
x/net/http2: expose which TLS cipher suites are HTTP/2 safe #41068

@noneymous

Description

Launching a web server with the SSL ciphers list taken from the TLS package does not work. I get the following error, that I can't get around programmatically:

http2: TLSConfig.CipherSuites index 5 contains an HTTP/2-approved cipher suite (0x1301), but it comes after unapproved cipher suites. With this configuration, clients that don't support previous, approved cipher suites may be given an unapproved one and reject the connection.

What version of Go are you using (go version)?

1.14

Does this issue reproduce with the latest release?

yes (1.15)

What operating system and processor architecture are you using (go env)?

go env Output
set GOHOSTARCH=amd64
set GOHOSTOS=windows

What did you do?

I tried to launch a web server with a custom TLS config, with ciphers taken from tls.CipherSuites(). I do have one of these 2 dead ends:

  • Ciphers returned by tls.CipherSuites() are not in a suitable order with HTTP/2-approved ciphers first (I guess, they are not intended to be).
  • http2isBadCipher() in /net/http/h2_bundle.go is not exposed, so I can't sort ciphers accordingly on my own (I don't want to copy that function, because it seems it could get updated over time).

Here is a sample snippet:

	package main

	import (
		"crypto/tls"
		"net/http"
	)

	func main() {
		// Listen address and handler are stand-ins for the snippet's
		// otherwise undefined "listen" and "mux" variables
		listen := ":8443"
		mux := http.NewServeMux()

		// Prepare list of accepted cipher suites
		var ciphers []uint16
		for _, cipher := range tls.CipherSuites() {
			if !cipher.Insecure {
				ciphers = append(ciphers, cipher.ID)
			}
		}

		// Create TLS config
		tlsConf := &tls.Config{
			MinVersion:   tls.VersionTLS13,
			MaxVersion:   tls.VersionTLS13,
			CipherSuites: ciphers,
		}

		// Create TLS web server
		server := &http.Server{Addr: listen, Handler: mux, TLSConfig: tlsConf}

		// Start TLS web server; with the suite order produced above this
		// returns the http2 ordering error quoted in the description
		_ = server.ListenAndServeTLS("cert.crt", "cert.key")
	}

What did you expect to see?

I just couldn't find a way to programmatically order the ciphers as required, with the means available.

What did you see instead?

A critical error and program termination.
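The following is an added example, not code from the issue author or from the Go project, showing one way to get past both dead ends without copying `http2isBadCipher()`: keep an explicit allow-list of the suites crypto/tls ships that RFC 7540 Appendix A does not exclude (the TLS 1.3 suites and the TLS 1.2 ECDHE suites with an AEAD cipher), stable-partition the list so approved suites come first, and run the same "no approved suite after an unapproved one" rule the quoted error describes before the server starts. The allow-list `http2Approved` and the function names `OrderForHTTP2`, `CheckHTTP2Order` and `SecureSuitesForHTTP2` are this example's own; the allow-list is an approximation of the package's unexported deny-list and, as the issue notes, has to be revisited when that list changes. One caveat worth knowing: `tls.Config.CipherSuites` only governs TLS 1.0 to 1.2 (Go does not let it restrict TLS 1.3 suites), yet the http2 startup check still inspects the whole list, which is why the TLS 1.3-only config in the description still trips it.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// http2Approved is this example's own allow-list (an assumption, not the
// net/http package's list) of suites crypto/tls offers that RFC 7540
// Appendix A does not exclude: TLS 1.3 suites plus TLS 1.2 ECDHE suites
// with an AEAD cipher. Everything else crypto/tls knows (RSA key exchange,
// CBC modes, 3DES, RC4) is treated as unapproved for HTTP/2.
var http2Approved = map[uint16]bool{
	tls.TLS_AES_128_GCM_SHA256:                        true,
	tls.TLS_AES_256_GCM_SHA384:                        true,
	tls.TLS_CHACHA20_POLY1305_SHA256:                  true,
	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256:       true,
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384:       true,
	tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: true,
	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256:         true,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384:         true,
	tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256:   true,
}

// OrderForHTTP2 returns a copy of ids with every approved suite moved ahead
// of every unapproved one. Relative order inside each group is preserved,
// so the caller's preference order among approved suites survives.
func OrderForHTTP2(ids []uint16) []uint16 {
	out := make([]uint16, 0, len(ids))
	for _, id := range ids {
		if http2Approved[id] {
			out = append(out, id)
		}
	}
	for _, id := range ids {
		if !http2Approved[id] {
			out = append(out, id)
		}
	}
	return out
}

// CheckHTTP2Order applies the rule the http2 startup error describes: once
// an unapproved suite has been seen, no approved suite may follow it.
// It returns -1 when the list is acceptable, otherwise the index of the
// first approved suite that sits behind an unapproved one.
func CheckHTTP2Order(ids []uint16) int {
	sawBad := false
	for i, id := range ids {
		switch {
		case !http2Approved[id]:
			sawBad = true
		case sawBad:
			return i
		}
	}
	return -1
}

// SecureSuitesForHTTP2 builds the list the issue's snippet wanted: every
// suite crypto/tls does not mark Insecure, in an order the check accepts.
func SecureSuitesForHTTP2() []uint16 {
	var ids []uint16
	for _, cs := range tls.CipherSuites() {
		if !cs.Insecure {
			ids = append(ids, cs.ID)
		}
	}
	return OrderForHTTP2(ids)
}

func main() {
	ids := SecureSuitesForHTTP2()
	for i, id := range ids {
		fmt.Printf("%2d %#04x %-45s approved=%v\n",
			i, id, tls.CipherSuiteName(id), http2Approved[id])
	}
	if i := CheckHTTP2Order(ids); i >= 0 {
		fmt.Printf("index %d violates the HTTP/2 ordering rule\n", i)
	}
}
```

Use `SecureSuitesForHTTP2()` as the `CipherSuites` value of the `tls.Config` and call `CheckHTTP2Order` on any hand-written list before handing it to `http.Server`, so a bad order surfaces as a test failure rather than at `ListenAndServeTLS`.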

Labels

NeedsInvestigation: Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
