Changeset 346c03b in mod_gnutls

Timestamp:

Jan 15, 2020, 3:44:53 AM (3 months ago)

Author:

Fiona Klute <fiona.klute@…>

Branches:

master

Children:

0dc1a31

Parents:

407ca6e

git-author:

Fiona Klute <fiona.klute@…> (01/15/20 02:42:10)

git-committer:

Fiona Klute <fiona.klute@…> (01/15/20 03:44:53)

Message:

Prohibit TLS renegotiation for HTTP/2 connections (RFC 7540, section 9.2.1)

File:

• src/gnutls_hooks.c (modified) (2 diffs)

src/gnutls_hooks.c

@@ -58 +58 @@
  * Extension (status_request, defined in RFC 6066) */
 #define TLSFEATURE_MUST_STAPLE 5
+
+/**
+ * Request protocol string for HTTP/2, as hard-coded in mod_http2
+ * h2_request.c.
+ */
+#define HTTP2_PROTOCOL "HTTP/2.0"
+
+/**
+ * mod_http2 checks this note, set it to signal that a request would
+ * require renegotiation/reauth, which isn't allowed under HTTP/2. The
+ * content of the note is expected to be a string giving the reason
+ * renegotiation would be needed.
+ *
+ * See: https://tools.ietf.org/html/rfc7540#section-9.2.1
+ */
+#define RENEGOTIATE_FORBIDDEN_NOTE "ssl-renegotiate-forbidden"
 
 /** Key to encrypt session tickets. Must be kept secret. This key is
@@ -1446 +1462 @@
                 return rv;
 
+            if (strcmp(r->protocol, HTTP2_PROTOCOL) == 0)
+            {
+                ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
+                              "Rehandshake is prohibited for HTTP/2 "
+                              "(RFC 7540, section 9.2.1).");
+                apr_table_setn(r->notes, RENEGOTIATE_FORBIDDEN_NOTE,
+                               "verify-client");
+                return HTTP_FORBIDDEN;
+            }
+
             gnutls_certificate_server_set_request
                     (ctxt->session, dc->client_verify_mode);