IETF Logo Mail Archive

Re: Is the response header "Upgrade: h2" allowed when TLS is used?

Stefan Eissing <stefan.eissing@greenbytes.de> Wed, 20 April 2016 18:18 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 16CDE12EDE9 for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 20 Apr 2016 11:18:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.017
X-Spam-Level:
X-Spam-Status: No, score=-8.017 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.996, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=greenbytes.de header.b=YRUNra8z; dkim=pass (1024-bit key) header.d=greenbytes.de header.b=kaTn/sbS
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BFClb_7Uh6jn for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Wed, 20 Apr 2016 11:18:01 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9112712E354 for <httpbisa-archive-bis2Juki@lists.ietf.org>; Wed, 20 Apr 2016 11:17:52 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1aswdA-0003KJ-CI for ietf-http-wg-dist@listhub.w3.org; Wed, 20 Apr 2016 18:13:40 +0000
Resent-Date: Wed, 20 Apr 2016 18:13:40 +0000
Resent-Message-Id: <E1aswdA-0003KJ-CI@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <stefan.eissing@greenbytes.de>) id 1aswd7-0003Il-VA for ietf-http-wg@listhub.w3.org; Wed, 20 Apr 2016 18:13:37 +0000
Received: from mail.greenbytes.de ([5.10.171.186]) by maggie.w3.org with esmtps (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from <stefan.eissing@greenbytes.de>) id 1aswd2-0005uz-0l for ietf-http-wg@w3.org; Wed, 20 Apr 2016 18:13:37 +0000
Received: by mail.greenbytes.de (Postfix, from userid 117) id 282BC15A101F; Wed, 20 Apr 2016 20:13:04 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=greenbytes.de; s=mail; t=1461175984; bh=Wlb1Aby0p2dCJxmBUMst1z1ApDnZbhDsd/UcpT4dJlo=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=YRUNra8zTH6CzecIeNtrzVkfWFX4y1zQjCJMg5wwKLFjDEsFKZQ8WBFLaaUofeV+D uzR5PjuOhIJM1Mysq9p+A9jKJHHFT4JIM+ysBmL4AXtpVqp5ZflUOxXufkegPQv0Zf pMX/8OdPXeBiy/O0FFDPWGZm2c/0FOY0nifE9ysk=
Received: from [192.168.178.41] (unknown [84.189.88.177]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mail.greenbytes.de (Postfix) with ESMTPSA id 17F8915A05CE; Wed, 20 Apr 2016 20:13:00 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=greenbytes.de; s=mail; t=1461175980; bh=Wlb1Aby0p2dCJxmBUMst1z1ApDnZbhDsd/UcpT4dJlo=; h=Subject:From:In-Reply-To:Date:Cc:References:To:From; b=kaTn/sbS2KmKfz1MmMMHvTF1P/ILgnYwxGZClumb/CAF9Ml4DB6yeq9cljkaxWR2J 0mNtItO39grdiT7mCFi8xTEYB123XAuFfP1Sej87Esspmjtn1XaqA4Ujeualm6Yj4E HQZ1Wt2g0/HVx/XVg1cXvM5dNJoA1VVSL567zDA0=
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (1.0)
From: Stefan Eissing <stefan.eissing@greenbytes.de>
X-Mailer: iPhone Mail (13E238)
In-Reply-To: <CH1PR03MB1916A8F39DC30316E86C5C52876D0@CH1PR03MB1916.namprd03.prod.outlook.com>
Date: Wed, 20 Apr 2016 20:12:59 +0200
Cc: Michael Kaufmann <mail@michael-kaufmann.ch>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <A9057655-A780-4CC5-A5DD-11E117760194@greenbytes.de>
References: <20160419161634.Horde.7_VYZk5McZE4CAiQrQh-uXr@webmail.michael-kaufmann.ch> <7CF7F94CB496BF4FAB1676F375F9666A2A7CBD72@bgb01xud1012> <BE75D624-3A89-463A-B860-A2E83613C199@lukasa.co.uk> <5CBBE2E0-BA35-42B6-9E19-D658753D593B@greenbytes.de> <825033AC-9E67-4B81-84E6-FC5C67112037@lukasa.co.uk> <57165D31.5070604@treenet.co.nz> <20160419233014.Horde.pDb9tRgUZYP9jgWUZg3sUna@webmail.michael-kaufmann.ch> <CH1PR03MB1916F1E7699825ACC4D741AA876C0@CH1PR03MB1916.namprd03.prod.outlook.com> <91D281BC-F987-488B-AEEB-6F52EE7802AB@greenbytes.de> <CH1PR03MB1916A8F39DC30316E86C5C52876D0@CH1PR03MB1916.namprd03.prod.outlook.com>
To: Mike Bishop <Michael.Bishop@microsoft.com>
Received-SPF: pass client-ip=5.10.171.186; envelope-from=stefan.eissing@greenbytes.de; helo=mail.greenbytes.de
X-W3C-Hub-Spam-Status: No, score=-5.0
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: maggie.w3.org 1aswd2-0005uz-0l 81fe57ddb58aabf61314586e0e2972da
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Is the response header "Upgrade: h2" allowed when TLS is used?
Archived-At: <http://www.w3.org/mid/A9057655-A780-4CC5-A5DD-11E117760194@greenbytes.de>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/31524
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Thanks, Mike. I do not want to fight windmills. It is more an itch that our implementation reads a bit quirky in this case and cohesion ist lost. But you are right: it is what it is. 

> Am 20.04.2016 um 19:01 schrieb Mike Bishop <Michael.Bishop@microsoft.com>:
> 
> I agree with you that using different tokens for the same protocol is a bit silly -- when are we discussing a protocol at one layer versus when are we discussing a stack of protocols?  But that's the way the RFC fell.  
> 
> -----Original Message-----
> From: Stefan Eissing [mailto:stefan.eissing@greenbytes.de] 
> Sent: Wednesday, April 20, 2016 2:46 AM
> To: Mike Bishop <Michael.Bishop@microsoft.com>
> Cc: Michael Kaufmann <mail@michael-kaufmann.ch>; ietf-http-wg@w3.org
> Subject: Re: Is the response header "Upgrade: h2" allowed when TLS is used?
> 
> If backport gets the votes, next Apache httpd release will no longer carry h2 in an Upgrade: announcement. Thanks for your time.
> 
> -Stefan
> 
> PS. Which still does not make sense to me, but seems to be what the specification says...
> 
>> Am 19.04.2016 um 23:47 schrieb Mike Bishop <Michael.Bishop@microsoft.com>:
>> 
>> That would seem reasonable.  Hypothetically, a server could attempt RFC 2817-style Upgrade to TLS and then select "h2" as the ALPN token during the TLS handshake.  A logical flow for carrying the initial request into the h2 context would look a lot like that for h2c -- stream 1 is half-closed and already "contains" the client's initial request.  However, that still wouldn't use an "h2" Upgrade token and isn't actually defined anywhere.
>> 
>> "Upgrade: h2c" or offer Alt-Svc if you want to switch to HTTP/2 on a different, encrypted connection.
>> 
>> -----Original Message-----
>> From: Michael Kaufmann [mailto:mail@michael-kaufmann.ch]
>> Sent: Tuesday, April 19, 2016 2:30 PM
>> To: ietf-http-wg@w3.org
>> Subject: Re: Is the response header "Upgrade: h2" allowed when TLS is used?
>> 
>> Zitat von Amos Jeffries <squid3@treenet.co.nz>:
>> 
>>>> On 20/04/2016 4:07 a.m., Cory Benfield wrote:
>>>> 
>>>> Heh, I missed that. With that note, then, I’d say that Apache should 
>>>> stop putting h2 in the Upgrade header on a TLS-using connection
>>>> *unless* it believes that connection is for a HTTP-schemed URL, when 
>>>> it should put h2c.
>>>> 
>>>> Cory
>>> 
>>> 
>>> I think you are all overlooking the basic details:
>>> 
>>> * RFC 7540 does not govern HTTP/1.1 connections, even TLS ones.
>>> 
>>> * RFC 7540 section 3.2 is about negotiating http:// URLs over non-TLS 
>>> connections.
>>> 
>>> 
>>> When the client has negotiated for HTTP/1.1 over TLS to happen (aka 
>>> HTTPS). It is appropriate to Upgrade:h2. Since RFC 723x applies.
>>> 
>>> 
>>> But when the client negotiates h2c to happen. It is forbidden from 
>>> using
>>> Upgrade:h2 to get to h2. Avoiding the issues Upgrade would have with 
>>> only one-way encryption for the message pair.
>>> 
>>> Note that h2c is also forbidden from being used in ALPN by section 3.3.
>>> So there is no valid way to be using TLS for h2c in the first place.
>>> 
>>> If one is already using h2 it is pointless to Upgrade:h2.
>> 
>> I have just realized that RFC 7540 registers the "h2c" upgrade token 
>> (section 11.8) but it does NOT register an "h2" upgrade token. (it 
>> also registers the identification strings "h2" and "h2c" for ALPN in 
>> section 11.1, but that is a different thing)
>> 
>> The upgrade token "h2" probably does not exist according to the RFCs.  
>> It is also not mentioned here:  
>> http://www.iana.org/assignments/http-upgrade-tokens/http-upgrade-token
>> s.xhtml
>> 
>> So when using TLS, servers should not send "Upgrade: h2" because "h2"  
>> is an undefined upgrade token. And also when using TLS, servers should not send "Upgrade: h2c" because h2c means "HTTP/2 using cleartext TCP", and a connection that uses TLS cannot be "upgraded" to a connection that does not use TLS.
>> 
>> Do you agree...?
>> 
>> Regards,
>> Michael
>

v2.23.0 | Report a Bug | By Email