Posted to cvs@httpd.apache.org by ic...@apache.org on 2015/10/15 15:14:38 UTC

svn commit: r1708815 - in /httpd/httpd/trunk: docs/manual/mod/mod_http2.xml modules/http2/h2_config.c modules/http2/h2_config.h modules/http2/h2_conn.c modules/http2/h2_h2.c modules/http2/h2_h2.h modules/http2/h2_switch.c

Author: icing
Date: Thu Oct 15 13:14:37 2015
New Revision: 1708815

URL: http://svn.apache.org/viewvc?rev=1708815&view=rev
Log:
changed H2Compliance to H2ModernTLSOnly, added description in module docs

Modified:
    httpd/httpd/trunk/docs/manual/mod/mod_http2.xml
    httpd/httpd/trunk/modules/http2/h2_config.c
    httpd/httpd/trunk/modules/http2/h2_config.h
    httpd/httpd/trunk/modules/http2/h2_conn.c
    httpd/httpd/trunk/modules/http2/h2_h2.c
    httpd/httpd/trunk/modules/http2/h2_h2.h
    httpd/httpd/trunk/modules/http2/h2_switch.c

Modified: httpd/httpd/trunk/docs/manual/mod/mod_http2.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_http2.xml?rev=1708815&r1=1708814&r2=1708815&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_http2.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_http2.xml Thu Oct 15 13:14:37 2015
@@ -297,4 +297,51 @@
         </usage>
     </directivesynopsis>
 
+    <directivesynopsis>
+        <name>H2ModernTLSOnly</name>
+        <description>Require HTTP/2 connections to be "modern TLS" only</description>
+        <syntax>H2ModernTLSOnly on|off</syntax>
+        <default>H2ModernTLSOnly on</default>
+        <contextlist>
+            <context>server config</context>
+            <context>virtual host</context>
+        </contextlist>
+        
+        <usage>
+            <p>
+                This directive toggles the security checks on HTTP/2 connections
+                in TLS mode (https:). This can be used server wide or for specific
+                <directive module="core" type="section">VirtualHost</directive>s. 
+            </p>
+            <p>
+                The security checks require that the TSL protocol is at least
+                TLSv1.2 and that none of the ciphers listed in RFC 7540, Appendix A
+                is used. These checks will be extended once new security requirements
+                come into place.
+            </p>
+            <p>
+                The name stems from the 
+                <a href="https://wiki.mozilla.org/Security/Server_Side_TLS">Security/Server Side TLS</a>
+                definitions at mozilla where "modern compatiblity" is defined. Mozilla Firefox and
+                other browsers require modern compatiblity for HTTP/2 connections. As everything
+                in OpSec, this is a moving target and can be expected to evolve in the future.
+            </p>
+            <p>
+                One purpose of having these checks in mod_http2 is to enforce this
+                security level for all connections, not only those from browsers. The other
+                purpose is to prevent the negotiation of HTTP/2 as a protocol should
+                the requirements not be met.
+            </p>
+            <p>
+                Ultimately, the security of the TLS connection is determined by the
+                server configuration directives for mod_ssl.
+            </p>
+            <example><title>Example</title>
+                <highlight language="config">
+                    H2ModernTLSOnly off
+                </highlight>
+            </example>
+        </usage>
+    </directivesynopsis>
+
 </modulesynopsis>

Modified: httpd/httpd/trunk/modules/http2/h2_config.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http2/h2_config.c?rev=1708815&r1=1708814&r2=1708815&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/http2/h2_config.c (original)
+++ httpd/httpd/trunk/modules/http2/h2_config.c Thu Oct 15 13:14:37 2015
@@ -49,7 +49,7 @@ static h2_config defconf = {
     0,                /* serialize headers */
     0,                /* h2 direct mode */
     -1,               /* # session extra files */
-    1,                /* rfc 7540 compliance */
+    1,                /* modern TLS only */
 };
 
 static int files_per_session = 0;
@@ -101,7 +101,7 @@ static void *h2_config_create(apr_pool_t
     conf->serialize_headers    = DEF_VAL;
     conf->h2_direct            = DEF_VAL;
     conf->session_extra_files  = DEF_VAL;
-    conf->rfc_compliance       = DEF_VAL;
+    conf->modern_tls_only      = DEF_VAL;
     return conf;
 }
 
@@ -140,7 +140,7 @@ void *h2_config_merge(apr_pool_t *pool,
     n->serialize_headers = H2_CONFIG_GET(add, base, serialize_headers);
     n->h2_direct      = H2_CONFIG_GET(add, base, h2_direct);
     n->session_extra_files = H2_CONFIG_GET(add, base, session_extra_files);
-    n->rfc_compliance = H2_CONFIG_GET(add, base, rfc_compliance);
+    n->modern_tls_only = H2_CONFIG_GET(add, base, modern_tls_only);
     
     return n;
 }
@@ -165,8 +165,8 @@ int h2_config_geti(h2_config *conf, h2_c
             return H2_CONFIG_GET(conf, &defconf, alt_svc_max_age);
         case H2_CONF_SER_HEADERS:
             return H2_CONFIG_GET(conf, &defconf, serialize_headers);
-        case H2_CONF_COMPLIANCE:
-            return H2_CONFIG_GET(conf, &defconf, rfc_compliance);
+        case H2_CONF_MODERN_TLS_ONLY:
+            return H2_CONFIG_GET(conf, &defconf, modern_tls_only);
         case H2_CONF_DIRECT:
             return H2_CONFIG_GET(conf, &defconf, h2_direct);
         case H2_CONF_SESSION_FILES:
@@ -337,16 +337,16 @@ static const char *h2_conf_set_direct(cm
     return "value must be On or Off";
 }
 
-static const char *h2_conf_set_compliance(cmd_parms *parms,
-                                          void *arg, const char *value)
+static const char *h2_conf_set_modern_tls_only(cmd_parms *parms,
+                                               void *arg, const char *value)
 {
     h2_config *cfg = h2_config_sget(parms->server);
     if (!strcasecmp(value, "On")) {
-        cfg->rfc_compliance = 1;
+        cfg->modern_tls_only = 1;
         return NULL;
     }
     else if (!strcasecmp(value, "Off")) {
-        cfg->rfc_compliance = 0;
+        cfg->modern_tls_only = 0;
         return NULL;
     }
     
@@ -376,8 +376,8 @@ const command_rec h2_cmds[] = {
                   RSRC_CONF, "set the maximum age (in seconds) that client can rely on alt-svc information"),
     AP_INIT_TAKE1("H2SerializeHeaders", h2_conf_set_serialize_headers, NULL,
                   RSRC_CONF, "on to enable header serialization for compatibility"),
-    AP_INIT_TAKE1("H2Compliance", h2_conf_set_compliance, NULL,
-                  RSRC_CONF, "off to disable strict compliance to RFC 7540"),
+    AP_INIT_TAKE1("H2ModernTLSOnly", h2_conf_set_modern_tls_only, NULL,
+                  RSRC_CONF, "off to not impose RFC 7540 restrictions on TLS"),
     AP_INIT_TAKE1("H2Direct", h2_conf_set_direct, NULL,
                   RSRC_CONF, "on to enable direct HTTP/2 mode"),
     AP_INIT_TAKE1("H2SessionExtraFiles", h2_conf_set_session_extra_files, NULL,

Modified: httpd/httpd/trunk/modules/http2/h2_config.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http2/h2_config.h?rev=1708815&r1=1708814&r2=1708815&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/http2/h2_config.h (original)
+++ httpd/httpd/trunk/modules/http2/h2_config.h Thu Oct 15 13:14:37 2015
@@ -34,7 +34,7 @@ typedef enum {
     H2_CONF_SER_HEADERS,
     H2_CONF_DIRECT,
     H2_CONF_SESSION_FILES,
-    H2_CONF_COMPLIANCE,
+    H2_CONF_MODERN_TLS_ONLY,
 } h2_config_var_t;
 
 /* Apache httpd module configuration for h2. */
@@ -52,7 +52,7 @@ typedef struct h2_config {
                                      processing, better compatibility */
     int h2_direct;                /* if mod_h2 is active directly */
     int session_extra_files;      /* # of extra files a session may keep open */  
-    int rfc_compliance;           /* Comply with all aspects of RFC 7540 */  
+    int modern_tls_only;          /* Accept only modern TLS in HTTP/2 connections */  
 } h2_config;
 
 

Modified: httpd/httpd/trunk/modules/http2/h2_conn.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http2/h2_conn.c?rev=1708815&r1=1708814&r2=1708815&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/http2/h2_conn.c (original)
+++ httpd/httpd/trunk/modules/http2/h2_conn.c Thu Oct 15 13:14:37 2015
@@ -178,7 +178,7 @@ apr_status_t h2_conn_main(conn_rec *c)
         return APR_EGENERAL;
     }
     
-    if (!h2_is_security_compliant(c, 1)) {
+    if (!h2_is_acceptable_connection(c, 1)) {
         nghttp2_submit_goaway(session->ngh2, NGHTTP2_FLAG_NONE, 0,
                               NGHTTP2_INADEQUATE_SECURITY, NULL, 0);
     } 

Modified: httpd/httpd/trunk/modules/http2/h2_h2.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http2/h2_h2.c?rev=1708815&r1=1708814&r2=1708815&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/http2/h2_h2.c (original)
+++ httpd/httpd/trunk/modules/http2/h2_h2.c Thu Oct 15 13:14:37 2015
@@ -445,13 +445,14 @@ int h2_tls_disable(conn_rec *c)
     return 0;
 }
 
-int h2_is_security_compliant(conn_rec *c, int require_all) 
+int h2_is_acceptable_connection(conn_rec *c, int require_all) 
 {
     int is_tls = h2_h2_is_tls(c);
     h2_config *cfg = h2_config_get(c);
 
-    if (is_tls && h2_config_geti(cfg, H2_CONF_COMPLIANCE) > 0) {
-        /* Check TLS connection for RFC 7540 compliance
+    if (is_tls && h2_config_geti(cfg, H2_CONF_MODERN_TLS_ONLY) > 0) {
+        /* Check TLS connection for modern TLS parameters, as defined in
+         * RFC 7540 and https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
          */
         apr_pool_t *pool = c->pool;
         server_rec *s = c->base_server;
@@ -581,27 +582,37 @@ int h2_h2_process_conn(conn_rec* c)
                     char *s = NULL;
                     apr_size_t slen;
                     
-                    if (!temp) {
-                        temp = apr_brigade_create(c->pool, c->bucket_alloc);
-                    }
-                    status = ap_get_brigade(c->input_filters, temp,
-                                            AP_MODE_SPECULATIVE, APR_BLOCK_READ, 24);
-                    if (status == APR_SUCCESS) {
-                        apr_brigade_pflatten(temp, &s, &slen, c->pool);
-                        if ((slen >= 24) && !memcmp(H2_MAGIC_TOKEN, s, 24)) {
-                            ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, c,
-                                          "h2_h2, direct mode detected");
-                            h2_ctx_protocol_set(ctx, is_tls? "h2" : "h2c");
+                    /* 
+                     * Verify that all connection requirements are met. 
+                     */
+                    if (h2_is_acceptable_connection(c, 1)) {
+                        if (!temp) {
+                            temp = apr_brigade_create(c->pool, c->bucket_alloc);
+                        }
+                        status = ap_get_brigade(c->input_filters, temp,
+                                                AP_MODE_SPECULATIVE, APR_BLOCK_READ, 24);
+                        if (status == APR_SUCCESS) {
+                            apr_brigade_pflatten(temp, &s, &slen, c->pool);
+                            if ((slen >= 24) && !memcmp(H2_MAGIC_TOKEN, s, 24)) {
+                                ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, c,
+                                              "h2_h2, direct mode detected");
+                                h2_ctx_protocol_set(ctx, is_tls? "h2" : "h2c");
+                            }
+                            else {
+                                ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
+                                              "h2_h2, not detected in %d bytes: %s", 
+                                              (int)slen, s);
+                            }
                         }
                         else {
-                            ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
-                                          "h2_h2, not detected in %d bytes: %s", 
-                                          (int)slen, s);
+                            ap_log_cerror(APLOG_MARK, APLOG_DEBUG, status, c,
+                                          "h2_h2, error reading 24 bytes speculative");
                         }
                     }
                     else {
                         ap_log_cerror(APLOG_MARK, APLOG_DEBUG, status, c,
-                                      "h2_h2, error reading 24 bytes speculative");
+                                      "h2_h2, passed on direct mode, connection"
+                                      " does not meet requirements");
                     }
                 }
             }
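Review bot: The new outer `else` branch (the "passed on direct mode" log) passes `status` to ap_log_cerror, but on that path no speculative read has been attempted, so the value is whatever an earlier call left in it (`status` is declared outside the hunk) and the log line can carry an unrelated error code; pass 0 there: `ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,`. Separately, the "not detected" trace prints the speculatively read bytes with `%s`, yet apr_brigade_pflatten returns `slen` bytes and, as far as I recall, does not append a NUL, so the format may read past the buffer and also dumps raw client bytes into the log; `"h2_h2, not detected in %d bytes: %.*s", (int)slen, (int)slen, s` bounds it. That line predates this commit and is only re-indented here, but it is worth fixing while the block is being touched. h2_h2_process_conn starts and ends outside the hunk.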

Modified: httpd/httpd/trunk/modules/http2/h2_h2.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http2/h2_h2.h?rev=1708815&r1=1708814&r2=1708815&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/http2/h2_h2.h (original)
+++ httpd/httpd/trunk/modules/http2/h2_h2.h Thu Oct 15 13:14:37 2015
@@ -54,15 +54,15 @@ int h2_tls_disable(conn_rec *c);
 void h2_h2_register_hooks(void);
 
 /**
- * Check if the given connection fulfills the security requirements
- * of RFC 7540.
+ * Check if the given connection fulfills the (security) requirements
+ * defined in the configuration.
  * @param c the connection
  * @param require_all != 0 iff any missing connection properties make
  *    the test fail. For example, a cipher might not have been selected while
  *    the handshake is still ongoing.
  * @return != 0 iff security requirements are met
  */
-int h2_is_security_compliant(conn_rec *c, int require_all);
+int h2_is_acceptable_connection(conn_rec *c, int require_all);
 
 
 #endif /* defined(__mod_h2__h2_h2__) */
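Review bot: The reworded header comment says the requirements are "defined in the configuration" without naming which setting, and the @return line still speaks of "security requirements"; naming the directive makes the contract findable from the header alone, e.g. ` * Check if the given connection fulfills the requirements imposed by` / ` * H2ModernTLSOnly; the TLS checks apply only when the connection is TLS` / ` * and that directive is on, see h2_h2.c.`. The actual version and cipher checks live in h2_h2.c outside this hunk, so the header comment should state the contract rather than duplicate the list.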

Modified: httpd/httpd/trunk/modules/http2/h2_switch.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http2/h2_switch.c?rev=1708815&r1=1708814&r2=1708815&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/http2/h2_switch.c (original)
+++ httpd/httpd/trunk/modules/http2/h2_switch.c Thu Oct 15 13:14:37 2015
@@ -63,9 +63,9 @@ static int h2_protocol_propose(conn_rec
         return DECLINED;
     }
     
-    if (!h2_is_security_compliant(c, 0)) {
+    if (!h2_is_acceptable_connection(c, 0)) {
         ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
-                      "protocol propose: security requirements not met, declined");
+                      "protocol propose: connection requirements not met");
         return DECLINED;
     }