-
Notifications
You must be signed in to change notification settings - Fork 0
Capability Matrix
本文说明 wknet 当前支持什么、默认开启什么、以及哪些行为会被拒绝。章节按状态分组,便于对照集成需求。
- 已实现 — 当前可用;除非另有说明,按默认配置即可使用
- 默认关闭 — 已实现,但需显式开启
- 策略拒绝 — 出于协议或安全策略会拒绝的请求/响应
- 当前不支持 — 现阶段未提供
定位:HTTP/HTTPS/WebSocket/SSE 客户端。传输主路径为 WSK,密码学主路径为 CNG/BCrypt;不使用 WinHTTP、WinINet 或 SChannel。信任锚、CA 包、pin 与撤销证据由调用方提供。同步路径要求 PASSIVE_LEVEL。
- 请求体:
Content-Length、库生成 chunked、流式BodyCreateStream/RequestSetBodySource;用户手设Transfer-Encoding/TE会被拒绝。 - 请求 trailer:仅 chunked 路径;禁止字段与 CRLF 注入拒绝。
- 响应:状态行仅 HTTP/1.0/1.1;头行/头段/头数有界;拒绝 obs-fold;多
Content-Length或TE+CL冲突 →STATUS_INVALID_NETWORK_RESPONSE。 - Body 框定:CL / chunked / close-delimited;无 body:1xx、204、205、304、HEAD。
-
206/Content-Range只读解析;Range 与条件请求 helper;可选 RFC 9111 内存 cache 参与验证与 partial 合并。 -
Content-Encoding:gzip/deflate/br/compress/zstd/dcz/aes128gcm/exi/pack200-gzip/identity(最多 2 级,反序解码;膨胀比有界)。 - 中间 1xx(除 101)吞掉重解析;自动 redirect;keep-alive 池复用。
- 代理:HTTPS CONNECT;明文 HTTP absolute-form;
Proxy-Authorization仅来自显式配置。
- 前导 + SETTINGS;客户端
ENABLE_PUSH=0;CONTINUATION 洪泛防护;流控与伪头校验。 - 连接池 stream 租约:同源 H2 多请求;DATA 按流控与
MAX_FRAME_SIZE切分;请求 trailer 以 final HEADERS 发送。 - 模式:TLS ALPN
h2;h2c prior knowledge / Upgrade 为 opt-in(见下节)。 - RFC 8441 extended CONNECT:对端
SETTINGS_ENABLE_CONNECT_PROTOCOL=1时可供 WebSocket。 - GOAWAY/
REFUSED_STREAM→ 可STATUS_RETRY;高层仅安全方法重试一次。
- WSK Datagram + 内核 CNG 主路径;QUIC v1 包/帧、TLS 1.3 over QUIC、ACK/loss/PTO、流控、CID、关闭状态机。
- HTTP/3:控制/QPACK 关键单向流、SETTINGS、HEADERS/DATA、1xx、trailer、GOAWAY/取消;server push 会被拒绝。
- 默认
Http3ConnectMode::Auto:首次 HTTPS 使用 TCP;只有通过证书与 TLS 策略校验的响应中的精确h3Alt-Svc 会被缓存。DNS/UDP 可指向 alternative,SNI、证书校验与:authority仍绑定原 origin。 - 以下情况不使用 HTTP/3:
CertPolicy::NoVerify、HTTP 代理、明文 HTTP、h2c、WebSocket、非 HTTP ALPN、带Http2Priority的请求。 - 回落 TCP 仅在请求尚未发送,或满足一次安全重放规则时允许。
- ws/wss;Accept 常量时间比对;子协议;调用方 opening headers(拒绝库受控头)。
-
wss默认可 offerh2,http/1.1→ RFC 8441 或回落 HTTP/1.1 Upgrade;ws://不隐式 h2c。 - 分片发送/可选分片接收;自动 Pong;UTF-8/长度/控制帧上限;主动/被动 close。
- 握手 3xx/401/407 不自动跟随 →
STATUS_NOT_SUPPORTED。
-
wknet::sse::SseClient:Connect/Receive/Close;仅 GET;默认要求Content-Type: text/event-stream。 - 解析:半包、comment、
id/event/data/retry、多行 data;Last-Event-ID跟踪与重连注入。 - 自动重连默认开;指数退避 + 尊重
retry:;HTTP 4xx open 失败不重连;Close中止 delay。 - 超时:
ConnectTimeoutMs/Body空闲IdleTimeoutMs/ 单次ReceiveTimeoutMs分字段(不再把整条长流绑在 30s 总 deadline)。 - 底层响应体为真增量:
SendOptions.OnBody在启用时按到达顺序多次回调,finalChunk仅在结束时为 true。 - 首版:identity Content-Encoding;无 SSE 服务端;无 POST body 型 SSE。
- TLS 1.2/1.3 单版本路径;无握手内自动降级;EMS + 安全重协商指示;CBC 须 EtM。
- 证书:有界链、主机名(IP→iPAddress SAN only;域名不回退 CN)、离线撤销证据、SPKI pin、mTLS 回调签名(私钥不入库)。
- 密码学:CNG 优先;ChaCha20-Poly1305、X25519 等内核软件补齐;最小 RSA 2048。
| 行为 | 默认 |
|---|---|
MaxRedirects |
10;用尽返回当前 3xx,不报错 |
| HTTPS→HTTP redirect | 拒绝 |
| Stale retry | 仅 GET/HEAD/OPTIONS,恰好一次 |
| close-delimited / 101 | 不回池 |
| TRACE |
关(SendFlagAllowTrace) |
| 同步 IRQL | PASSIVE_LEVEL |
默认关闭的能力,以及对应配置字段。头文件:Types.h、Cache.h、websocket/WebSocket.h。
| 能力 | 配置对象 | 字段 / 用法 |
|---|---|---|
Expect: 100-continue |
SendOptions |
Flags |= SendFlagExpectContinue;可选 ExpectContinueTimeoutMs(默认 1000) |
| TRACE | SendOptions |
Flags |= SendFlagAllowTrace(仍拒绝 body / trailer / 敏感头) |
| HTTP/1.1 pipeline | SessionConfig |
EnableHttp11Pipeline = true;Http11PipelineMaxDepth(默认 4,上限 64);Http11PipelineMethodMask(默认 GET|HEAD|OPTIONS) |
| h2c | SendOptions |
Http2CleartextMode = PriorKnowledge 或 Upgrade
|
| HTTP/2 PING 保活 | SessionConfig |
Http2KeepAlive.Enabled = true;IdleMs / IntervalMs / AckTimeoutMs(默认各 30000 / 30000 / 5000) |
| HTTP/2 priority | SendOptions |
Http2Priority 指向 Http2Priority{ StreamDependency, Weight(1..256), Exclusive }
|
| permessage-deflate | ConnectConfig |
PerMessageDeflate.Enable = true;可选 Client/ServerNoContextTakeover、Client/ServerMaxWindowBits(8..15) |
| TLS 1.2 兼容套件 / 重协商 | TlsConfig.Policy |
Profile = CompatibilityExplicit,再开 EnableTls12RsaKeyExchange / EnableTls12Cbc / EnableTls12Sha1Signatures / EnableTls12Renegotiation;TlsConfig.MaxTls12Renegotiations(默认 1,上限 4) |
| post-handshake client auth | TlsConfig.Policy |
EnablePostHandshakeClientAuth = true,并设置 TlsConfig.ClientCredential
|
| 强撤销 | TlsConfig.Policy |
RequireRevocationCheck = true;调用方提供可验证 OCSP/CRL 证据 |
| 内存 cache |
SessionConfig / SendOptions
|
CacheCreate 后赋给 SessionConfig.Cache;单次可用 SendFlagBypassCache / NoCacheStore / OnlyIfCached 或 SendOptions.Cache
|
示例:
// 单次发送
wknet::http::SendOptions* options = nullptr;
wknet::http::SendOptionsCreate(&options);
options->Flags |= wknet::http::SendFlagExpectContinue;
options->ExpectContinueTimeoutMs = 1000;
options->Flags |= wknet::http::SendFlagAllowTrace;
options->Http2CleartextMode = wknet::http::Http2CleartextMode::PriorKnowledge;
wknet::http::Http2Priority priority = {};
priority.Weight = 16;
options->Http2Priority = &priority;
wknet::http::SendEx(session, wknet::http::Method::Get,
url, urlLen, nullptr, nullptr, options, &response);
wknet::http::SendOptionsRelease(options);
// 会话
wknet::http::SessionConfig config = wknet::http::DefaultSessionConfig();
config.EnableHttp11Pipeline = true;
config.Http11PipelineMaxDepth = 4;
config.Http11PipelineMethodMask =
wknet::http::Http11PipelineMethodGet |
wknet::http::Http11PipelineMethodHead |
wknet::http::Http11PipelineMethodOptions;
config.Http2KeepAlive.Enabled = true;
config.Tls.Policy.Profile = wknet::http::TlsSecurityProfile::CompatibilityExplicit;
config.Tls.Policy.EnableTls12Cbc = true;
config.Tls.Policy.RequireRevocationCheck = true;
wknet::http::Cache* cache = nullptr;
wknet::http::CacheOptions cacheOptions = {};
cacheOptions.MaxBytes = 16 * 1024 * 1024;
cacheOptions.MaxEntries = 256;
cacheOptions.Mode = wknet::http::CacheMode::Private;
wknet::http::CacheCreate(&cacheOptions, &cache);
config.Cache = cache;
wknet::http::Session* session = nullptr;
wknet::http::SessionCreate(&config, &session);
// WebSocket
wknet::websocket::ConnectConfig cfg = wknet::websocket::DefaultConnectConfig();
cfg.Url = "wss://example.com/ws";
cfg.UrlLength = 18;
cfg.PerMessageDeflate.Enable = true;
wknet::websocket::WebSocket* ws = nullptr;
wknet::websocket::ConnectEx(session, &cfg, &ws);TLS 1.3 0-RTT(EnableEarlyData / EarlyDataReplaySafe)仅存在于内部 TLS 连接选项,未映射到 TlsConfig / SendOptions,产品 HTTP API 不能开启。HTTP/3 应用数据 0-RTT 见「当前不支持」。
下列行为会被拒绝;这是既定策略,不表示实现缺失。
| 行为 | 处理 |
|---|---|
用户手写请求 Transfer-Encoding / TE
|
拒绝;framing 由库生成 |
HTTP br 作 Transfer-Encoding |
拒绝;br 仅 Content-Encoding |
HTTP/2 PUSH_PROMISE
|
协议错误 |
| 未请求/非法 WebSocket 扩展 | 拒绝 |
| WS 握手 redirect / 401 / 407 自动跟随 | STATUS_NOT_SUPPORTED |
| TLS 握手内 1.3→1.2 自动降级 | 不做;仅可验证证据后上层显式重连 |
| 证书:IP 用 dNSName/CN;域名回退 CN | 不做 |
| HTTPS→HTTP 自动 redirect | 默认拒绝 |
| 在线 OCSP/CRL 抓取 | 库从不发起 |
| 能力 | 说明 |
|---|---|
| HTTP server / 入站 request parser | 客户端库,不提供服务端 |
| SSE 服务端 / POST body 型 SSE | 仅客户端 GET event-stream |
| 磁盘持久化 HTTP cache | 仅有内存 NonPaged cache 对象 |
| HTTP/2 本地 priority 树带宽调度 | 不实现 |
| 除 permessage-deflate 外的 WS 扩展 | 不协商其它扩展 |
| 在线撤销抓取 | 库不发起 OCSP/CRL 网络请求 |
| 流式 Content-Encoding(SSE/OnBody 路径 gzip/br 等) | 首版要求 identity;架构可扩展 |
| QUIC v2、H3 0-RTT 应用数据、主动迁移、多路径、ECN、DPLPMTUD、WebTransport、QUIC Datagram、WebSocket over H3 | 当前不支持 |
| WinHTTP / WinINet / SChannel 内核主路径 | 不使用 |
| 独立 client 层 / 第二套连接生命周期 | 不提供 |
- 传输:WSK。TLS/HTTP/证书:内核路径自实现。
- 密码学:CNG/BCrypt 优先,缺口由内核软件实现补齐。
- 信任:调用方显式提供锚、CA 包、撤销证据与 pin;库不硬编码系统 CA。
方向摘要见 路线图。能力现状以本页账本为准。
This page describes what wknet supports today, what is enabled by default, and which behaviors are rejected. Sections are grouped by status for integration review.
- Implemented — available now; usable under default configuration unless noted
- Default-off — implemented, but must be enabled explicitly
- Policy rejection — requests or responses rejected by protocol or security policy
- Not supported — not provided in the current release
Scope: HTTP/HTTPS/WebSocket/SSE client. Transport main path is WSK; cryptography main path is CNG/BCrypt. WinHTTP, WinINet, and SChannel are not used. Trust anchors, CA bundles, pins, and revocation evidence are caller-supplied. Synchronous paths require PASSIVE_LEVEL.
- Request bodies:
Content-Length, library-generated chunked, streamingBodyCreateStream/RequestSetBodySource; caller-suppliedTransfer-Encoding/TEis rejected. - Request trailers: chunked path only; forbidden fields and CRLF injection rejected.
- Responses: status line HTTP/1.0/1.1 only; bounded header line/block/count; obs-fold rejected; multiple
Content-LengthorTE+CLconflict →STATUS_INVALID_NETWORK_RESPONSE. - Body framing: CL / chunked / close-delimited; no body for 1xx, 204, 205, 304, HEAD.
- Read-only
206/Content-Range; Range and conditional helpers; optional RFC 9111 in-memory cache participates in validation and partial combining. -
Content-Encoding: gzip/deflate/br/compress/zstd/dcz/aes128gcm/exi/pack200-gzip/identity (max two layers, reverse decode; bounded expansion). - Interim 1xx (except 101) swallowed and reparsed; automatic redirects; keep-alive pool reuse.
- Proxy: HTTPS CONNECT; cleartext HTTP absolute-form;
Proxy-Authorizationonly from explicit config.
- Preface + SETTINGS; client
ENABLE_PUSH=0; CONTINUATION flood guards; flow control and pseudo-header checks. - Pooled stream leases: multiple same-origin H2 requests; DATA sliced by flow control and
MAX_FRAME_SIZE; request trailers as final HEADERS. - Modes: TLS ALPN
h2; h2c prior knowledge / Upgrade are opt-in (next section). - RFC 8441 extended CONNECT when peer advertises
SETTINGS_ENABLE_CONNECT_PROTOCOL=1(WebSocket). - GOAWAY/
REFUSED_STREAMmay yieldSTATUS_RETRY; high level fresh-retries safe methods once only.
- WSK Datagram + kernel CNG main path; QUIC v1 packets/frames, TLS 1.3 over QUIC, ACK/loss/PTO, flow control, CIDs, close state machine.
- HTTP/3: critical control/QPACK unidirectional streams, SETTINGS, HEADERS/DATA, 1xx, trailers, GOAWAY/cancel; server push is rejected.
- Default
Http3ConnectMode::Auto: first HTTPS uses TCP; only an exacth3Alt-Svc from a response that already passed certificate and TLS-policy checks is cached. DNS/UDP may target the alternative; SNI, certificate checks, and:authorityremain bound to the origin. - HTTP/3 is not used for
CertPolicy::NoVerify, HTTP proxies, cleartext HTTP, h2c, WebSocket, non-HTTP ALPN, or requests withHttp2Priority. - TCP fallback is allowed only while the request is still unsent, or when the one-replay safety rules apply.
- ws/wss; constant-time Accept compare; subprotocols; caller opening headers (library-controlled headers rejected).
-
wssmay offerh2,http/1.1→ RFC 8441 or fall back to HTTP/1.1 Upgrade;ws://never implicitly uses h2c. - Fragmented send / optional fragment receive; auto-Pong; UTF-8/length/control-frame limits; active/passive close.
- Handshake 3xx/401/407 are not auto-followed →
STATUS_NOT_SUPPORTED.
-
wknet::sse::SseClient:Connect/Receive/Close; GET only; default requiresContent-Type: text/event-stream. - Parser: partial chunks, comments,
id/event/data/retry, multi-line data;Last-Event-IDtracking and reconnect injection. - Auto-reconnect on by default; exponential backoff +
retry:; no reconnect on HTTP 4xx open;Closeaborts delay. - Timeouts: separate
ConnectTimeoutMs/ body idleIdleTimeoutMs/ per-ReceiveTimeoutMs(long streams are not bound to a single 30s whole-response deadline). - Response bodies are truly incremental: when set,
SendOptions.OnBodyis invoked multiple times in arrival order;finalChunkis true only at the real end. - First release: identity Content-Encoding; no SSE server; no POST-body SSE.
- TLS 1.2/1.3 single-version path; no in-handshake automatic downgrade; EMS + secure renegotiation indication; CBC requires EtM.
- Certificates: bounded chains, hostnames (IP → iPAddress SAN only; DNS names do not fall back to CN), offline revocation evidence, SPKI pins, mTLS callback signatures (private keys remain with the caller).
- Crypto: CNG first; ChaCha20-Poly1305, X25519, and similar filled by in-kernel software; minimum RSA 2048.
| Behavior | Default |
|---|---|
MaxRedirects |
10; exhausted hops return the current 3xx without error |
| HTTPS→HTTP redirect | Rejected |
| Stale retry | GET/HEAD/OPTIONS only, exactly once |
| close-delimited / 101 | Not returned to the pool |
| TRACE |
Off (SendFlagAllowTrace) |
| Sync IRQL | PASSIVE_LEVEL |
Features that are implemented but disabled by default, with the fields that enable them. Headers: Types.h, Cache.h, websocket/WebSocket.h.
| Capability | Object | Fields / usage |
|---|---|---|
Expect: 100-continue |
SendOptions |
Flags |= SendFlagExpectContinue; optional ExpectContinueTimeoutMs (default 1000) |
| TRACE | SendOptions |
Flags |= SendFlagAllowTrace (body / trailers / sensitive headers still rejected) |
| HTTP/1.1 pipeline | SessionConfig |
EnableHttp11Pipeline = true; Http11PipelineMaxDepth (default 4, cap 64); Http11PipelineMethodMask (default GET|HEAD|OPTIONS) |
| h2c | SendOptions |
Http2CleartextMode = PriorKnowledge or Upgrade
|
| HTTP/2 PING keepalive | SessionConfig |
Http2KeepAlive.Enabled = true; IdleMs / IntervalMs / AckTimeoutMs (defaults 30000 / 30000 / 5000) |
| HTTP/2 priority | SendOptions |
Http2Priority → Http2Priority{ StreamDependency, Weight(1..256), Exclusive }
|
| permessage-deflate | ConnectConfig |
PerMessageDeflate.Enable = true; optional Client/ServerNoContextTakeover, Client/ServerMaxWindowBits (8..15) |
| TLS 1.2 compatibility / renegotiation | TlsConfig.Policy |
Profile = CompatibilityExplicit, then EnableTls12RsaKeyExchange / EnableTls12Cbc / EnableTls12Sha1Signatures / EnableTls12Renegotiation; TlsConfig.MaxTls12Renegotiations (default 1, cap 4) |
| post-handshake client auth | TlsConfig.Policy |
EnablePostHandshakeClientAuth = true, plus TlsConfig.ClientCredential
|
| Hard revocation | TlsConfig.Policy |
RequireRevocationCheck = true; caller supplies verifiable OCSP/CRL evidence |
| In-memory cache |
SessionConfig / SendOptions
|
CacheCreate → SessionConfig.Cache; per-send SendFlagBypassCache / NoCacheStore / OnlyIfCached or SendOptions.Cache
|
Examples:
// Per send
wknet::http::SendOptions* options = nullptr;
wknet::http::SendOptionsCreate(&options);
options->Flags |= wknet::http::SendFlagExpectContinue;
options->ExpectContinueTimeoutMs = 1000;
options->Flags |= wknet::http::SendFlagAllowTrace;
options->Http2CleartextMode = wknet::http::Http2CleartextMode::PriorKnowledge;
wknet::http::Http2Priority priority = {};
priority.Weight = 16;
options->Http2Priority = &priority;
wknet::http::SendEx(session, wknet::http::Method::Get,
url, urlLen, nullptr, nullptr, options, &response);
wknet::http::SendOptionsRelease(options);
// Session
wknet::http::SessionConfig config = wknet::http::DefaultSessionConfig();
config.EnableHttp11Pipeline = true;
config.Http11PipelineMaxDepth = 4;
config.Http11PipelineMethodMask =
wknet::http::Http11PipelineMethodGet |
wknet::http::Http11PipelineMethodHead |
wknet::http::Http11PipelineMethodOptions;
config.Http2KeepAlive.Enabled = true;
config.Tls.Policy.Profile = wknet::http::TlsSecurityProfile::CompatibilityExplicit;
config.Tls.Policy.EnableTls12Cbc = true;
config.Tls.Policy.RequireRevocationCheck = true;
wknet::http::Cache* cache = nullptr;
wknet::http::CacheOptions cacheOptions = {};
cacheOptions.MaxBytes = 16 * 1024 * 1024;
cacheOptions.MaxEntries = 256;
cacheOptions.Mode = wknet::http::CacheMode::Private;
wknet::http::CacheCreate(&cacheOptions, &cache);
config.Cache = cache;
wknet::http::Session* session = nullptr;
wknet::http::SessionCreate(&config, &session);
// WebSocket
wknet::websocket::ConnectConfig cfg = wknet::websocket::DefaultConnectConfig();
cfg.Url = "wss://example.com/ws";
cfg.UrlLength = 18;
cfg.PerMessageDeflate.Enable = true;
wknet::websocket::WebSocket* ws = nullptr;
wknet::websocket::ConnectEx(session, &cfg, &ws);TLS 1.3 0-RTT (EnableEarlyData / EarlyDataReplaySafe) exists only on internal TLS connection options and is not mapped to TlsConfig / SendOptions, so the product HTTP API cannot enable it. HTTP/3 application-data 0-RTT is listed under “Not supported”.
The following behaviors are rejected by design. Rejection here is policy, not a missing implementation.
| Behavior | Handling |
|---|---|
Caller-written request Transfer-Encoding / TE
|
Rejected; the library owns framing |
HTTP br as Transfer-Encoding |
Rejected; br is Content-Encoding only |
HTTP/2 PUSH_PROMISE
|
Protocol error |
| Unrequested/invalid WebSocket extensions | Rejected |
| Auto-follow WS handshake redirect / 401 / 407 | STATUS_NOT_SUPPORTED |
| In-handshake TLS 1.3→1.2 automatic downgrade | Not done; only verified evidence allows explicit upper-layer reconnect |
| Cert matching: IP via dNSName/CN; DNS via CN fallback | Not done |
| Automatic HTTPS→HTTP redirect | Rejected by default |
| Online OCSP/CRL fetch | Library never initiates |
| Capability | Notes |
|---|---|
| HTTP server / inbound request parser | Client library; no server role |
| SSE server / POST-body SSE | Client GET event-stream only |
| On-disk persistent HTTP cache | In-memory NonPaged cache objects only |
| Local HTTP/2 priority-tree bandwidth scheduling | Not implemented |
| WebSocket extensions other than permessage-deflate | Not negotiated |
| Online revocation fetching | Library does not initiate OCSP/CRL network fetch |
| Streaming Content-Encoding on SSE/OnBody paths (gzip/br, …) | First release requires identity; architecture can grow |
| QUIC v2, H3 0-RTT application data, active migration, multipath, ECN, DPLPMTUD, WebTransport, QUIC Datagram, WebSocket over H3 | Not supported |
| WinHTTP / WinINet / SChannel as kernel main path | Not used |
| Separate client layer / second connection lifecycle | Not provided |
- Transport: WSK. TLS/HTTP/certificates: kernel-path implementations.
- Cryptography: CNG/BCrypt first; gaps filled by in-kernel software.
- Trust: callers explicitly supply anchors, CA bundles, revocation evidence, and pins; the library never hard-codes system CAs.
Direction summary: roadmap. For capability status, use this matrix.
-
开始使用 / Get Started
-
概念与行为 / Concepts
-
协议指南 / Protocols
-
API 参考 / API Reference
-
贡献与项目 / Contribute