http2: Reject incompatible TLS ALPN handshakes #144
Updated master from nodejs/node master. This will need a rebase
2d4a8a2 to 2b9a433
@jasnell rebased 👍
@mcollina @jasnell As per discussion in the outdated code review I've changed this to emit an error instead of silently destroying the connection. See b900d2d. This could be pretty annoying to users, I fear, since must listen for
I do not think we should emit an error event. This is a very specific case, and we should be more diligent. So maybe we should use an "unknownProtocol" event passing the socket, and if there are no listeners, we silently drop. If there is a listener (check the return value of emit()), we do nothing and it would be up to the user to decide what they want to do with this.
eb4a513 to a7c376f
@jasnell Rebased and ready for review. Minor patch but introduces a new event as per above discussion.
Still LGTM :).
Emit `unknownProtocol` event or silently destroy the socket

PR-URL: #144
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>

Landed!
http/1.1 in ALPN when the fallback is allowed.

Note: The Node.js API does not seem to allow rejecting TLS handshakes at the ALPN-level (as described in RFC 7301 3.2). Therefore we do not differentiate between TLS clients that failed to match an ALPN protocol, and clients that simply do not support ALPN. In practice this should make little, if any, difference. Should consider adding strict ALPN negotiation as an option to Node.js core TLS though.
Checklist
`make -j4 test` (UNIX), or `vcbuild test` (Windows) passes

Affected core subsystem(s)
http2