Skip to content

tls,http2: send fatal alert on ALPN mismatch #44031

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 13, 2022
Merged

tls,http2: send fatal alert on ALPN mismatch #44031

merged 1 commit into from
Aug 13, 2022

Conversation

@tniessen
Copy link
Member

@tniessen tniessen commented Jul 28, 2022
edited
Loading

To comply with RFC 7301, make TLS servers send a fatal alert during the TLS handshake if both the client and the server are configured to use ALPN and if the server does not support any of the protocols advertised by the client.

It is expected that a server will have a list of protocols that it supports, in preference order, and will only select a protocol if the client supports it. In that case, the server SHOULD select the most highly preferred protocol that it supports and that is also advertised by the client. In the event that the server supports no protocols that the client advertises, then the server SHALL respond with a fatal "no_application_protocol" alert.

enum {
    no_application_protocol(120),
    (255)
} AlertDescription;

This affects HTTP/2 servers. Until now, applications could intercept the 'unknownProtocol' event when the client either did not advertise any protocols or if the list of protocols advertised by the client did not include HTTP/2 (or HTTP/1.1 if allowHTTP1 was true). With this change, only the first case can be handled, and the 'unknownProtocol' event will not be emitted in the second case because the TLS handshake fails and no secure connection is established.

I am marking this as semver-major because it changes existing behavior in a potentially breaking way.

@nodejs/http2 It seems that the HTTP/2 server implementation has a few tricks up its sleeve for when ALPN does not match (switching to HTTP/1.1, sending an informational HTTP/1.0 message, destroying the connection...). Please review these changes carefully.

@tniessen tniessen added tls Issues and PRs related to the tls subsystem. semver-major PRs that contain breaking changes and should be released in the next major version. http2 Issues or PRs related to the http2 subsystem. labels Jul 28, 2022
@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Jul 28, 2022
edited by tniessen
Loading

Review requested:

  • @nodejs/crypto
  • @nodejs/http
  • @nodejs/http2
  • @nodejs/net
  • @nodejs/tsc

@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. crypto Issues and PRs related to the crypto subsystem. needs-ci PRs that need a full CI run. labels Jul 28, 2022
@tniessen tniessen force-pushed the tls-http2-alpn-fatal branch from f26be98 to 3aa1c80 Compare July 28, 2022 22:01
@tniessen
tls,http2: send fatal alert on ALPN mismatch
21958e4 
To comply with RFC 7301, make TLS servers send a fatal alert during the
TLS handshake if both the client and the server are configured to use
ALPN and if the server does not support any of the protocols advertised
by the client.

This affects HTTP/2 servers. Until now, applications could intercept the
'unknownProtocol' event when the client either did not advertise any
protocols or if the list of protocols advertised by the client did not
include HTTP/2 (or HTTP/1.1 if allowHTTP1 was true). With this change,
only the first case can be handled, and the 'unknownProtocol' event will
not be emitted in the second case because the TLS handshake fails and no
secure connection is established.
@tniessen tniessen force-pushed the tls-http2-alpn-fatal branch from 3aa1c80 to 21958e4 Compare July 28, 2022 22:04
@tniessen tniessen added the security Issues and PRs related to security. label Jul 28, 2022
ShogunPanda
ShogunPanda approved these changes Jul 29, 2022
View reviewed changes
Copy link
Contributor

@ShogunPanda ShogunPanda left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

mcollina
mcollina approved these changes Jul 29, 2022
View reviewed changes
Copy link
Member

@mcollina mcollina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@tniessen tniessen added the request-ci Add this label to start a Jenkins CI on a PR. label Jul 29, 2022
RafaelGSS
RafaelGSS approved these changes Jul 29, 2022
View reviewed changes
Copy link
Member

@RafaelGSS RafaelGSS left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Jul 29, 2022
@nodejs-github-bot
Copy link
Collaborator

nodejs-github-bot commented Jul 29, 2022

CI: https://ci.nodejs.org/job/node-test-pull-request/45727/

@tniessen tniessen added the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Jul 29, 2022
@mcollina mcollina added commit-queue-squash Add this label to instruct the Commit Queue to squash all the PR commits into the first one. commit-queue Add this label to land a pull request using GitHub Actions. labels Jul 29, 2022
@nodejs-github-bot nodejs-github-bot added commit-queue-failed An error occurred while landing this pull request using GitHub Actions. and removed commit-queue Add this label to land a pull request using GitHub Actions. labels Jul 29, 2022
@nodejs-github-bot

This comment was marked as outdated.

Sign in to view
@tniessen
Copy link
Member Author

tniessen commented Jul 29, 2022

cc @nodejs/tsc since this is semver-major.

@tniessen tniessen added review wanted PRs that need reviews. and removed commit-queue-failed An error occurred while landing this pull request using GitHub Actions. commit-queue-squash Add this label to instruct the Commit Queue to squash all the PR commits into the first one. labels Jul 29, 2022
@tniessen
Copy link
Member Author

tniessen commented Aug 2, 2022

CitGM: https://ci.nodejs.org/view/Node.js-citgm/job/citgm-smoker/2976/

@tniessen
Copy link
Member Author

tniessen commented Aug 6, 2022

ping @nodejs/tsc @jasnell

mcollina
mcollina approved these changes Aug 7, 2022
View reviewed changes
Copy link
Member

@mcollina mcollina left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@tniessen tniessen removed the review wanted PRs that need reviews. label Aug 14, 2022
@RafaelGSS RafaelGSS mentioned this pull request Sep 13, 2022
Merged
@pimterry pimterry mentioned this pull request Oct 18, 2022
Closed
@pimterry pimterry mentioned this pull request May 26, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mcollina mcollina mcollina approved these changes

@ShogunPanda ShogunPanda ShogunPanda approved these changes

@Trott Trott Trott approved these changes

@cjihrig cjihrig cjihrig approved these changes

@RafaelGSS RafaelGSS RafaelGSS approved these changes

Assignees

No one assigned

Labels

author ready PRs that have at least one approval, no pending requests for changes, and a CI started. c++ Issues and PRs that require attention from people who are familiar with C++. commit-queue-squash Add this label to instruct the Commit Queue to squash all the PR commits into the first one. crypto Issues and PRs related to the crypto subsystem. http2 Issues or PRs related to the http2 subsystem. needs-ci PRs that need a full CI run. security Issues and PRs related to security. semver-major PRs that contain breaking changes and should be released in the next major version. tls Issues and PRs related to the tls subsystem.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

7 participants

@tniessen @nodejs-github-bot @mcollina @ShogunPanda @Trott @cjihrig @RafaelGSS