Changeset 346c03b in mod_gnutls


Timestamp:
Jan 15, 2020, 3:44:53 AM (3 months ago)
Author:
Fiona Klute <fiona.klute@…>
Branches:
master
Children:
0dc1a31
Parents:
407ca6e
git-author:
Fiona Klute <fiona.klute@…> (01/15/20 02:42:10)
git-committer:
Fiona Klute <fiona.klute@…> (01/15/20 03:44:53)
Message:

Prohibit TLS renegotiation for HTTP/2 connections (RFC 7540, section 9.2.1)

File:
1 edited

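--- a/src/gnutls_hooks.c
+++ b/src/gnutls_hooks.c
@@ -58,4 +58,20 @@
  * Extension (status_request, defined in RFC 6066) */
 #define TLSFEATURE_MUST_STAPLE 5
+
+/**
+ * Request protocol string for HTTP/2, as hard-coded in mod_http2
+ * h2_request.c.
+ */
+#define HTTP2_PROTOCOL "HTTP/2.0"
+
+/**
+ * mod_http2 checks this note, set it to signal that a request would
+ * require renegotiation/reauth, which isn't allowed under HTTP/2. The
+ * content of the note is expected to be a string giving the reason
+ * renegotiation would be needed.
+ *
+ * See: https://tools.ietf.org/html/rfc7540#section-9.2.1
+ */
+#define RENEGOTIATE_FORBIDDEN_NOTE "ssl-renegotiate-forbidden"
 
 /** Key to encrypt session tickets. Must be kept secret. This key is
@@ -1446,4 +1462,14 @@
                 return rv;
 
+            if (strcmp(r->protocol, HTTP2_PROTOCOL) == 0)
+            {
+                ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+                              "Rehandshake is prohibited for HTTP/2 "
+                              "(RFC 7540, section 9.2.1).");
+                apr_table_setn(r->notes, RENEGOTIATE_FORBIDDEN_NOTE,
+                               "verify-client");
+                return HTTP_FORBIDDEN;
+            }
+
             gnutls_certificate_server_set_request
                     (ctxt->session, dc->client_verify_mode);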
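Review bot: The new HTTP/2 branch denies the request with HTTP_FORBIDDEN but records the reason only at APLOG_DEBUG, so at the default LogLevel an operator sees an unexplained 403 in the access log; since this is a policy denial rather than a trace message, logging it at `ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, ...)` would make the refused renegotiation visible where it is normally investigated. The detection itself relies on `strcmp(r->protocol, HTTP2_PROTOCOL)`, which the new comment at line 62 admits is tied to a string hard-coded in mod_http2; if the httpd versions mod_gnutls supports provide `ap_get_protocol()` on the connection, that would be a less fragile signal, but I have not checked the minimum version here. The "verify-client" note value is presumably what mod_http2 reads to turn the 403 into a protocol-level signal to the client, so a short comment at the `apr_table_setn` line stating that the string is consumed by mod_http2 and must stay in sync would help the next maintainer. The enclosing function starts before and ends after this hunk, so I cannot tell whether any other renegotiation path in it, beyond the client-verify request that follows, needs the same guard.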