This is an automated email from the ASF dual-hosted git repository.
cmcfarlen pushed a commit to branch 10.0.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git
The following commit(s) were added to refs/heads/10.0.x by this push:
new ca66fd6889 Disable h2 prior knowledge on tls (#11881)
ca66fd6889 is described below
commit ca66fd68890da10e39d31a49ef5e09fad072afaf
Author: Masakazu Kitajo <[email protected]>
AuthorDate: Wed Jan 22 16:32:50 2025 -0700
Disable h2 prior knowledge on tls (#11881)
* Don't allow using HTTP/2 prior knowledge on TLS connections
* Update debug log message
* Use ALPN on autest tls_0rtt_server
* Add a comment
(cherry picked from commit 5c0b0399d14d17885c295906136aa023f1fc4a0a)
---
src/proxy/ProtocolProbeSessionAccept.cc | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/src/proxy/ProtocolProbeSessionAccept.cc
b/src/proxy/ProtocolProbeSessionAccept.cc
index 8f76c95a1c..ec50a5369f 100644
--- a/src/proxy/ProtocolProbeSessionAccept.cc
+++ b/src/proxy/ProtocolProbeSessionAccept.cc
@@ -136,7 +136,13 @@ struct ProtocolProbeTrampoline : public Continuation,
public ProtocolProbeSessio
} // end of Proxy Protocol processing
if (proto_is_http2(reader)) {
- key = PROTO_HTTP2;
+ if (netvc->get_service<TLSBasicSupport>() == nullptr) {
+ key = PROTO_HTTP2;
+ } else {
+ // RFC 9113 Section 3.3: Prior knowledge is only permissible for
HTTP/2 over plaintext (non-TLS) connections.
+ Dbg(dbg_ctl_http, "HTTP/2 prior knowledge was used on a TLS connection
(protocol violation). Selecting HTTP/1 instead.");
+ key = PROTO_HTTP;
+ }
} else {
key = PROTO_HTTP;
}
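Review bot: In the new `else` branch the connection is not rejected but routed to `PROTO_HTTP`, so the preface bytes that matched `proto_is_http2(reader)` are handed to the HTTP/1 session, and the hunk does not show what that path does with them. The comment should state the intended outcome, for example `// h2 on TLS must be negotiated via ALPN; the HTTP/1 path is expected to reject the "PRI * HTTP/2.0" preface.` The violation is also reported only through `Dbg(dbg_ctl_http, ...)`, which is presumably silent unless that debug tag is enabled, so operators get no signal that clients are attempting prior knowledge over TLS. A counter or a rate-limited log line would make it detectable. The enclosing function starts and ends outside the hunk, so whether `netvc` can be null before `get_service<TLSBasicSupport>()` is called cannot be confirmed from here.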