IETF Logo Mail Archive

Re: Is the response header "Upgrade: h2" allowed when TLS is used?

Michael Kaufmann <mail@michael-kaufmann.ch> Tue, 19 April 2016 21:35 UTC

Return-Path: <ietf-http-wg-request+bounce-httpbisa-archive-bis2juki=lists.ie@listhub.w3.org>
X-Original-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Delivered-To: ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DBFD412E7CD for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 19 Apr 2016 14:35:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.917
X-Spam-Level:
X-Spam-Status: No, score=-7.917 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.996, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QagYAcl_adNw for <ietfarch-httpbisa-archive-bis2Juki@ietfa.amsl.com>; Tue, 19 Apr 2016 14:35:24 -0700 (PDT)
Received: from frink.w3.org (frink.w3.org [128.30.52.56]) (using TLSv1.2 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 232A712E7BF for <httpbisa-archive-bis2Juki@lists.ietf.org>; Tue, 19 Apr 2016 14:35:24 -0700 (PDT)
Received: from lists by frink.w3.org with local (Exim 4.80) (envelope-from <ietf-http-wg-request@listhub.w3.org>) id 1asdEQ-00075D-SJ for ietf-http-wg-dist@listhub.w3.org; Tue, 19 Apr 2016 21:30:50 +0000
Resent-Date: Tue, 19 Apr 2016 21:30:50 +0000
Resent-Message-Id: <E1asdEQ-00075D-SJ@frink.w3.org>
Received: from maggie.w3.org ([128.30.52.39]) by frink.w3.org with esmtps (TLS1.2:DHE_RSA_AES_128_CBC_SHA1:128) (Exim 4.80) (envelope-from <mail@michael-kaufmann.ch>) id 1asdEM-00074W-4U for ietf-http-wg@listhub.w3.org; Tue, 19 Apr 2016 21:30:46 +0000
Received: from lookie3.hostorama.com ([80.74.148.208]) by maggie.w3.org with esmtps (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from <mail@michael-kaufmann.ch>) id 1asdEJ-0004hh-Hs for ietf-http-wg@w3.org; Tue, 19 Apr 2016 21:30:45 +0000
Received: from lookie.metanet.ch (localhost [127.0.0.1]) by lookie3.hostorama.com (Postfix) with ESMTPSA id C2C82AE00B4 for <ietf-http-wg@w3.org>; Tue, 19 Apr 2016 23:30:14 +0200 (CEST)
Received: from 84-75-83-91.dclient.hispeed.ch (84-75-83-91.dclient.hispeed.ch [84.75.83.91]) by webmail.michael-kaufmann.ch (Horde Framework) with HTTP; Tue, 19 Apr 2016 23:30:14 +0200
Date: Tue, 19 Apr 2016 23:30:14 +0200
Message-ID: <20160419233014.Horde.pDb9tRgUZYP9jgWUZg3sUna@webmail.michael-kaufmann.ch>
From: Michael Kaufmann <mail@michael-kaufmann.ch>
To: ietf-http-wg@w3.org
References: <20160419161634.Horde.7_VYZk5McZE4CAiQrQh-uXr@webmail.michael-kaufmann.ch> <7CF7F94CB496BF4FAB1676F375F9666A2A7CBD72@bgb01xud1012> <BE75D624-3A89-463A-B860-A2E83613C199@lukasa.co.uk> <5CBBE2E0-BA35-42B6-9E19-D658753D593B@greenbytes.de> <825033AC-9E67-4B81-84E6-FC5C67112037@lukasa.co.uk> <57165D31.5070604@treenet.co.nz>
In-Reply-To: <57165D31.5070604@treenet.co.nz>
User-Agent: Horde Application Framework 5
Content-Type: text/plain; charset="utf-8"; format="flowed"; DelSp="Yes"
MIME-Version: 1.0
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Received-SPF: none client-ip=80.74.148.208; envelope-from=mail@michael-kaufmann.ch; helo=lookie3.hostorama.com
X-W3C-Hub-Spam-Status: No, score=-4.6
X-W3C-Hub-Spam-Report: BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, W3C_AA=-1, W3C_WL=-1
X-W3C-Scan-Sig: maggie.w3.org 1asdEJ-0004hh-Hs a9175711dc048d1e39a32aa6023dc16b
X-Original-To: ietf-http-wg@w3.org
Subject: Re: Is the response header "Upgrade: h2" allowed when TLS is used?
Archived-At: <http://www.w3.org/mid/20160419233014.Horde.pDb9tRgUZYP9jgWUZg3sUna@webmail.michael-kaufmann.ch>
Resent-From: ietf-http-wg@w3.org
X-Mailing-List: <ietf-http-wg@w3.org> archive/latest/31516
X-Loop: ietf-http-wg@w3.org
Resent-Sender: ietf-http-wg-request@w3.org
Precedence: list
List-Id: <ietf-http-wg.w3.org>
List-Help: <http://www.w3.org/Mail/>
List-Post: <mailto:ietf-http-wg@w3.org>
List-Unsubscribe: <mailto:ietf-http-wg-request@w3.org?subject=unsubscribe>

Zitat von Amos Jeffries <squid3@treenet.co.nz>:

> On 20/04/2016 4:07 a.m., Cory Benfield wrote:
>>
>> Heh, I missed that. With that note, then, I’d say that Apache should
>> stop putting h2 in the Upgrade header on a TLS-using connection
>> *unless* it believes that connection is for a HTTP-schemed URL, when
>> it should put h2c.
>>
>> Cory
>>
>
>
> I think you are all overlooking the basic details:
>
> * RFC 7540 does not govern HTTP/1.1 connections, even TLS ones.
>
> * RFC 7540 section 3.2 is about negotiating http:// URLs over non-TLS
> connections.
>
>
> When the client has negotiated for HTTP/1.1 over TLS to happen (aka
> HTTPS). It is appropriate to Upgrade:h2. Since RFC 723x applies.
>
>
> But when the client negotiates h2c to happen. It is forbidden from using
> Upgrade:h2 to get to h2. Avoiding the issues Upgrade would have with
> only one-way encryption for the message pair.
>
> Note that h2c is also forbidden from being used in ALPN by section 3.3.
> So there is no valid way to be using TLS for h2c in the first place.
>
> If one is already using h2 it is pointless to Upgrade:h2.
>

I have just realized that RFC 7540 registers the "h2c" upgrade token  
(section 11.8) but it does NOT register an "h2" upgrade token. (it  
also registers the identification strings "h2" and "h2c" for ALPN in  
section 11.1, but that is a different thing)

The upgrade token "h2" probably does not exist according to the RFCs.  
It is also not mentioned here:  
http://www.iana.org/assignments/http-upgrade-tokens/http-upgrade-tokens.xhtml

So when using TLS, servers should not send "Upgrade: h2" because "h2"  
is an undefined upgrade token. And also when using TLS, servers should  
not send "Upgrade: h2c" because h2c means "HTTP/2 using cleartext  
TCP", and a connection that uses TLS cannot be "upgraded" to a  
connection that does not use TLS.

Do you agree...?

Regards,
Michael

v2.23.0 | Report a Bug | By Email