shinrich opened a new issue #7980: URL: https://github.com/apache/trafficserver/issues/7980
Internally we've been discussing the cross-application attacks described in https://alpaca-attack.com/ALPACA.pdf. Those discussions got us looking at how ATS handles ALPN. Currently ATS will try to find a matching protocol if the client offers an ALPN entry. If there is no match, ATS continues on and assumes HTTP/1.1. If no ALPN string is offered (presumably an older client), ATS continues on and assumes HTTP/1.1.

Looking at a snapshot of one of our production boxes' logs, we see 92% of the client connections offer ALPN. In this sample, no client request that offered ALPN failed to get a protocol match with our ATS server, which was willing to accept h2 and http/1.1. To support older clients (8% of our requests), it is not feasible to stop accepting requests without ALPN. However, we should stop accepting requests where the ALPN string has no match. Based on our logging, that seems unlikely to be an innocent mistake, but rather that the attacker is trying to poke at our security stance.

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected]
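The policy the issue argues for, as an added example that is not ATS code: the server keeps serving clients that send no ALPN extension as HTTP/1.1, but refuses a connection whose ALPN list has no overlap with the server's protocols instead of falling back to HTTP/1.1. The wire-format parsing matches what an OpenSSL `alpn_select` callback receives; the names `negotiate_alpn`, `alpn_wire` and the sample protocol lists are constructed for this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <initializer_list>
#include <string>
#include <vector>

// Outcome of ALPN negotiation under the policy the issue proposes.
enum class AlpnResult { Selected, NoAlpnOffered, NoMatchReject };

struct AlpnDecision {
  AlpnResult result;
  std::string protocol;  // chosen protocol, or the HTTP/1.1 fallback when nothing was offered
};

// Build a protocol list in TLS ALPN wire form (1-byte length + name, repeated),
// the same shape an OpenSSL alpn_select callback receives in `in`/`inlen`.
std::vector<uint8_t> alpn_wire(std::initializer_list<std::string> names) {
  std::vector<uint8_t> out;
  for (const auto& n : names) {
    out.push_back(static_cast<uint8_t>(n.size()));
    out.insert(out.end(), n.begin(), n.end());
  }
  return out;
}

// Parse the wire list; returns false on an empty or truncated entry.
bool parse_alpn_list(const uint8_t* in, size_t inlen, std::vector<std::string>& out) {
  for (size_t pos = 0; pos < inlen;) {
    size_t len = in[pos++];
    if (len == 0 || pos + len > inlen) return false;
    out.emplace_back(reinterpret_cast<const char*>(in + pos), len);
    pos += len;
  }
  return true;
}

// Server-preference selection: `supported` is the server's list in preference order.
AlpnDecision negotiate_alpn(const uint8_t* in, size_t inlen, const std::vector<std::string>& supported) {
  // Legacy client sent no ALPN extension: keep serving it as HTTP/1.1 (current ATS behaviour).
  // With OpenSSL the select callback is never invoked in this case; it is modelled here.
  if (in == nullptr || inlen == 0) return {AlpnResult::NoAlpnOffered, "http/1.1"};
  std::vector<std::string> offered;
  if (!parse_alpn_list(in, inlen, offered)) return {AlpnResult::NoMatchReject, ""};
  for (const auto& s : supported)
    for (const auto& o : offered)
      if (s == o) return {AlpnResult::Selected, s};
  // ALPN offered but nothing overlaps: refuse the connection rather than
  // silently assuming HTTP/1.1 (this is the change the issue argues for).
  return {AlpnResult::NoMatchReject, ""};
}
```

Inside a real OpenSSL `alpn_select` callback, `Selected` would map to returning `SSL_TLSEXT_ERR_OK` with the chosen name, and `NoMatchReject` to `SSL_TLSEXT_ERR_ALERT_FATAL`, which aborts the handshake with a `no_application_protocol` alert.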
