Skip to content

Capability Matrix

x500x edited this page Jun 18, 2026 · 9 revisions

能力边界 / Capability Matrix

English | 简体中文

KernelHttp 以 Windows kernel 主路径实现协议能力:传输层优先 WSK,密码学优先 CNG/BCrypt,不依赖 WinHTTP、WinINet 或 SChannel。默认启用能力显式兼容能力分开记录。


简体中文

协议能力边界

协议 已支持能力 当前边界
HTTP/1.1 Content-Length、显式 chunked 请求体、响应 Transfer-Encoding 链(chunked/gzip/deflate/compress)、close-delimited 响应、HEAD/101/无 body 状态码、中间 1xx 跳过、chunked trailer 语法/禁止字段校验与只读 API 暴露、RFC 3986 相对 redirect 解析 用户设置请求 Transfer-Encoding 会被拒绝;request trailer 暂不支持;不提供入站 request parser/server role;HTTP proxy/CONNECT/TRACE 不在主路径;Range/条件请求仅作为普通 header 透传;Accept-Encoding 不承诺完整 qvalue/content negotiation;br 仅作为 Content-Encoding 支持
HTTP/2 TLS ALPN、h2c prior knowledge / Upgrade、SETTINGS、HEADERS/CONTINUATION、DATA、PING、GOAWAY、WINDOW_UPDATE、HPACK、header block 语义校验、HPACK header-list/table-size 限制 不支持 RFC 8441 WebSocket over HTTP/2、server push、priority 和完整多流调度;禁用的 PUSH_PROMISE 视为协议错误;缺失 SETTINGS ACK 以 SETTINGS_TIMEOUT 关闭;收到 GOAWAY 终止当前单请求连接语义
WebSocket ws/wss 握手、文本/二进制发送、空消息、控制帧校验、公开 Ping/Pong/CloseEx、selected subprotocol 查询、默认接收完整消息 主路径是 HTTP/1.1 Upgrade;不支持自定义 opening handshake headers、扩展协商和接收分片回调;主动 close 发送 close frame 后关闭 transport,收到 peer close 时 echo 后关闭
TLS TLS 1.2/1.3、TLS 1.3 全部标准 cipher suite、TLS 1.2 ECDHE/DHE/RSA key exchange、AES-GCM/AES-CBC/ChaCha20-Poly1305、X25519/X448/NIST P curves/FFDHE、RSA-PSS/RSA-PKCS1/ECDSA/EdDSA、SNI、ALPN、PSK/session ticket、0-RTT 显式 opt-in、KeyUpdate、record padding、客户端证书、OCSP stapling 解析、证书链重排和校验、Name Constraints、certificatePolicies、IDNA、OCSP/CRL 撤销缓存、SPKI pin 默认策略不启用 TLS 1.2 RSA key exchange、CBC 或 renegotiation;仅在 TlsSecurityProfile::CompatibilityExplicit 且相应开关显式开启时可用。库层不硬编码系统 CA;在线撤销获取由调用侧提供有界输入或缓存

未实现 optional 能力

能力 当前处理
WebSocket extensions(如 permessage-deflate) 非目标,服务端返回未请求扩展时拒绝
WebSocket over HTTP/2 RFC 8441 延期,不协商 extended CONNECT
WebSocket 自定义 opening headers 延期;需单独 header validation 和敏感头策略
WebSocket 主动 close handshake 简化语义:发送 close frame 后关闭 transport
WebSocket 接收分片回调 默认聚合为完整消息
HTTP 代理 / CONNECT / TRACE 不在内核客户端主路径内
HTTP 入站 request parser / server role 非目标,本项目为客户端协议栈
HTTP request trailer chunked 上传不携带 request trailer
HTTP/2 full multiplexing / server push / priority 不提供完整多流调度;禁用 push
RFC 9111 cache / Range / conditional request 仅普通透传,不合并或验证语义
Accept-Encoding qvalue/content negotiation 仅默认 decoder 子集
TLS 1.2 RSA key exchange / CBC / renegotiation 已实现但默认关闭,需 CompatibilityExplicit
TLS 1.3 0-RTT 已实现但默认关闭,需显式声明 replay-safe
在线 OCSP/CRL 抓取 库层不主动发起;由调用方提供数据或缓存

关键默认行为

  • Redirect:默认拒绝 HTTPS→HTTP 降级;跨 scheme/host/port 时清理 AuthorizationCookieProxy-Authorization;301/302 默认把 POST 改写为 GET,303 除 HEAD 外改写为 GET,307/308 保留方法和 body。
  • Stale 连接重试:reused stale 连接失败只对 GET/HEAD/OPTIONS 等安全/幂等请求自动 fresh retry;POST/PUT/PATCH/DELETE 不会自动重放。
  • 连接池:close-delimited HTTP/1.x 响应和 101 Switching Protocols 升级响应不回到普通连接池。
  • IRQL:同步 HTTP、WebSocket、TLS 和证书验证路径要求在 PASSIVE_LEVEL 调用。
  • TLS 版本协商:ALPN 结果必须来自客户端 offer 列表;TLS1.2 选择只有在 TLS1.3 路径取得可验证版本协商证据后才允许,不能把证书错误、ALPN mismatch、超时或解密失败当作 TLS1.2-only 结论。
  • 证书主机校验:IP literal 只匹配 iPAddress SAN,不回退到 dNSName 或 CN。

English

Protocol capability boundaries

Protocol Supported Current boundary
HTTP/1.1 Content-Length, explicit chunked request bodies, response Transfer-Encoding chains (chunked/gzip/deflate/compress), close-delimited responses, HEAD/101/no-body status codes, intermediate 1xx skipping, chunked trailer syntax/forbidden-field validation with read-only API, RFC 3986 relative redirect resolution User-supplied request Transfer-Encoding is rejected; request trailers unsupported; no inbound parser/server role; HTTP proxy/CONNECT/TRACE outside main path; Range/conditional requests are pass-through headers; Accept-Encoding is not full qvalue negotiation; br only as Content-Encoding
HTTP/2 TLS ALPN, h2c prior knowledge / Upgrade, SETTINGS, HEADERS/CONTINUATION, DATA, PING, GOAWAY, WINDOW_UPDATE, HPACK, header-block validation, HPACK list/table-size limits No RFC 8441 WebSocket over HTTP/2, server push, priority, or full multiplexing; disabled PUSH_PROMISE is a protocol error; missing SETTINGS ACK closes with SETTINGS_TIMEOUT; GOAWAY terminates the single-request connection
WebSocket ws/wss handshake, text/binary send, empty messages, control-frame validation, public Ping/Pong/CloseEx, selected subprotocol query, complete-message receive Main path is HTTP/1.1 Upgrade; no custom opening headers, extension negotiation, or fragment callbacks; active close sends a close frame then closes transport, peer close is echoed before closing
TLS TLS 1.2/1.3, all standard TLS 1.3 cipher suites, TLS 1.2 ECDHE/DHE/RSA key exchange, AES-GCM/AES-CBC/ChaCha20-Poly1305, X25519/X448/NIST P/FFDHE, RSA-PSS/RSA-PKCS1/ECDSA/EdDSA, SNI, ALPN, PSK/session ticket, opt-in 0-RTT, KeyUpdate, record padding, client certs, OCSP stapling parse, chain reorder/validate, Name Constraints, certificatePolicies, IDNA, OCSP/CRL cache, SPKI pin Default policy disables TLS 1.2 RSA key exchange, CBC, renegotiation; available only with TlsSecurityProfile::CompatibilityExplicit plus matching option. No hard-coded system CA; online revocation input is caller-provided or cached

Key default behaviors

  • Redirects: reject HTTPS→HTTP downgrade by default; strip Authorization/Cookie/Proxy-Authorization across scheme/host/port; 301/302 rewrite POST→GET, 303 rewrites all but HEAD to GET, 307/308 preserve method and body.
  • Stale retry: reused stale-connection failures retry fresh only for safe/idempotent GET/HEAD/OPTIONS; POST/PUT/PATCH/DELETE are never auto-replayed.
  • Pool: close-delimited HTTP/1.x and 101 Switching Protocols upgrades do not return to the normal pool.
  • IRQL: synchronous HTTP, WebSocket, TLS, and certificate validation require PASSIVE_LEVEL.
  • TLS version negotiation: ALPN results must come from the client offer list; TLS1.2 selection requires verified version-negotiation evidence — cert errors, ALPN mismatch, timeout, or decryption failure are not TLS1.2-only evidence.
  • Host validation: IP literals match only iPAddress SAN entries, with no fallback to dNSName or CN.

Clone this wiki locally