From: Stefan Eissing Date: Thu, 7 Mar 2019 10:18:14 +0000 (+0000) Subject: Adding new H2Padding directive. X-Git-Tag: 2.5.0-alpha2-ci-test-only~2123 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0b59426e054e658921094b4391898455d5408f43;p=thirdparty%2Fapache%2Fhttpd.git Adding new H2Padding directive. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1854964 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/manual/mod/mod_http2.xml b/docs/manual/mod/mod_http2.xml index 53332be9dd2..988a7e91104 100644 --- a/docs/manual/mod/mod_http2.xml +++ b/docs/manual/mod/mod_http2.xml @@ -946,4 +946,41 @@ H2TLSCoolDownSecs 0 + + H2Padding + Determine the range of padding bytes added to payload frames + H2Padding numbits + H2Padding 0 + + server config + virtual host + + Available in version 2.4.39 and later. + + +

+ With the default 0, no padding bytes are added to any payload + frames, e.g. HEADERS, DATA and PUSH_PROMISE. This is the behaviour + of previous versions. It means that under certain conditions, an + observer of network traffic can see the length of those frames + in the TLS stream. +

+

+ When configuring numbits of 1-8, a random number in range + [0, 2^numbits[ are added to each frame. The random value is chosen + independantly for each frame that the module sends back to the client. +

+

+ While more padding bytes give better message length obfuscation, they + are also additional traffic. The optimal number therefore depends on + the kind of web traffic the server carries. +

+

+ The default of 0, e.g. no padding, was chosen for maximum backward + compatibility. There might be deployments where padding bytes are + unwanted or do harm. The most likely cause would be a client that + has a faults implementation. +

+
+
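Review bot: In the second paragraph of the new H2Padding usage text, "a random number in range [0, 2^numbits[ are added to each frame" never says what is added and leans on half-open bracket notation that is easy to misread. Suggest something like "between 0 and 2^numbits - 1 padding bytes are added to each frame", which also fixes the subject/verb disagreement. The text gives 0 and 1-8 as the meaningful values but does not say what happens for a numbits outside that range; that belongs next to the syntax line. Since the padding value is drawn independently per frame, it would help administrators if the third paragraph said what "better message length obfuscation" does and does not cover, for example whether an observer who sees the same response many times is still kept from estimating its length. Spelling and wording in the added lines: "independantly" should be "independently", "has a faults implementation" should be "has a faulty implementation", and "The default of 0, e.g. no padding" should read "i.e. no padding".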