IETF Logo Mail Archive

RE: Is the response header "Upgrade: h2" allowed when TLS is used?

Mike Bishop <Michael.Bishop@microsoft.com> Wed, 20 April 2016 17:06 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 39DAC12E1CC for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 20 Apr 2016 10:06:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.017
X-Spam-Level:
X-Spam-Status: No, score=-8.017 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.996, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zokOdwdvPXhv for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 20 Apr 2016 10:06:12 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE26612E157 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Wed, 20 Apr 2016 10:06:12 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1asvVg-000538-VA for ietf-http-wg-dist@listhub.w3.org; Wed, 20 Apr 2016 17:01:53 +0000
Resent-Date: Wed, 20 Apr 2016 17:01:52 +0000
Resent-Message-Id: <E1asvVg-000538-VA@frink.w3.org>
Received: from lisa.w3.org ([128.30.52.41]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <Michael.Bishop@microsoft.com>) id 1asvVZ-00052M-2B for ietf-http-wg@listhub.w3.org; Wed, 20 Apr 2016 17:01:45 +0000
Received: from mail-bn1bon0144.outbound.protection.outlook.com ([157.56.111.144] helo=na01-bn1-obe.outbound.protection.outlook.com) by lisa.w3.org with esmtps (TLS1.2:RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from <Michael.Bishop@microsoft.com>) id 1asvVP-00041O-8B for ietf-http-wg@w3.org; Wed, 20 Apr 2016 17:01:44 +0000
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector1; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=1ulYVeJ4oGIdkXg6m2OpnFulqFcQd/an6kvEA0lmsDw=; b=LlAudq9ISsWcWb1DsZgYey4PWBdj+41OWLt2FjvstDIkJ9kpUh210Wy+wWKqpWJ2zynQuNmlWYwFAlnYQ8kxVqgwK3ehb1mLbGOuxqTri1vrtpUj5l7IpiWW44pmPt1T4wNKxXjzDauRs+UXTLJSsd7HFMiOX5hNM1mpg6nY9m8=
Received: from CH1PR03MB1916.namprd03.prod.outlook.com (10.164.115.156) by CH1PR03MB1915.namprd03.prod.outlook.com (10.164.115.155) with Microsoft SMTP Server (TLS) id 15.1.466.19; Wed, 20 Apr 2016 17:01:08 +0000
Received: from CH1PR03MB1916.namprd03.prod.outlook.com ([10.164.115.156]) by CH1PR03MB1916.namprd03.prod.outlook.com ([10.164.115.156]) with mapi id 15.01.0453.029; Wed, 20 Apr 2016 17:01:08 +0000
From: Mike Bishop <Michael.Bishop@microsoft.com>
To: Stefan Eissing <stefan.eissing@greenbytes.de>
CC: Michael Kaufmann <mail@michael-kaufmann.ch>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Thread-Topic: Is the response header "Upgrade: h2" allowed when TLS is used?
Thread-Index: AQHRmkbn7rfCj3mJ2UGl5DAxJwBuoJ+RaEaAgAAD0ACAAAoBAIAAAJyAgAAGX4CAAFOxAIAAAt0ggADKlYCAAHkicA==
Date: Wed, 20 Apr 2016 17:01:08 +0000
Message-ID: <CH1PR03MB1916A8F39DC30316E86C5C52876D0@CH1PR03MB1916.namprd03.prod.outlook.com>
References: <20160419161634.Horde.7_VYZk5McZE4CAiQrQh-uXr@webmail.michael-kaufmann.ch> <7CF7F94CB496BF4FAB1676F375F9666A2A7CBD72@bgb01xud1012> <BE75D624-3A89-463A-B860-A2E83613C199@lukasa.co.uk> <5CBBE2E0-BA35-42B6-9E19-D658753D593B@greenbytes.de> <825033AC-9E67-4B81-84E6-FC5C67112037@lukasa.co.uk> <57165D31.5070604@treenet.co.nz> <20160419233014.Horde.pDb9tRgUZYP9jgWUZg3sUna@webmail.michael-kaufmann.ch> <CH1PR03MB1916F1E7699825ACC4D741AA876C0@CH1PR03MB1916.namprd03.prod.outlook.com> <91D281BC-F987-488B-AEEB-6F52EE7802AB@greenbytes.de>
In-Reply-To: <91D281BC-F987-488B-AEEB-6F52EE7802AB@greenbytes.de>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: greenbytes.de; dkim=none (message not signed) header.d=none;greenbytes.de; dmarc=none action=none header.from=microsoft.com;
x-originating-ip: [2001:4898:80e8:6::736]
x-ms-office365-filtering-correlation-id: c7eacd65-33d1-495c-05d0-08d3693d5e2f
x-microsoft-exchange-diagnostics: 1; CH1PR03MB1915; 5:BkfYEuCBRtPoVIAdDWNfm0wbwARwnSx5lfQOeANqWoqcg/W/aLGMo9895SxkcvEVG0CaWt7TMP5flxt3O317dU0DRhs5KtvoBR5NewNb+iVFGenHFJae5OvuV/ZsM2G78oLQxw7zNcyjVmR96WVFr2fN+RAS7FL/bfk7xdd3FoHQruBTiLXxrxO+Yp03r/v1; 24:1ksIn83bksC1JkLwQJ/Yv30m+aBahPqmZmZ21vs/VBdzQpI4KumZx/xNgHqd8VFhbxAao9hG8mbAmd0UPCd20EIHTwGOpQEvBeyNh50G+0E=; 7:B8ju2Tsn94zuIdez3KCd0EkG8OMUWMvkE+TOfvXMKdb2byZE7JY5IQRb4K3/VrMeRqd9hBcnMup3wCgyYidib4DAW8G3tMzr8nvizoZGIZOCEVA0mdYgYO8PIS6n56eu/Oi68bPi4iCCFRffH8jq3MkeZ7FoPMBQkcQijc32VsKz4C5mD0fG9ehcUFfT8FpZ0xeUjRywUqhsUwhscK/lRYu6E9NwD3Zp6f5tMyojNMWyDg0Bc++2zsHeVRsBoeXl
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:CH1PR03MB1915;
x-microsoft-antispam-prvs: <CH1PR03MB19154F84693485C53DB6A77A876D0@CH1PR03MB1915.namprd03.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(9101521026)(61425038)(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001)(6055026)(61426038)(61427038); SRVR:CH1PR03MB1915; BCL:0; PCL:0; RULEID:; SRVR:CH1PR03MB1915;
x-forefront-prvs: 0918748D70
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(13464003)(24454002)(377454003)(5003600100002)(10400500002)(10090500001)(5005710100001)(10290500002)(93886004)(87936001)(33656002)(76576001)(5004730100002)(11100500001)(122556002)(99286002)(106116001)(8990500004)(19580395003)(74316001)(2950100001)(2900100001)(102836003)(586003)(19580405001)(4326007)(50986999)(77096005)(110136002)(86362001)(1720100001)(54356999)(5008740100001)(81166005)(1220700001)(6116002)(1096002)(189998001)(76176999)(3660700001)(92566002)(3280700002)(5002640100001)(86612001)(9686002)(15975445007)(2906002); DIR:OUT; SFP:1102; SCL:1; SRVR:CH1PR03MB1915; H:CH1PR03MB1916.namprd03.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Apr 2016 17:01:08.1714 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH1PR03MB1915
Received-SPF: pass client-ip=157.56.111.144; envelope-from=Michael.Bishop@microsoft.com; helo=na01-bn1-obe.outbound.protection.outlook.com
X-W3C-Hub-Spam-Status: No, score=-3.9
X-W3C-Hub-Spam-Report: AWL=-2.436, BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, W3C_NW=0.5
X-W3C-Scan-Sig: lisa.w3.org 1asvVP-00041O-8B 136c5233a401199e1980363dd439a142
X-Original-To: ietf-http-wg@w3.org
Subject: RE: Is the response header "Upgrade: h2" allowed when TLS is used?
Archived-At: <http://www.w3.org/mid/CH1PR03MB1916A8F39DC30316E86C5C52876D0@CH1PR03MB1916.namprd03.prod.outlook.com>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/31523
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

I agree with you that using different tokens for the same protocol is a bit silly -- when are we discussing a protocol at one layer versus when are we discussing a stack of protocols?  But that's the way the RFC fell.  

-----Original Message-----
From: Stefan Eissing [mailto:stefan.eissing@greenbytes.de] 
Sent: Wednesday, April 20, 2016 2:46 AM
To: Mike Bishop <Michael.Bishop@microsoft.com>
Cc: Michael Kaufmann <mail@michael-kaufmann.ch>; ietf-http-wg@w3.org
Subject: Re: Is the response header "Upgrade: h2" allowed when TLS is used?

If backport gets the votes, next Apache httpd release will no longer carry h2 in an Upgrade: announcement. Thanks for your time.

-Stefan

PS. Which still does not make sense to me, but seems to be what the specification says...

> Am 19.04.2016 um 23:47 schrieb Mike Bishop <Michael.Bishop@microsoft.com>:
> 
> That would seem reasonable.  Hypothetically, a server could attempt RFC 2817-style Upgrade to TLS and then select "h2" as the ALPN token during the TLS handshake.  A logical flow for carrying the initial request into the h2 context would look a lot like that for h2c -- stream 1 is half-closed and already "contains" the client's initial request.  However, that still wouldn't use an "h2" Upgrade token and isn't actually defined anywhere.
> 
> "Upgrade: h2c" or offer Alt-Svc if you want to switch to HTTP/2 on a different, encrypted connection.
> 
> -----Original Message-----
> From: Michael Kaufmann [mailto:mail@michael-kaufmann.ch]
> Sent: Tuesday, April 19, 2016 2:30 PM
> To: ietf-http-wg@w3.org
> Subject: Re: Is the response header "Upgrade: h2" allowed when TLS is used?
> 
> Zitat von Amos Jeffries <squid3@treenet.co.nz>:
> 
>> On 20/04/2016 4:07 a.m., Cory Benfield wrote:
>>> 
>>> Heh, I missed that. With that note, then, I’d say that Apache should 
>>> stop putting h2 in the Upgrade header on a TLS-using connection
>>> *unless* it believes that connection is for a HTTP-schemed URL, when 
>>> it should put h2c.
>>> 
>>> Cory
>>> 
>> 
>> 
>> I think you are all overlooking the basic details:
>> 
>> * RFC 7540 does not govern HTTP/1.1 connections, even TLS ones.
>> 
>> * RFC 7540 section 3.2 is about negotiating http:// URLs over non-TLS 
>> connections.
>> 
>> 
>> When the client has negotiated for HTTP/1.1 over TLS to happen (aka 
>> HTTPS). It is appropriate to Upgrade:h2. Since RFC 723x applies.
>> 
>> 
>> But when the client negotiates h2c to happen. It is forbidden from 
>> using
>> Upgrade:h2 to get to h2. Avoiding the issues Upgrade would have with 
>> only one-way encryption for the message pair.
>> 
>> Note that h2c is also forbidden from being used in ALPN by section 3.3.
>> So there is no valid way to be using TLS for h2c in the first place.
>> 
>> If one is already using h2 it is pointless to Upgrade:h2.
>> 
> 
> I have just realized that RFC 7540 registers the "h2c" upgrade token 
> (section 11.8) but it does NOT register an "h2" upgrade token. (it 
> also registers the identification strings "h2" and "h2c" for ALPN in 
> section 11.1, but that is a different thing)
> 
> The upgrade token "h2" probably does not exist according to the RFCs.  
> It is also not mentioned here:  
> http://www.iana.org/assignments/http-upgrade-tokens/http-upgrade-token
> s.xhtml
> 
> So when using TLS, servers should not send "Upgrade: h2" because "h2"  
> is an undefined upgrade token. And also when using TLS, servers should not send "Upgrade: h2c" because h2c means "HTTP/2 using cleartext TCP", and a connection that uses TLS cannot be "upgraded" to a connection that does not use TLS.
> 
> Do you agree...?
> 
> Regards,
> Michael
> 
>

v2.23.0 | Report a Bug | By Email