Fix HTTP/2 disablement #145

Merged
merged 1 commit into from
Nov 13, 2023


cgoncalves
Contributor

In commit 4371417 we disabled HTTP/2 by default as a remediation for CVE-2023-39325. An HTTP connection test using curl suggested at the time that the server only accepted HTTP/1.1 even though the client offered h2 and HTTP/1.1:

    $ curl --http2 https://localhost:8443 2>&1 | grep -i alpn
    * ALPN: offers h2,http/1.1
    * ALPN: server accepted http/1.1

It so happens that the peers can still negotiate h2:

    $ openssl s_client -connect localhost:8443 -alpn "h2"
    [...]
    ALPN protocol: h2
    [...]

This commit fixes this issue, completely disabling HTTP/2 for good now:

    $ for PROTO in h3 h2 http/1.1 http/1.0; do openssl s_client -connect localhost:8443 -alpn "${PROTO}" 2>/dev/null | grep -i alpn; done
    No ALPN negotiated
    No ALPN negotiated
    ALPN protocol: http/1.1
    No ALPN negotiate

Signed-off-by: Carlos Goncalves <[email protected]>
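
The verification described above, as an added Go example (not code from this pull request or the project): local test servers with constructed ALPN lists are probed one protocol at a time. The `{"http/1.1", "h2"}` list is an assumption chosen to reproduce the reported symptom, not the project's actual pre-fix configuration; `startServer` and `probe` are hypothetical helper names.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// startServer starts a local TLS test server advertising the given ALPN list.
// The list is a constructed stand-in, not the project's real configuration.
func startServer(nextProtos []string) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	srv.TLS = &tls.Config{NextProtos: nextProtos}
	srv.StartTLS()
	return srv
}

// probe performs one TLS handshake offering exactly the given protocols and
// returns the ALPN protocol the server selected, or "" when nothing was
// negotiated (including a handshake the server rejected).
func probe(srv *httptest.Server, offer ...string) string {
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	conn, err := tls.Dial("tcp", srv.Listener.Addr().String(),
		&tls.Config{RootCAs: pool, NextProtos: offer})
	if err != nil {
		return ""
	}
	defer conn.Close()
	return conn.ConnectionState().NegotiatedProtocol
}

func main() {
	configs := [][]string{
		{"http/1.1", "h2"}, // assumed: prefers http/1.1 but still accepts h2
		{"http/1.1"},       // h2 not advertised at all
	}
	for _, protos := range configs {
		srv := startServer(protos)
		fmt.Printf("server %v: offer h2,http/1.1 -> %q\n", protos, probe(srv, "h2", "http/1.1"))
		for _, p := range []string{"h3", "h2", "http/1.1", "http/1.0"} {
			fmt.Printf("  offer %-8s -> %q\n", p, probe(srv, p))
		}
		srv.Close()
	}
}
```

Offering both protocols only reveals the server's first choice, so a regression test for this kind of fix should offer `h2` on its own and require that nothing is negotiated.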
Member

@zeeke zeeke left a comment

LGTM

@cgoncalves
Contributor Author

@adrianchiris please take a look.

@SchSeba SchSeba merged commit 6926642 into k8snetworkplumbingwg:master Nov 13, 2023
2 checks passed