Fixing the “Misdirected Request” Issue in Safari with HTTP/2 and TLS Negotiation

When using HTTP/2 with TLS negotiation for multiple domains, you may encounter the ‘Misdirected Request’ error (HTTP 421) in Safari. This issue arises due to the server’s handling of cross-domain connection reuse and can be traced back to the following sequence of events:

Sequence of Events Leading to the Error:

1. HTTP/2 Support: Both the server and client support and utilize HTTP/2.
2. Initial Request: The client requests a page from foo.example.com.
3. TLS Negotiation: During TLS negotiation, the server presents a certificate valid for both foo.example.com and bar.example.com. This is often done using a wildcard or SAN (Subject Alternative Name) certificate, and the client accepts it.
4. Connection Reuse: The client attempts to reuse the connection to make a request to bar.example.com.
5. Server’s Response: The server is either unable or unwilling to support cross-domain connection reuse and responds with an HTTP 421 status code. This may occur due to specific server configurations, such as Apache’s desire to force a TLS renegotiation.
6. Client Behavior: The client (Safari, in this case) does not automatically retry with a new connection. While the relevant RFC states that the client MAY retry, it does not mandate that the client SHOULD or MUST do so.

Addressing the Issue:

While you cannot control the client’s behavior (step 6), you can mitigate the issue by addressing step 5. Here are a few potential solutions:

1. Consult Server Documentation:
   • Review your server’s HTTP/2 documentation to understand how and when it sends the HTTP 421 status code.
   • Adjust your server configuration to better handle cross-domain connection reuse.
2. Separate Certificates:
   • Consider issuing separate certificates for each domain (foo.example.com and bar.example.com). While this approach increases administrative overhead, it can help avoid the issue altogether.
3. Disable HTTP/2:
   • As a last resort, you could disable HTTP/2 entirely. This solution is likely overkill and not recommended for most cases, as it sacrifices the performance benefits of HTTP/2.

Practical Steps for Apache Servers:

If you’re using Apache, the issue may stem from its handling of TLS renegotiation. Here are specific steps you can take:

1. Check Apache Configuration:
   • Ensure that your Apache configuration supports cross-domain connection reuse. This might involve adjusting settings related to SSL/TLS and HTTP/2.
2. Adjust SSL Configuration:
   • Modify your SSL configuration to avoid triggering TLS renegotiation. This might include ensuring that all relevant domains are included in the same certificate and configuring Apache to handle these connections more gracefully.
3. Update Apache:
   • Ensure that you’re using the latest version of Apache, as updates may include fixes or improvements related to this issue.

Conclusion:

The ‘Misdirected Request’ issue in Safari can be frustrating, but understanding the sequence of events and potential fixes can help you mitigate the problem. By consulting your server’s documentation, considering separate certificates, or making specific configuration adjustments, you can ensure a smoother experience for users accessing your sites via HTTP/2.

Tags: HTTP/2, TLS Negotiation, Misdirected Request, Safari, SSL Certificate, Apache Configuration, Web Development, Cross-Domain Connection Reuse

---

Feel free to modify the tags or content to better fit your specific audience and use case.