
net/http: HTTP/2 cipher suites validation #14622

Closed
trajber opened this issue Mar 3, 2016 · 3 comments

@trajber

commented Mar 3, 2016

If tls.Config.CipherSuites is set with an invalid sequence and the http.Server.TLSConfig is set with it, the http.Server.Serve method returns an error.

Since http.Server.Start will update the http.Server.TLSConfig if it can, why doesn't the http.Server.Serve method return an error when an invalid cipher sequence is used, as in the following example?

http://play.golang.org/p/KGe4oi_6Eh

@rakyll rakyll changed the title HTTP/2 cipher suites validation net/http: HTTP/2 cipher suites validation Mar 3, 2016

@rakyll

Member

commented Mar 3, 2016

/cc @bradfitz

@bradfitz bradfitz self-assigned this Apr 10, 2016

@bradfitz bradfitz added this to the Go1.7 milestone Apr 10, 2016

@bradfitz

Member

commented May 18, 2016

why doesn't the http.Server.Serve method return an error when an invalid cipher sequence is used, as in the following example?

Because you used different *tls.Config values for the http.Server and the TLS listener you manually created and passed to http.Server.Serve(net.Listener). Note that crypto/tls.NewListener doesn't return an inspectable type. The http package can't tell what its TLS config is.

There's not much we can do here. At least we'll catch it later at connection accept time. Good enough.

What you can do though is not pass different TLS configs. Or just use ListenAndServeTLS and don't worry about creating your own listener.
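
The remedy bradfitz describes, one *tls.Config shared by the http.Server and the listener, with the RFC 7540 section 9.2.2 cipher suite rules checked up front, as an added example. This is not code from the issue, the playground link, or the Go project; ValidateHTTP2CipherSuites, NewServerListener and the http2ApprovedSuites set are hypothetical helpers written here, and the sample configs in main are constructed. The approved set encodes the RFC's requirement of ephemeral key exchange plus an AEAD cipher; everything else crypto/tls offers for TLS 1.2 is on the RFC 7540 Appendix A black list.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net"
	"net/http"
)

// http2ApprovedSuites (hypothetical) lists the TLS 1.2 suites in crypto/tls that
// meet RFC 7540 section 9.2.2: ephemeral (ECDHE) key exchange with an AEAD cipher.
// The remaining TLS 1.2 suites (RSA key exchange, CBC, RC4, 3DES) are black-listed.
var http2ApprovedSuites = map[uint16]bool{
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:   true,
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: true,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:   true,
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: true,
	tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305:    true,
	tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305:  true,
}

var errMissingMTI = errors.New("http2: CipherSuites is missing the mandatory TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256")

// ValidateHTTP2CipherSuites (hypothetical helper) applies the RFC 7540 rules to an
// explicit CipherSuites list: the mandatory-to-implement suite must be present, and
// no black-listed suite may be preferred over an approved one, otherwise a client
// can end up negotiating a black-listed suite for h2 and failing the connection
// with INADEQUATE_SECURITY. A nil list means crypto/tls defaults and is accepted.
func ValidateHTTP2CipherSuites(cfg *tls.Config) error {
	if cfg == nil || cfg.CipherSuites == nil {
		return nil
	}
	haveMTI, sawBad := false, false
	for i, cs := range cfg.CipherSuites {
		if cs == tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 {
			haveMTI = true
		}
		if !http2ApprovedSuites[cs] {
			sawBad = true
			continue
		}
		if sawBad {
			return fmt.Errorf("http2: approved cipher suite %#04x at index %d is ordered after a black-listed one", cs, i)
		}
	}
	if !haveMTI {
		return errMissingMTI
	}
	return nil
}

// NewServerListener (hypothetical helper) builds the TLS listener and the
// http.Server from ONE *tls.Config after validating it. The config net/http sees
// and the config the listener enforces are then the same object, so a bad suite
// list fails here at startup instead of at connection accept time.
func NewServerListener(inner net.Listener, cfg *tls.Config, h http.Handler) (*http.Server, net.Listener, error) {
	if err := ValidateHTTP2CipherSuites(cfg); err != nil {
		return nil, nil, err
	}
	// Serve only speaks HTTP/2 on a *tls.Conn whose config advertised "h2"
	// (documented on http.Server.Serve), so advertise it if nothing was set.
	if cfg.NextProtos == nil {
		cfg.NextProtos = []string{"h2", "http/1.1"}
	}
	return &http.Server{Handler: h, TLSConfig: cfg}, tls.NewListener(inner, cfg), nil
}

func main() {
	// Constructed configs: two shapes of list the check rejects, and one it accepts
	// (a black-listed suite is tolerated only behind the approved ones).
	cases := map[string]*tls.Config{
		"missing MTI":  {CipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384}},
		"bad ordering": {CipherSuites: []uint16{tls.TLS_RSA_WITH_AES_128_CBC_SHA, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}},
		"ok":           {CipherSuites: []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, tls.TLS_RSA_WITH_AES_128_CBC_SHA}},
	}
	for name, cfg := range cases {
		fmt.Printf("%-13s %v\n", name, ValidateHTTP2CipherSuites(cfg))
	}
}
```

Run the check against the exact *tls.Config you hand to tls.NewListener, before calling Serve; as the thread notes, net/http cannot see the listener's config, so nothing else will catch a mismatch before a client connects.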

@bradfitz bradfitz closed this May 18, 2016

@odeke-em

Member

commented May 18, 2016

Yep, thanks @bradfitz for confirming this. I tried solving this last weekend, but in vain, with the same conclusion that we can inspect the listener from crypto/tls.NewListener.

@golang golang locked and limited conversation to collaborators May 18, 2017
