On Mon, May 8, 2017 at 8:55 AM, Anne van Kesteren wrote:
> Okay, so instead of failing the connection you fail just the request.
> Are you also saying that only HTTP/1 can have authenticated
> connections at this point?
I am saying fail the request. The disposition of the connection is a
protocol detail depending on the auth details.. It seems for
TLS-client-auth you would need to fail the connection because the http bits
are stalled mid flight, but for something like NTLM you have a clean
resolution to the auth trigger (it came back with a 401 that we're not
going to act on) and the connection could still be used for other requests.
wrt h1 - yes, I believe right now the only client-authenticated connections
are in h1.