From 2eefedb6318cf0ed52c7d62da18e892b78c2dbd0 Mon Sep 17 00:00:00 2001
From: Andrea Panattoni <apanatto@redhat.com>
Date: Fri, 20 Oct 2023 12:17:12 +0200
Subject: [PATCH] webhook: Disable HTTP2 by default

From docs: net/http/server.go

"[...] If TLSNextProto is not nil, HTTP/2 support
is not enabled automatically."
Server.TLSNextProto

Signed-off-by: Andrea Panattoni <apanatto@redhat.com>
---
 cmd/webhook/start.go | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/cmd/webhook/start.go b/cmd/webhook/start.go
index d1973d575..d400a51b3 100644
--- a/cmd/webhook/start.go
+++ b/cmd/webhook/start.go
@@ -17,9 +17,10 @@ import (
 )
 
 var (
-	certFile string
-	keyFile  string
-	port     int
+	certFile    string
+	keyFile     string
+	port        int
+	enableHTTP2 bool
 )
 
 var (
@@ -48,6 +49,7 @@ func init() {
 		"File containing the default x509 private key matching --tls-cert-file.")
 	startCmd.Flags().IntVar(&port, "port", 443,
 		"Secure port that the webhook listens on")
+	startCmd.Flags().BoolVar(&enableHTTP2, "enable-http2", false, "If HTTP/2 should be enabled for the metrics and webhook servers.")
 }
 
 // serve handles the http portion of a request prior to handing to an admit
@@ -152,6 +154,11 @@ func runStartCmd(cmd *cobra.Command, args []string) {
 			TLSConfig: &tls.Config{
 				GetCertificate: keyPair.GetCertificateFunc(),
 			},
+			// CVE-2023-39325 https://github.com/golang/go/issues/63417
+			TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler)),
+		}
+		if enableHTTP2 {
+			server.TLSNextProto = nil
 		}
 		err := server.ListenAndServeTLS("", "")
 		if err != nil {