Re: Is the response header "Upgrade: h2" allowed when TLS is used?

Cory Benfield <cory@lukasa.co.uk> Tue, 19 April 2016 16:12 UTC

From: Cory Benfield <cory@lukasa.co.uk>
Date: Tue, 19 Apr 2016 17:07:53 +0100
To: Stefan Eissing <stefan.eissing@greenbytes.de>
Cc: Lucas Pardue <Lucas.Pardue@bbc.co.uk>, "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
Subject: Re: Is the response header "Upgrade: h2" allowed when TLS is used?
In-Reply-To: <5CBBE2E0-BA35-42B6-9E19-D658753D593B@greenbytes.de>
Message-Id: <825033AC-9E67-4B81-84E6-FC5C67112037@lukasa.co.uk>
References: <20160419161634.Horde.7_VYZk5McZE4CAiQrQh-uXr@webmail.michael-kaufmann.ch> <7CF7F94CB496BF4FAB1676F375F9666A2A7CBD72@bgb01xud1012> <BE75D624-3A89-463A-B860-A2E83613C199@lukasa.co.uk> <5CBBE2E0-BA35-42B6-9E19-D658753D593B@greenbytes.de>
Archived-At: <http://www.w3.org/mid/825033AC-9E67-4B81-84E6-FC5C67112037@lukasa.co.uk>

> On 19 Apr 2016, at 17:05, Stefan Eissing <stefan.eissing@greenbytes.de> wrote:
> 
>> 
>> On 19.04.2016 at 17:29, Cory Benfield <cory@lukasa.co.uk> wrote:
>> 
>> 
>>> On 19 Apr 2016, at 16:16, Lucas Pardue <Lucas.Pardue@bbc.co.uk> wrote:
>>> 
>>> Stefan and Daniel point out that the server uses the Upgrade header to "advertise support" for h2. RFC 7230 Section 6.7 [5] states that the server MAY send the Upgrade header. It seems to me like Apache is technically compliant. On an https connection this information shouldn't be used to perform an HTTP upgrade to h2, since that is invalid (but a client issue not a server one). On an http connection the info could be used by the client e.g. they decide to negotiate an h2 session using ALPN.
>> 
>> I don’t think that’s really a good way to read this section of RFC 7230. The first sentence in this section is 'The "Upgrade" header field is intended to provide a simple mechanism for transitioning from HTTP/1.1 to some other protocol on the same connection.’. Note that phrase “on the same connection”. I’d argue, based on that, that the server-sent Upgrade header should only list protocols that the server is willing to upgrade to *on that connection*.
> 
> The mechanism is there and could be used. I do not know of a client which can, though...
> 
> And rfc 7540, ch. 3.2 says: "A server MUST ignore an "h2" token in an Upgrade header field. Presence of a token with "h2" implies HTTP/2 over TLS, which is instead negotiated as described in Section 3.3."
> 
> Reading that, a server can never support this. So, we are in violation... rebels, almost...

Heh, I missed that. With that note, then, I’d say that Apache should stop putting h2 in the Upgrade header on a TLS-using connection *unless* it believes that connection is for an HTTP-schemed URL, when it should put h2c.

Cory
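
The rules discussed in this thread, as an added illustration that is not code from the thread, from Apache, or from any RFC: RFC 7540 section 3.2 makes "h2c" the cleartext Upgrade token, says a server MUST ignore an "h2" token in an Upgrade header field, and leaves HTTP/2 over TLS to ALPN (section 3.3); the advertising rule encoded in `server_advertised_upgrade` is the one Cory proposes above, not Apache's actual behaviour. Function names and the sample header values are hypothetical.

```python
"""Handling "h2" / "h2c" in the HTTP/1.1 Upgrade header field.

Added example, not code from the mailing-list thread, Apache or an RFC.
Function names and sample field values are hypothetical; the rules are
RFC 7230 s6.7 (Upgrade syntax) and RFC 7540 s3.2 / s3.3 (h2c vs. ALPN).
"""
from __future__ import annotations

# RFC 7540 s3.2: "h2c" is the token for an in-connection Upgrade to HTTP/2 over
# cleartext TCP; "h2" implies HTTP/2 over TLS, negotiated with ALPN (s3.3).
H2_CLEARTEXT = "h2c"
H2_TLS = "h2"


def parse_upgrade(field_value: str) -> list[str]:
    """Split an Upgrade field value (RFC 7230 list syntax, 1#protocol) into
    protocol tokens such as "h2c" or "HTTP/2.0".  Empty list elements, which
    the list syntax tolerates, are dropped."""
    return [elem.strip() for elem in field_value.split(",") if elem.strip()]


def protocol_name(token: str) -> str:
    """protocol = protocol-name ["/" protocol-version]; the version part is
    not relevant to the h2/h2c decision.  Names are lower-cased before
    comparison here as a defensive choice (the RFCs define the tokens in
    lower case)."""
    return token.split("/", 1)[0].lower()


def server_filter_request_upgrade(field_value: str) -> list[str]:
    """Server side: RFC 7540 s3.2 says a server MUST ignore an "h2" token in
    an Upgrade header field, so it is removed before the server picks a
    protocol to switch to.  "h2c" and unrelated protocols are kept."""
    return [t for t in parse_upgrade(field_value) if protocol_name(t) != H2_TLS]


def server_advertised_upgrade(tls: bool, request_scheme: str,
                              can_upgrade_h2c: bool) -> str | None:
    """Server side: the rule Cory proposes above (illustrated, not Apache's
    code).  Returns the Upgrade field value to send, or None to omit it.

    - TLS connection carrying https-scheme requests: advertise no HTTP/2
      token; the client already knows the answer from ALPN.
    - Otherwise (cleartext, or a TLS connection the server believes carries
      http-scheme requests): advertise "h2c", but only if the server is really
      willing to upgrade on this very connection ("on the same connection",
      RFC 7230 s6.7).
    """
    if not can_upgrade_h2c:
        return None
    if tls and request_scheme == "https":
        return None
    return H2_CLEARTEXT


def client_accepts_h2_upgrade(tls: bool, response_upgrade: str) -> bool:
    """Client side: a switch to HTTP/2 via Upgrade is only valid to "h2c" on a
    cleartext connection.  An "Upgrade: h2" seen over TLS (the Apache
    behaviour discussed in the thread) must not trigger an upgrade attempt;
    HTTP/2 over TLS is negotiated by ALPN, not by this field."""
    names = {protocol_name(t) for t in parse_upgrade(response_upgrade)}
    return (not tls) and H2_CLEARTEXT in names


if __name__ == "__main__":
    # Constructed sample field values, not captured traffic.
    print(server_filter_request_upgrade("h2, h2c, HTTP/2.0"))       # ['h2c', 'HTTP/2.0']
    print(server_advertised_upgrade(tls=True, request_scheme="https",
                                    can_upgrade_h2c=True))          # None
    print(server_advertised_upgrade(tls=False, request_scheme="http",
                                    can_upgrade_h2c=True))          # h2c
    print(client_accepts_h2_upgrade(tls=True, response_upgrade="h2"))   # False
    print(client_accepts_h2_upgrade(tls=False, response_upgrade="h2c")) # True
```

The client check is the practical takeaway for anyone writing an HTTP/1.1 client that can speak HTTP/2: treat "h2" in a server's Upgrade field as noise, and only ever attempt the 101 Switching Protocols path for "h2c" on a connection that is not TLS.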