Skip to content

/ go

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

net/http: HTTP/2 cipher suites validation #14622

Closed
trajber opened this issue Mar 3, 2016 · 3 comments
Closed

net/http: HTTP/2 cipher suites validation #14622

trajber opened this issue Mar 3, 2016 · 3 comments
Assignees
@bradfitz
Labels
FrozenDueToAge
Milestone
Go1.7

Comments

@trajber
Copy link

@trajber trajber commented Mar 3, 2016

If tls.Config.CipherSuites is set with an invalid sequence and the http.Server.TLSConfig is set with it, the http.Server.Serve method returns an error.

Since http.Server.Start will update the http.Server.TLSConfig if it can, why http.Server.Serve method doesn't returns an error when an invalid cipher sequence is used like on the following example?

http://play.golang.org/p/KGe4oi_6Eh
@rakyll rakyll changed the title HTTP/2 cipher suites validation net/http: HTTP/2 cipher suites validation Mar 3, 2016
@rakyll

This comment has been minimized.

Sign in to view
Copy link
Member

@rakyll rakyll commented Mar 3, 2016

/cc @bradfitz
@bradfitz bradfitz self-assigned this Apr 10, 2016
@bradfitz bradfitz added this to the Go1.7 milestone Apr 10, 2016
@bradfitz

This comment has been minimized.

Sign in to view
Copy link
Contributor

@bradfitz bradfitz commented May 18, 2016

why http.Server.Serve method doesn't returns an error when an invalid cipher sequence is used like on the following example?

Because you used different *tls.Config values for the http.Server and the TLS listener you manually created and passed to http.Server.Serve(net.Listener). Note that crypto/tls.NewListener doesn't return an inspectable type. The http package can't tell that what its TLS config is.

There's not much we can do here. At least we'll catch it later at connection accept time. Good enough.

What you can do though is not pass different TLS configs. Or just use ListenAndServeTLS and don't worry about creating your own listener.
@bradfitz bradfitz closed this May 18, 2016
@odeke-em

This comment has been minimized.

Sign in to view
Copy link
Member

@odeke-em odeke-em commented May 18, 2016

Yap, thanks @bradfitz for confirming this. I tried solving this last weekend but in vain with the same conclusion that we can inspect the listener from crypto/tls.NewListener.
@golang golang locked and limited conversation to collaborators May 18, 2017
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@bradfitz bradfitz

Labels
FrozenDueToAge
Projects
None yet
Milestone
  Go1.7
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
5 participants
@trajber @rakyll @bradfitz @odeke-em @gopherbot
You can’t perform that action at this time.