Posted to cvs@httpd.apache.org by ic...@apache.org on 2022/02/08 13:38:49 UTC

svn commit: r1897872 - in /httpd/httpd/trunk: changes-entries/http2_request_scheme.txt modules/http2/h2_stream.c test/modules/http2/test_003_get.py

Author: icing
Date: Tue Feb  8 13:38:49 2022
New Revision: 1897872

URL: http://svn.apache.org/viewvc?rev=1897872&view=rev
Log:
  *) mod_http2: when a h2 request carries a ':scheme' pseudoheader,
    it gives a 400 response if the scheme does not match the
    connection. Fixes <https://github.com/icing/mod_h2/issues/230>.


Added:
    httpd/httpd/trunk/changes-entries/http2_request_scheme.txt
Modified:
    httpd/httpd/trunk/modules/http2/h2_stream.c
    httpd/httpd/trunk/test/modules/http2/test_003_get.py

Added: httpd/httpd/trunk/changes-entries/http2_request_scheme.txt
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/changes-entries/http2_request_scheme.txt?rev=1897872&view=auto
==============================================================================
--- httpd/httpd/trunk/changes-entries/http2_request_scheme.txt (added)
+++ httpd/httpd/trunk/changes-entries/http2_request_scheme.txt Tue Feb  8 13:38:49 2022
@@ -0,0 +1,3 @@
+  *) mod_http2: when a h2 request carries a ':scheme' pseudoheader,
+    it gives a 400 response if the scheme does not match the
+    connection. Fixes <https://github.com/icing/mod_h2/issues/230>.

Modified: httpd/httpd/trunk/modules/http2/h2_stream.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http2/h2_stream.c?rev=1897872&r1=1897871&r2=1897872&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/http2/h2_stream.c (original)
+++ httpd/httpd/trunk/modules/http2/h2_stream.c Tue Feb  8 13:38:49 2022
@@ -23,6 +23,7 @@
 #include <http_core.h>
 #include <http_connection.h>
 #include <http_log.h>
+#include <http_ssl.h>
 
 #include <nghttp2/nghttp2.h>
 
@@ -773,12 +774,10 @@ apr_status_t h2_stream_end_headers(h2_st
     status = h2_request_end_headers(stream->rtmp, stream->pool, eos, raw_bytes);
     if (APR_SUCCESS == status) {
         set_policy_for(stream, stream->rtmp);
-        stream->request = stream->rtmp;
-        stream->rtmp = NULL;
-        
+
         ctx.maxlen = stream->session->s->limit_req_fieldsize;
         ctx.failed_key = NULL;
-        apr_table_do(table_check_val_len, &ctx, stream->request->headers, NULL);
+        apr_table_do(table_check_val_len, &ctx, stream->rtmp->headers, NULL);
         if (ctx.failed_key) {
             if (!h2_stream_is_ready(stream)) {
                 ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, stream->session->c1,
@@ -790,6 +789,15 @@ apr_status_t h2_stream_end_headers(h2_st
             /* keep on returning APR_SUCCESS, so that we send a HTTP response and
              * do not RST the stream. */
         }
+        if (stream->rtmp->scheme && strcasecmp(stream->rtmp->scheme,
+            ap_ssl_conn_is_ssl(stream->session->c1)? "https" : "http")) {
+                ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, stream->session->c1,
+                              H2_STRM_LOG(APLOGNO(), stream,"Request :scheme '%s' and "
+                              "connection do not match."), stream->rtmp->scheme);
+            set_error_response(stream, HTTP_BAD_REQUEST);
+        }
+        stream->request = stream->rtmp;
+        stream->rtmp = NULL;
     }
     return status;
 }
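Review bot: The added `:scheme` check runs unconditionally after the `ctx.failed_key` branch, so a request that fails both the field-size check and the scheme check presumably ends up with whichever status `set_error_response` records last; the part of the earlier branch that sets its status is not visible between the hunks, so confirm that replacing it with 400 is intended, or chain the new test as `else if (stream->rtmp->scheme && ...)`. The hand-over `stream->request = stream->rtmp; stream->rtmp = NULL;` now has to stay below every check because both checks read `stream->rtmp`, and a comment such as `/* hand rtmp over only after all checks that read or mark it */` would keep a later edit from moving it back up. The `ap_log_cerror` call is indented one level deeper than `set_error_response` in the same block and the condition's continuation line sits at body depth; aligning them would make the extent of the `if` easier to read. `h2_stream_end_headers` begins outside this hunk.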

Modified: httpd/httpd/trunk/test/modules/http2/test_003_get.py
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/test/modules/http2/test_003_get.py?rev=1897872&r1=1897871&r2=1897872&view=diff
==============================================================================
--- httpd/httpd/trunk/test/modules/http2/test_003_get.py (original)
+++ httpd/httpd/trunk/test/modules/http2/test_003_get.py Tue Feb  8 13:38:49 2022
@@ -211,3 +211,11 @@ content-type: text/html
         assert 1024 == len(r.response["body"])
         assert "content-length" in h
         assert clen == h["content-length"]
+
+    # use an invalid scheme
+    def test_h2_003_51(self, env):
+        url = env.mkurl("https", "cgi", "/")
+        opt = ["-H:scheme: http"]
+        r = env.nghttp().get(url, options=opt)
+        assert r.exit_code == 0, r
+        assert r.response['status'] == 400
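Review bot: The comment `# use an invalid scheme` misdescribes the case: `http` is a valid scheme, and what `test_h2_003_51` exercises is a `:scheme` that disagrees with the TLS connection, so `# :scheme does not match the (TLS) connection` would be accurate. Only one direction is covered here; if the test environment also serves cleartext HTTP/2, a mirror case built with `env.mkurl("http", "cgi", "/")` and `-H:scheme: https` would pin the other half of the comparison. A control request that sends the matching `:scheme` and asserts a non-400 status would also show the 400 comes from the mismatch and not from the override option itself. The enclosing test class starts outside the hunk.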



Re: svn commit: r1897872 - in /httpd/httpd/trunk: changes-entries/http2_request_scheme.txt modules/http2/h2_stream.c test/modules/http2/test_003_get.py

Posted by Ruediger Pluem <rp...@apache.org>.

On 2/9/22 11:38 AM, Yann Ylavic wrote:
> On Wed, Feb 9, 2022 at 11:28 AM Ruediger Pluem <rp...@apache.org> wrote:
>>
>> On 2/9/22 10:28 AM, Stefan Eissing wrote:
>>>
>>>> Am 09.02.2022 um 10:15 schrieb Ruediger Pluem <rp...@apache.org>:
>>>>
>>>> On 2/8/22 7:10 PM, Roy T. Fielding wrote:
>>>>> As noted in
>>>>>
>>>>>   https://github.com/icing/mod_h2/issues/230#issuecomment-1032905432
>>>>>
>>>>> This doesn't look right to me. I think what you want is to verify that https is
>>>>> in a secured connection. This should have no effect on other schemes, and
>>>>> certainly not require all schemes to be http or https.
>>>>>
>>>>> Literally, the scheme is a naming system, not a protocol. "http" and "https"
>>>>> and "foo" schemes can be resolved by any protocol that performs requests
>>>>> on an absolute URI, including HTTP/2. "https" only requires the connection
>>>>> to be secured end-to-end.
>>>>
>>>> With respect to our HTTP/1 handling r1895921 http://svn.apache.org/viewvc?view=revision&revision=1895921 added
>>>> a check that the scheme for non forward proxied requests either needs to be http or https, but we don't check
>>>> for a matching with the actual connection whether this is secured or not.
>>>
>>> Thanks for pointing that out, Ruediger. I think I need to change mod_http2 to
>>> populate the uri.scheme when a :scheme header was sent in the request. Then
>>> we have the check in one place.
>>
>> +1 in general, but we should check that :scheme does not contain characters invalid for a scheme.
>> We likely would fail with invalid chars in the check of above revision, but I would feel safer if we never have invalid chars in
>> uri.scheme :-)
> 
> Possibly we could build a full r->the_request in [1] if there is a
> :scheme, and let ap_parse_request_line() validate it.
> 
> [1] https://github.com/apache/httpd/blob/trunk/modules/http2/h2_request.c#L298-L299

Sounds like an option.

Regards

Rüdiger


Re: svn commit: r1897872 - in /httpd/httpd/trunk: changes-entries/http2_request_scheme.txt modules/http2/h2_stream.c test/modules/http2/test_003_get.py

Posted by Yann Ylavic <yl...@gmail.com>.
On Wed, Feb 9, 2022 at 11:28 AM Ruediger Pluem <rp...@apache.org> wrote:
>
> On 2/9/22 10:28 AM, Stefan Eissing wrote:
> >
> >> Am 09.02.2022 um 10:15 schrieb Ruediger Pluem <rp...@apache.org>:
> >>
> >> On 2/8/22 7:10 PM, Roy T. Fielding wrote:
> >>> As noted in
> >>>
> >>>   https://github.com/icing/mod_h2/issues/230#issuecomment-1032905432
> >>>
> >>> This doesn't look right to me. I think what you want is to verify that https is
> >>> in a secured connection. This should have no effect on other schemes, and
> >>> certainly not require all schemes to be http or https.
> >>>
> >>> Literally, the scheme is a naming system, not a protocol. "http" and "https"
> >>> and "foo" schemes can be resolved by any protocol that performs requests
> >>> on an absolute URI, including HTTP/2. "https" only requires the connection
> >>> to be secured end-to-end.
> >>
> >> With respect to our HTTP/1 handling r1895921 http://svn.apache.org/viewvc?view=revision&revision=1895921 added
> >> a check that the scheme for non forward proxied requests either needs to be http or https, but we don't check
> >> for a matching with the actual connection whether this is secured or not.
> >
> > Thanks for pointing that out, Ruediger. I think I need to change mod_http2 to
> > populate the uri.scheme when a :scheme header was sent in the request. Then
> > we have the check in one place.
>
> +1 in general, but we should check that :scheme does not contain characters invalid for a scheme.
> We likely would fail with invalid chars in the check of above revision, but I would feel safer if we never have invalid chars in
> uri.scheme :-)

Possibly we could build a full r->the_request in [1] if there is a
:scheme, and let ap_parse_request_line() validate it.

[1] https://github.com/apache/httpd/blob/trunk/modules/http2/h2_request.c#L298-L299

>
> >
> > The question with matching "http" and "https" concerns:
> > A. do we select the correct server_rec matching the scheme?
> > B. do we want to deny access to https: resources on a non-secured connection?
> >
> > I'll add a test for A. My opinion on B is that we should.
>
> There are probably setups behind SSL terminating LB's that will have the scheme set to https while the request arrives over http
> (from the LB). Hence I am not sure if we should require this and I don't want to propose yet another configuration option to
> disable this check for such cases.

+1

Regards,
Yann.

Re: svn commit: r1897872 - in /httpd/httpd/trunk: changes-entries/http2_request_scheme.txt modules/http2/h2_stream.c test/modules/http2/test_003_get.py

Posted by Ruediger Pluem <rp...@apache.org>.

On 2/9/22 10:28 AM, Stefan Eissing wrote:
> 
> 
>> Am 09.02.2022 um 10:15 schrieb Ruediger Pluem <rp...@apache.org>:
>>
>>
>>
>> On 2/8/22 7:10 PM, Roy T. Fielding wrote:
>>> As noted in
>>>
>>>   https://github.com/icing/mod_h2/issues/230#issuecomment-1032905432
>>>
>>> This doesn't look right to me. I think what you want is to verify that https is
>>> in a secured connection. This should have no effect on other schemes, and
>>> certainly not require all schemes to be http or https.
>>>
>>> Literally, the scheme is a naming system, not a protocol. "http" and "https"
>>> and "foo" schemes can be resolved by any protocol that performs requests
>>> on an absolute URI, including HTTP/2. "https" only requires the connection
>>> to be secured end-to-end.
>>
>> With respect to our HTTP/1 handling r1895921 http://svn.apache.org/viewvc?view=revision&revision=1895921 added
>> a check that the scheme for non forward proxied requests either needs to be http or https, but we don't check
>> for a matching with the actual connection whether this is secured or not.
> 
> Thanks for pointing that out, Ruediger. I think I need to change mod_http2 to
> populate the uri.scheme when a :scheme header was sent in the request. Then
> we have the check in one place.

+1 in general, but we should check that :scheme does not contain characters invalid for a scheme.
We likely would fail with invalid chars in the check of above revision, but I would feel safer if we never have invalid chars in
uri.scheme :-)

> 
> The question with matching "http" and "https" concerns:
> A. do we select the correct server_rec matching the scheme?
> B. do we want to deny access to https: resources on a non-secured connection?
> 
> I'll add a test for A. My opinion on B is that we should.

There are probably setups behind SSL terminating LB's that will have the scheme set to https while the request arrives over http
(from the LB). Hence I am not sure if we should require this and I don't want to propose yet another configuration option to
disable this check for such cases.

Regards

Rüdiger

Re: svn commit: r1897872 - in /httpd/httpd/trunk: changes-entries/http2_request_scheme.txt modules/http2/h2_stream.c test/modules/http2/test_003_get.py

Posted by Stefan Eissing <st...@eissing.org>.

> Am 10.02.2022 um 00:57 schrieb Roy T. Fielding <fi...@gbiv.com>:
> 
>> On Feb 9, 2022, at 1:28 AM, Stefan Eissing <st...@eissing.org> wrote:
>>> Am 09.02.2022 um 10:15 schrieb Ruediger Pluem <rp...@apache.org>:
>>> On 2/8/22 7:10 PM, Roy T. Fielding wrote:
>>>> As noted in
>>>> 
>>>>  https://github.com/icing/mod_h2/issues/230#issuecomment-1032905432
>>>> 
>>>> This doesn't look right to me. I think what you want is to verify that https is
>>>> in a secured connection. This should have no effect on other schemes, and
>>>> certainly not require all schemes to be http or https.
>>>> 
>>>> Literally, the scheme is a naming system, not a protocol. "http" and "https"
>>>> and "foo" schemes can be resolved by any protocol that performs requests
>>>> on an absolute URI, including HTTP/2. "https" only requires the connection
>>>> to be secured end-to-end.
>>> 
>>> With respect to our HTTP/1 handling r1895921 http://svn.apache.org/viewvc?view=revision&revision=1895921 added
>>> a check that the scheme for non forward proxied requests either needs to be http or https, but we don't check
>>> for a matching with the actual connection whether this is secured or not.
>> 
>> Thanks for pointing that out, Ruediger. I think I need to change mod_http2 to
>> populate the uri.scheme when a :scheme header was sent in the request. Then
>> we have the check in one place.
>> 
>> The question with matching "http" and "https" concerns:
>> A. do we select the correct server_rec matching the scheme?
>> B. do we want to deny access to https: resources on a non-secured connection?
>> 
>> I'll add a test for A. My opinion on B is that we should.
>> 
>> Kind Regards,
>> Stefan
> 
> The problem with B is that the TLS parts may have already been removed
> by a trusted gateway or TLS offload device. I don't know how we recognize
> that in our own server config, if at all. Basically, we need the config to state
> that the service URL is https even though the message is just http, and
> we need to be sure that the above check can be overridden by such a config.
> 
> And don't forget that proxies can also receive ftp, ftps, doi, and urn as
> schemes, depending entirely on how the modules are mapped and what
> kinds of clients are being serviced.
> 
> It's important to keep in mind that IETF specs only define the protocol as
> it crosses the Internet. Our server also has to support network configs for
> inside a colo, non-TCP networks, localhost, and symmetric cyphers, etc.
> Hence, some of the TLS-only requirements have no meaning to us outside
> the default config, and shouldn't be enforced by the protocol module.

I hope I got this right in r1897940 now. The gist of the change now is:
- h2 does not deny any :scheme value from becoming a request
- :scheme values that do not match the main connection scheme are forwarded
 in r->the_request as absolute uri to be processed by the generic
 HTTP protocol parsing in ap_parse_request_line(r).
- RFC 7540 requirements on CONNECT method have been added and these also
 use the absolute uri in r->the_request

Kind Regards,
Stefan


Re: svn commit: r1897872 - in /httpd/httpd/trunk: changes-entries/http2_request_scheme.txt modules/http2/h2_stream.c test/modules/http2/test_003_get.py

Posted by "Roy T. Fielding" <fi...@gbiv.com>.
> On Feb 9, 2022, at 1:28 AM, Stefan Eissing <st...@eissing.org> wrote:
>> Am 09.02.2022 um 10:15 schrieb Ruediger Pluem <rp...@apache.org>:
>> On 2/8/22 7:10 PM, Roy T. Fielding wrote:
>>> As noted in
>>> 
>>>  https://github.com/icing/mod_h2/issues/230#issuecomment-1032905432
>>> 
>>> This doesn't look right to me. I think what you want is to verify that https is
>>> in a secured connection. This should have no effect on other schemes, and
>>> certainly not require all schemes to be http or https.
>>> 
>>> Literally, the scheme is a naming system, not a protocol. "http" and "https"
>>> and "foo" schemes can be resolved by any protocol that performs requests
>>> on an absolute URI, including HTTP/2. "https" only requires the connection
>>> to be secured end-to-end.
>> 
>> With respect to our HTTP/1 handling r1895921 http://svn.apache.org/viewvc?view=revision&revision=1895921 added
>> a check that the scheme for non forward proxied requests either needs to be http or https, but we don't check
>> for a matching with the actual connection whether this is secured or not.
> 
> Thanks for pointing that out, Ruediger. I think I need to change mod_http2 to
> populate the uri.scheme when a :scheme header was sent in the request. Then
> we have the check in one place.
> 
> The question with matching "http" and "https" concerns:
> A. do we select the correct server_rec matching the scheme?
> B. do we want to deny access to https: resources on a non-secured connection?
> 
> I'll add a test for A. My opinion on B is that we should.
> 
> Kind Regards,
> Stefan

The problem with B is that the TLS parts may have already been removed
by a trusted gateway or TLS offload device. I don't know how we recognize
that in our own server config, if at all. Basically, we need the config to state
that the service URL is https even though the message is just http, and
we need to be sure that the above check can be overridden by such a config.

And don't forget that proxies can also receive ftp, ftps, doi, and urn as
schemes, depending entirely on how the modules are mapped and what
kinds of clients are being serviced.

It's important to keep in mind that IETF specs only define the protocol as
it crosses the Internet. Our server also has to support network configs for
inside a colo, non-TCP networks, localhost, and symmetric cyphers, etc.
Hence, some of the TLS-only requirements have no meaning to us outside
the default config, and shouldn't be enforced by the protocol module.

....Roy


Re: svn commit: r1897872 - in /httpd/httpd/trunk: changes-entries/http2_request_scheme.txt modules/http2/h2_stream.c test/modules/http2/test_003_get.py

Posted by Stefan Eissing <st...@eissing.org>.

> Am 09.02.2022 um 10:15 schrieb Ruediger Pluem <rp...@apache.org>:
> 
> 
> 
> On 2/8/22 7:10 PM, Roy T. Fielding wrote:
>> As noted in
>> 
>>   https://github.com/icing/mod_h2/issues/230#issuecomment-1032905432
>> 
>> This doesn't look right to me. I think what you want is to verify that https is
>> in a secured connection. This should have no effect on other schemes, and
>> certainly not require all schemes to be http or https.
>> 
>> Literally, the scheme is a naming system, not a protocol. "http" and "https"
>> and "foo" schemes can be resolved by any protocol that performs requests
>> on an absolute URI, including HTTP/2. "https" only requires the connection
>> to be secured end-to-end.
> 
> With respect to our HTTP/1 handling r1895921 http://svn.apache.org/viewvc?view=revision&revision=1895921 added
> a check that the scheme for non forward proxied requests either needs to be http or https, but we don't check
> for a matching with the actual connection whether this is secured or not.

Thanks for pointing that out, Ruediger. I think I need to change mod_http2 to
populate the uri.scheme when a :scheme header was sent in the request. Then
we have the check in one place.

The question with matching "http" and "https" concerns:
A. do we select the correct server_rec matching the scheme?
B. do we want to deny access to https: resources on a non-secured connection?

I'll add a test for A. My opinion on B is that we should.

Kind Regards,
Stefan



Re: svn commit: r1897872 - in /httpd/httpd/trunk: changes-entries/http2_request_scheme.txt modules/http2/h2_stream.c test/modules/http2/test_003_get.py

Posted by Ruediger Pluem <rp...@apache.org>.

On 2/8/22 7:10 PM, Roy T. Fielding wrote:
> As noted in
> 
>    https://github.com/icing/mod_h2/issues/230#issuecomment-1032905432
> 
> This doesn't look right to me. I think what you want is to verify that https is
> in a secured connection. This should have no effect on other schemes, and
> certainly not require all schemes to be http or https.
> 
> Literally, the scheme is a naming system, not a protocol. "http" and "https"
> and "foo" schemes can be resolved by any protocol that performs requests
> on an absolute URI, including HTTP/2. "https" only requires the connection
> to be secured end-to-end.

With respect to our HTTP/1 handling r1895921 http://svn.apache.org/viewvc?view=revision&revision=1895921 added
a check that the scheme for non forward proxied requests either needs to be http or https, but we don't check
for a matching with the actual connection whether this is secured or not.

Regards

Rüdiger


Re: svn commit: r1897872 - in /httpd/httpd/trunk: changes-entries/http2_request_scheme.txt modules/http2/h2_stream.c test/modules/http2/test_003_get.py

Posted by "Roy T. Fielding" <fi...@gbiv.com>.
As noted in

   https://github.com/icing/mod_h2/issues/230#issuecomment-1032905432

This doesn't look right to me. I think what you want is to verify that https is
in a secured connection. This should have no effect on other schemes, and
certainly not require all schemes to be http or https.

Literally, the scheme is a naming system, not a protocol. "http" and "https"
and "foo" schemes can be resolved by any protocol that performs requests
on an absolute URI, including HTTP/2. "https" only requires the connection
to be secured end-to-end.

....Roy



> On Feb 8, 2022, at 5:38 AM, icing@apache.org wrote:
> 
> Author: icing
> Date: Tue Feb  8 13:38:49 2022
> New Revision: 1897872
> 
> URL: http://svn.apache.org/viewvc?rev=1897872&view=rev
> Log:
>  *) mod_http2: when a h2 request carries a ':scheme' pseudoheader,
>    it gives a 400 response if the scheme does not match the
>    connection. Fixes <https://github.com/icing/mod_h2/issues/230>.
> 
> 
> Added:
>    httpd/httpd/trunk/changes-entries/http2_request_scheme.txt
> Modified:
>    httpd/httpd/trunk/modules/http2/h2_stream.c
>    httpd/httpd/trunk/test/modules/http2/test_003_get.py
> 
> Added: httpd/httpd/trunk/changes-entries/http2_request_scheme.txt
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/changes-entries/http2_request_scheme.txt?rev=1897872&view=auto
> ==============================================================================
> --- httpd/httpd/trunk/changes-entries/http2_request_scheme.txt (added)
> +++ httpd/httpd/trunk/changes-entries/http2_request_scheme.txt Tue Feb  8 13:38:49 2022
> @@ -0,0 +1,3 @@
> +  *) mod_http2: when a h2 request carries a ':scheme' pseudoheader,
> +    it gives a 400 response if the scheme does not match the
> +    connection. Fixes <https://github.com/icing/mod_h2/issues/230>.
> 
> Modified: httpd/httpd/trunk/modules/http2/h2_stream.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/http2/h2_stream.c?rev=1897872&r1=1897871&r2=1897872&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/http2/h2_stream.c (original)
> +++ httpd/httpd/trunk/modules/http2/h2_stream.c Tue Feb  8 13:38:49 2022
> @@ -23,6 +23,7 @@
> #include <http_core.h>
> #include <http_connection.h>
> #include <http_log.h>
> +#include <http_ssl.h>
> 
> #include <nghttp2/nghttp2.h>
> 
> @@ -773,12 +774,10 @@ apr_status_t h2_stream_end_headers(h2_st
>     status = h2_request_end_headers(stream->rtmp, stream->pool, eos, raw_bytes);
>     if (APR_SUCCESS == status) {
>         set_policy_for(stream, stream->rtmp);
> -        stream->request = stream->rtmp;
> -        stream->rtmp = NULL;
> -        
> +
>         ctx.maxlen = stream->session->s->limit_req_fieldsize;
>         ctx.failed_key = NULL;
> -        apr_table_do(table_check_val_len, &ctx, stream->request->headers, NULL);
> +        apr_table_do(table_check_val_len, &ctx, stream->rtmp->headers, NULL);
>         if (ctx.failed_key) {
>             if (!h2_stream_is_ready(stream)) {
>                 ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, stream->session->c1,
> @@ -790,6 +789,15 @@ apr_status_t h2_stream_end_headers(h2_st
>             /* keep on returning APR_SUCCESS, so that we send a HTTP response and
>              * do not RST the stream. */
>         }
> +        if (stream->rtmp->scheme && strcasecmp(stream->rtmp->scheme,
> +            ap_ssl_conn_is_ssl(stream->session->c1)? "https" : "http")) {
> +                ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, stream->session->c1,
> +                              H2_STRM_LOG(APLOGNO(), stream,"Request :scheme '%s' and "
> +                              "connection do not match."), stream->rtmp->scheme);
> +            set_error_response(stream, HTTP_BAD_REQUEST);
> +        }
> +        stream->request = stream->rtmp;
> +        stream->rtmp = NULL;
>     }
>     return status;
> }
> 
> Modified: httpd/httpd/trunk/test/modules/http2/test_003_get.py
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/test/modules/http2/test_003_get.py?rev=1897872&r1=1897871&r2=1897872&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/test/modules/http2/test_003_get.py (original)
> +++ httpd/httpd/trunk/test/modules/http2/test_003_get.py Tue Feb  8 13:38:49 2022
> @@ -211,3 +211,11 @@ content-type: text/html
>         assert 1024 == len(r.response["body"])
>         assert "content-length" in h
>         assert clen == h["content-length"]
> +
> +    # use an invalid scheme
> +    def test_h2_003_51(self, env):
> +        url = env.mkurl("https", "cgi", "/")
> +        opt = ["-H:scheme: http"]
> +        r = env.nghttp().get(url, options=opt)
> +        assert r.exit_code == 0, r
> +        assert r.response['status'] == 400
> 
>