Posted to dev@httpd.apache.org by "Joel J. Smith" <js...@novell.com> on 2005/03/10 18:56:23 UTC

More on TLS Upgrade: Should httpd enforce good client behavior?

There are two more issues that I would like to address on the TLS 
Upgrade feature.

1.  RFC 2817 explicitly states that if the request comes in from an 
HTTP/1.0 (or earlier) client that the Upgrade header should be 
removed/ignored since: (a) there is no provision for Connection: Upgrade 
until HTTP/1.1 and (b) there is a possibility that an HTTP/1.1 client 
sent the request through an HTTP/1.0 proxy.  Since TLS Upgrade is a 
hop-by-hop feature, if a client requested an upgrade with its proxy, but 
the proxy passed the headers on to httpd, the resulting behavior would 
be at best, not what the client had in mind, and at worst, a broken 
connection.  So, the long and the short of it is: should httpd enforce 
that only HTTP/1.1 (or looking forward, newer) clients be allowed to 
upgrade?  I think that this is an obvious yes.

2.  With svn commit of ssl_engine_io.c ver 109499, the check for 
"Connection: Upgrade" was deemed unnecessary and removed.  RFC 2616 
(Section 14.42) says that:

    The Upgrade header field only applies to the immediate connection.
    Therefore, the upgrade keyword MUST be supplied within a Connection
    header field (section 14.10) whenever Upgrade is present in an HTTP/1.1
    message.

So a client MUST send something like:
    Connection: Upgrade
    Upgrade: TLS/1.0
or it is considered a broken implementation.  I have no problem 
supporting broken implementations (especially if it's easier/faster than 
enforcing, as is the case here) as long as there are no unintended 
side-effects.

The only side effect I could see is this:  HTTP/1.1 proxies that don't 
support this feature are supposed to remove the Upgrade token from the 
"Connection: Upgrade" header and remove the Upgrade header entirely.  If 
it does that, then everything will work as expected.  If it only removes 
the Upgrade token from the Connection header, but leaves the Upgrade 
header intact, then the same thing described in #1 above would happen. 
Granted, only a broken proxy implementation would allow this to happen.

So it boils down to this: Enforcing the presence of the "Connection: 
Upgrade" header would break TLS Upgrading clients that don't behave 
correctly.  Not enforcing it could allow broken behavior for compliant 
clients when using a broken proxy.

My opinion is that httpd should enforce the header since I trust clients 
who add this feature to get it right more than I trust proxies who may 
not understand this part of HTTP/1.1 to get it right.  Comments?

Joel
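
The two checks discussed in this message, written out as an added example that is not part of the original post and is not httpd's code. The function name `tls_upgrade_allowed`, its parameters and the sample requests are assumptions made for illustration; matching the Upgrade value case-insensitively is this example's choice.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* 1 if the comma-separated header value `list` contains `token`
 * (case-insensitive, optional whitespace around items), else 0. */
static int has_token(const char *list, const char *token)
{
    size_t tlen = strlen(token);
    if (list == NULL)
        return 0;
    while (*list) {
        while (*list == ',' || isspace((unsigned char)*list))
            list++;
        const char *start = list;
        while (*list && *list != ',')
            list++;
        const char *end = list;
        while (end > start && isspace((unsigned char)end[-1]))
            end--;
        if ((size_t)(end - start) == tlen && strncasecmp(start, token, tlen) == 0)
            return 1;
    }
    return 0;
}

/* Hypothetical policy check, not an httpd function. */
int tls_upgrade_allowed(int major, int minor,
                        const char *connection, const char *upgrade)
{
    /* Issue 1: HTTP/1.0 or earlier never gets an upgrade. */
    if (major < 1 || (major == 1 && minor < 1))
        return 0;
    /* Issue 2: Upgrade is hop-by-hop, so it must be named in Connection;
     * a forwarded Upgrade header without the token is ignored. */
    if (!has_token(connection, "Upgrade"))
        return 0;
    return has_token(upgrade, "TLS/1.0");
}

int main(void)
{
    /* Constructed requests: compliant client, 1.0 hop, stripped token. */
    printf("%d\n", tls_upgrade_allowed(1, 1, "Upgrade", "TLS/1.0"));
    printf("%d\n", tls_upgrade_allowed(1, 0, "Upgrade", "TLS/1.0"));
    printf("%d\n", tls_upgrade_allowed(1, 1, "keep-alive", "TLS/1.0"));
    return 0;
}
```

The third call is the broken-proxy case from the message: the Upgrade token was stripped from Connection but the Upgrade header was forwarded, so the request is served without upgrading.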