Re: Is the response header "Upgrade: h2" allowed when TLS is used?

Cory Benfield <cory@lukasa.co.uk> Tue, 19 April 2016 16:22 UTC

From: Cory Benfield <cory@lukasa.co.uk>
In-Reply-To: <825033AC-9E67-4B81-84E6-FC5C67112037@lukasa.co.uk>
Date: Tue, 19 Apr 2016 17:17:27 +0100
Cc: Lucas Pardue <Lucas.Pardue@bbc.co.uk>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Message-Id: <23E1D88A-8F3F-44D6-A123-4F420696B81A@lukasa.co.uk>
References: <20160419161634.Horde.7_VYZk5McZE4CAiQrQh-uXr@webmail.michael-kaufmann.ch> <7CF7F94CB496BF4FAB1676F375F9666A2A7CBD72@bgb01xud1012> <BE75D624-3A89-463A-B860-A2E83613C199@lukasa.co.uk> <5CBBE2E0-BA35-42B6-9E19-D658753D593B@greenbytes.de> <825033AC-9E67-4B81-84E6-FC5C67112037@lukasa.co.uk>
To: Stefan Eissing <stefan.eissing@greenbytes.de>
Archived-At: <http://www.w3.org/mid/23E1D88A-8F3F-44D6-A123-4F420696B81A@lukasa.co.uk>

> On 19 Apr 2016, at 17:07, Cory Benfield <cory@lukasa.co.uk> wrote:
> 
> Heh, I missed that. With that note, then, I’d say that Apache should stop putting h2 in the Upgrade header on a TLS-using connection *unless* it believes that connection is for a HTTP-schemed URL, when it should put h2c.


Sorry, even that’s not right, as Section 3.3 states:

> the "h2c" protocol identifier describes a protocol that does not use TLS.

I’d say that while RFC 7540 doesn’t *explicitly* have any normative language that says you can’t do this, it has statements that “h2c” is only for cleartext, that HTTP/2 over TLS uses “h2”, and that you can’t put “h2” in an upgrade header (only the last is normative). To me, that seems to add up to “no Upgrade header in TLS”.

Cory
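The rules Cory lists above (the "h2" identifier is only used with TLS and ALPN, "h2c" only describes cleartext HTTP/2, and a server must ignore an "h2" token in an Upgrade header) can be turned into a small conformance check. The following is an added example written for this archive page; it is not code from the thread, from Apache, or from any other project. It assumes an RFC 7230 style Upgrade field value (comma-separated `protocol-name["/"protocol-version]` tokens) and the RFC 7540 Section 3 identifier rules as cited in the message; the function names and the sample header values are constructed for illustration.

```python
"""Audit and generate HTTP/1.1 Upgrade header values for HTTP/2.

Added example (not from the thread or any project). Encodes the
RFC 7540 Section 3 rules discussed above:
  * "h2"  = HTTP/2 over TLS, negotiated via ALPN, never via Upgrade
            (a server MUST ignore an "h2" Upgrade token, Section 3.2).
  * "h2c" = HTTP/2 over cleartext TCP (Sections 3.1 and 3.3).
So an HTTP/1.1 server on a TLS connection has nothing to advertise.
"""
from typing import List, Optional, Tuple

Token = Tuple[str, Optional[str]]  # (protocol-name, protocol-version or None)


def parse_upgrade(value: str) -> List[Token]:
    """Split an Upgrade field value into protocol tokens.

    RFC 7230 Section 6.7: Upgrade = 1#protocol, where
    protocol = protocol-name ["/" protocol-version]. Names are compared
    case-insensitively, so they are lower-cased here; empty list
    elements (e.g. from a trailing comma) are skipped.
    """
    tokens: List[Token] = []
    for element in value.split(","):
        element = element.strip()
        if not element:
            continue
        name, _, version = element.partition("/")
        tokens.append((name.lower(), version or None))
    return tokens


def advertised_upgrade(is_tls: bool) -> Optional[str]:
    """Upgrade value an HTTP/1.1 server may send to offer HTTP/2.

    Over TLS the only route to HTTP/2 is ALPN ("h2"), and "h2" is not
    allowed in Upgrade, so the server emits no Upgrade header at all.
    Over cleartext it may offer "h2c".
    """
    return None if is_tls else "h2c"


def audit_upgrade(value: str, is_tls: bool) -> List[str]:
    """Return a list of problems with an observed Upgrade header.

    Used here as a defender-side check on a server's own responses:
    an empty list means the header is consistent with RFC 7540.
    """
    problems: List[str] = []
    for name, _ in parse_upgrade(value):
        if name == "h2":
            problems.append(
                '"h2" is not valid in Upgrade (RFC 7540 Section 3.2: '
                'servers MUST ignore it; HTTP/2 over TLS is negotiated via ALPN)'
            )
        elif name == "h2c" and is_tls:
            problems.append(
                '"h2c" describes cleartext HTTP/2 (RFC 7540 Section 3.3) '
                'but this connection uses TLS'
            )
    return problems


def acceptable_request_upgrades(value: str) -> List[str]:
    """Server-side handling of a client's Upgrade tokens.

    Drops "h2" (MUST be ignored per RFC 7540 Section 3.2) and keeps the
    remaining protocol names in their original order of preference.
    """
    return [name for name, _ in parse_upgrade(value) if name != "h2"]


if __name__ == "__main__":
    # Constructed sample headers, not captured traffic.
    samples = [
        ("Upgrade: h2, h2c", True),    # the Apache behaviour questioned above
        ("Upgrade: h2c", False),       # conforming cleartext advertisement
        ("Upgrade: h2c, HTTP/2.0", True),
    ]
    for header, tls in samples:
        value = header.split(":", 1)[1].strip()
        print(header, "| tls=%s |" % tls, audit_upgrade(value, tls) or "ok")
    print("server on TLS should advertise:", advertised_upgrade(True))
    print("server on cleartext should advertise:", advertised_upgrade(False))
```

Running the script audits the three constructed headers and prints what a server on each kind of connection should advertise; the TLS case with "h2" is flagged twice (once for "h2", once for "h2c" over TLS), which is exactly the conclusion reached in the message.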