nodejs/node

http2: cannot negotiate ALPN besides http/1.1

Open

#26,835 创建于 2019年3月21日

在 GitHub 查看
 (10 评论) (0 反应) (0 负责人)JavaScript (35,535 fork)batch import
help wantedhttp2stale

仓库指标

Star
 (117,218 star)
PR 合并指标
 (平均合并 18天 17小时) (30 天内合并 219 个 PR)

描述

The documentation for 'unknownProtocol' says this:

The 'unknownProtocol' event is emitted when a connecting client fails to negotiate an allowed protocol (i.e. HTTP/2 or HTTP/1.1). The event handler receives the socket for handling. If no listener is registered for this event, the connection is terminated.

The logic seems wrong though. It only passes through nothing (no protocol negotiated) or http/1.1, everything else is ignored:

https://github.com/nodejs/node/blob/11f8024d992c385d3db196ab64678311bfdabd84/lib/internal/http2/core.js#L2614-L2634

Caveat: if the check is loosened, care should be taken not to introduce an information leak.

For an attacker it should not be possible to deduce whether the server has { allowHTTP1: true } and an 'unknownProtocol' listener installed by sending messages with the ALPN proto set to http/1.1 and e.g. hax/13.37, and then comparing the responses he gets back.

贡献者指南