RE: Is the response header "Upgrade: h2" allowed when TLS is used?

Lucas Pardue <Lucas.Pardue@bbc.co.uk> Tue, 19 April 2016 15:21 UTC

Archived-At: <http://www.w3.org/mid/7CF7F94CB496BF4FAB1676F375F9666A2A7CBD72@bgb01xud1012>

Hi,

Michael Kaufmann wrote:
> I have a question regarding the "Upgrade" header. The HTTP/2 specification
> says:
> > A server MUST ignore an "h2" token in an Upgrade header field.
> > Presence of a token with "h2" implies HTTP/2 over TLS, which is
> > instead negotiated as described in Section 3.3.
>
> Does this imply that a server must not (or should not) send an
> "Upgrade: h2" response header to clients?
>
> This question is important for Apache httpd, because version 2.4.20 sends
> such an "Upgrade: h2" response header to clients that speak HTTP/1.x. Other
> HTTP/2 server software does not (e.g. nginx, Google's and Twitter's web
> servers).
>
> Related Apache httpd issue:
> https://bz.apache.org/bugzilla/show_bug.cgi?id=59311

There seems to be some back story here that is not immediately exposed. I found it interesting to read through, but to save others some effort, take a look at [1], [2] and [3]. This seems to be a bug with how NodeJS (as a client) handles the Upgrade header, which has been fixed but may not be backported to older versions [4].

Stefan and Daniel point out that the server uses the Upgrade header to "advertise support" for h2. RFC 7230 Section 6.7 [5] states that the server MAY send the Upgrade header. It seems to me like Apache is technically compliant. On an https connection this information shouldn't be used to perform an HTTP upgrade to h2, since that is invalid (but a client issue not a server one). On an http connection the info could be used by the client e.g. they decide to negotiate an h2 session using ALPN.

Lucas

[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=58971
[2] https://github.com/icing/mod_h2/issues/73
[3] https://github.com/nodejs/node/issues/4334
[4] https://github.com/nodejs/node/pull/4337
[5] http://tools.ietf.org/html/rfc7230#section-6.7


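The distinction drawn in the message above (an Upgrade response header as an advertisement versus an actual protocol switch), sketched as client-side logic. This is an added example, not code from the thread, Apache httpd or Node.js; the function names, the `overTls` field and the returned action and hint strings are hypothetical, and rejecting a 101 response that names `h2` is a choice made for this example.

```javascript
// Added example: decide what a client may do with an "Upgrade" response header.
// All names here are hypothetical; the sample responses are constructed.

// Split an Upgrade field value into protocol tokens. RFC 7230 Section 6.7
// recommends case-insensitive matching of protocol names, so lowercase them.
function parseUpgradeTokens(value) {
  if (typeof value !== 'string') return [];
  return value.split(',')
    .map((t) => t.trim().toLowerCase())
    .filter((t) => t.length > 0);
}

// response: { statusCode, headers (lowercased names), overTls }
function classifyUpgrade({ statusCode, headers, overTls }) {
  const tokens = parseUpgradeTokens(headers.upgrade);
  if (tokens.length === 0) return { action: 'none', tokens, hints: [] };

  // Only a 101 response means the connection is changing protocol.
  if (statusCode === 101) {
    // "h2" means HTTP/2 over TLS, which is negotiated with ALPN and never
    // through an HTTP Upgrade, so this example refuses such a switch.
    const action = tokens.includes('h2') ? 'protocol-error' : 'switch-protocol';
    return { action, tokens, hints: [] };
  }
  if (statusCode === 426) return { action: 'upgrade-required', tokens, hints: [] };

  // Any other status: the server is only advertising what it supports.
  // The current connection keeps speaking HTTP/1.x.
  const hints = [];
  if (tokens.includes('h2')) hints.push('may-try-alpn-h2-on-new-tls-connection');
  if (tokens.includes('h2c') && !overTls) hints.push('may-request-h2c-upgrade');
  return { action: 'advertisement', tokens, hints };
}

// Constructed sample responses, not captured traffic.
const samples = [
  { statusCode: 200, headers: { upgrade: 'h2' }, overTls: true },
  { statusCode: 200, headers: { upgrade: 'h2, h2c' }, overTls: false },
  { statusCode: 101, headers: { upgrade: 'h2c' }, overTls: false },
  { statusCode: 101, headers: { upgrade: 'H2' }, overTls: true },
];
for (const s of samples) {
  console.log(s.statusCode, s.headers.upgrade, '->', classifyUpgrade(s).action);
}
```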