Add SPDY support

[andersk]

In our infinite free time, we should play with ​mod_spdy which Google just released.

(davidben isn’t sure if it will work with client certificates, though.)

[davidben]

Client auth: The nuisance is that SPDY may multiplex multiple streams from even different origins over the same connection, so you don't always get a handshake per host. And, of course, the awful renegotiate hack breaks when you don't know what stream your CertificateRequest? associated with. So SPDY has a CREDENTIALS₁ control frame for adding new certificates to a slot (with a slot specified in SYN_STREAM). Given mod_spdy has issues with even SSLRequireSSL₂ right now, I suspect they don't have whatever glue is necessary to make this seamlessly. It's also possible this spec is newer than the current implementation in Firefox and Chrome and they'll just disable pooling for connections with client certs for now or something

Insert usual rant about how TLS client auth is broken and at completely the wrong layer.

₁ ​http://willchan.github.com/SPDY-Specification/draft-mbelshe-spdy-00.html#CREDENTIAL

₂ ​https://code.google.com/p/mod-spdy/issues/detail?id=31

[davidben]

One possible deployment option is to eventually drop support for client auth on port 443 (assuming you guys are fine with that), leaving port 444 as vanilla HTTPS with client auth. I've verified from source-diving that Chrome doesn't do anything stupid like coalesce connections to the same IP but different ports. Even with this CREDENTIALS frame, I suspect the only SPDY+client-auth configuration that'll ever be tested much is TLS-OBC. (In fact, if they weren't working on TLS-OBC, I doubt Google would have bothered adding that frame. Looks like it was only added a few months ago anyway.) This also gives you a way to deploy TLS-OBC if that ever takes off, since it and client auth are mutually exclusive.

TLS-OBC: ​http://www.browserauth.net/

Mozilla's bug for client auth + SPDY: ​https://bugzilla.mozilla.org/show_bug.cgi?id=698230

When they added the frame: ​https://groups.google.com/forum/#!topic/spdy-dev/mF12FOiudVs/discussion

[davidben]

It's also possible this spec is newer than the current implementation in Firefox and Chrome and they'll just disable pooling for connections with client certs for now or something.

In fact, the CREDENTIALS from was added in spdy/3 and currently implementations are still spdy/2. Although Chrome is starting to put X% of users on some release channel on spdy/3, so I imagine server support on Google's end exists now and client support in Chrome is coming. I only see evidence of spdy/2 in Firefox for now. mod_spdy is also only spdy/2.