger?)