crypto/tls: cannot enforce "h2" with ALPN #59734
Comments
cc @golang/security
You should be able to enforce the selection of h2 with a Config.GetConfigForClient or Config.VerifyConnection callback, either by requiring the presence of h2 in the ClientHelloInfo.SupportedProtos or by requiring that ConnectionState.NegotiatedProtocol is h2, respectively.
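As an added example (not code from this issue, the reporter, or the Go project), the following applies the two callbacks suggested in the comment above and replays the reporter's four openssl s_client cases over a loopback TCP connection. The server config, the throwaway certificate and the TryHandshake harness are constructed for the demo; the only crypto/tls features used are Config.GetConfigForClient, ClientHelloInfo.SupportedProtos, Config.VerifyConnection and ConnectionState.NegotiatedProtocol, which are the ones named in the comment.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// NewH2OnlyConfig builds a server config that aborts the handshake unless the client
// offers "h2" via ALPN (stock crypto/tls finishes with NegotiatedProtocol == "" instead).
func NewH2OnlyConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		NextProtos:   []string{"h2"},
		MinVersion:   tls.VersionTLS12,
		// Runs once the ClientHello is parsed, before any server flight; an error aborts with an alert.
		GetConfigForClient: func(chi *tls.ClientHelloInfo) (*tls.Config, error) {
			for _, p := range chi.SupportedProtos {
				if p == "h2" {
					return nil, nil // nil config: keep using this one
				}
			}
			return nil, fmt.Errorf("tls: client requested unsupported application protocols (%v)", chi.SupportedProtos)
		},
		// Second check on the finished negotiation; survives a later edit that widens NextProtos.
		VerifyConnection: func(cs tls.ConnectionState) error {
			if cs.NegotiatedProtocol != "h2" {
				return fmt.Errorf("tls: negotiated protocol %q is not h2", cs.NegotiatedProtocol)
			}
			return nil
		},
	}
}

// SelfSignedCert mints a throwaway ECDSA P-256 certificate for localhost (constructed
// for this demo in place of the report's cert.crt/cert.key files).
func SelfSignedCert() tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// TryHandshake performs one handshake over loopback TCP with a client offering clientProtos
// via ALPN (nil = no ALPN extension, like a bare openssl s_client); it returns the protocol
// the server negotiated plus the server-side error.
func TryHandshake(srvCfg *tls.Config, clientProtos []string) (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	var srv *tls.Conn
	done := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err == nil {
			defer raw.Close()
			srv = tls.Server(raw, srvCfg)
			err = srv.Handshake()
		}
		done <- err
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return "", err
	}
	defer raw.Close()
	cli := tls.Client(raw, &tls.Config{
		NextProtos:         clientProtos,
		InsecureSkipVerify: true, // demo only: the certificate above is self-signed
	})
	_ = cli.Handshake() // a rejected client sees "remote error: tls: internal error"
	if err := <-done; err != nil {
		return "", err
	}
	return srv.ConnectionState().NegotiatedProtocol, nil
}

func main() {
	cfg := NewH2OnlyConfig(SelfSignedCert())
	for _, protos := range [][]string{nil, {"http/1.1"}, {"foo"}, {"h2"}, {"http/1.1", "h2"}} {
		proto, err := TryHandshake(cfg, protos)
		fmt.Printf("client ALPN %v: negotiated %q, server error: %v\n", protos, proto, err)
	}
}
```

Because GetConfigForClient runs before the server sends its certificate, a client that offers only http/1.1, or no ALPN at all, is refused inside the handshake with a single error path and a single log line, rather than at a higher layer after the connection is already established. The VerifyConnection check cannot trip while the first callback is present; it is there so that widening NextProtos later does not silently reopen the gap.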
thx this helped a lot. I've tested both:
What is missing is a callback
May be related to #16588 where I identified some issues with NextProtos handling and h2, namely that it's impossible to force h2 when using custom ALPN. There is a workaround documented there; the Go team did not want to change the code in the stdlib even though IMO it wouldn't be a backwards compat issue because it literally doesn't work (unless they have since fixed it). Basically: manually configure the transport with the
What version of Go are you using (go version)?
Does this issue reproduce with the latest release?
yes
What operating system and processor architecture are you using (go env)?
What did you do?
go run main.go cert.crt cert.key
then from another terminal:
echo HELLO | openssl s_client -connect localhost:8765
echo HELLO | openssl s_client -connect localhost:8765 -alpn http/1.1
echo HELLO | openssl s_client -connect localhost:8765 -alpn foo
echo HELLO | openssl s_client -connect localhost:8765 -alpn h2
What did you expect to see?
main.go:50: tls: client requested unsupported application protocols ([])
...
main.go:50: tls: client requested unsupported application protocols ([http/1.1])
...
main.go:50: tls: client requested unsupported application protocols ([foo])
...
main.go:54: negociated protocol = h2
What did you see instead?
main.go:54: negociated protocol =
...
main.go:54: negociated protocol =
...
main.go:50: tls: client requested unsupported application protocols ([foo])
...
main.go:54: negociated protocol = h2
With current crypto/tls, and since https://go-review.googlesource.com/c/go/+/325432 (see #46310), we cannot enforce h2 and drop clients asking for http/1.1. crypto/tls has been specialized/hardcoded for net/http instead of being agnostic. Also there should be an option to accept or not clients with no ALPN when the server has ALPN.
In the current state, we have to either clone crypto/tls and modify it, or drop the connection at a higher level (which leads to different behaviors/tests, log messages, impact on client & server code, etc.).