authorStefan Eissing <icing@apache.org>2015-10-15 15:14:37 +0200
committerStefan Eissing <icing@apache.org>2015-10-15 15:14:37 +0200
commit8e878dc842d24d2c3edb91ff756b332710d88aac (patch)
tree76b919bf446532f7dfb30b3ace0d9a321c22fa5d /modules/http2
parentmod_http2: new directive H2Compliance on/off, checking TLS protocol and ciphe... (diff)
changed H2Compliance to H2ModernTLSOnly, added description in module docs
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1708815 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'modules/http2')
-rw-r--r--modules/http2/h2_config.c22
-rw-r--r--modules/http2/h2_config.h4
-rw-r--r--modules/http2/h2_conn.c2
-rw-r--r--modules/http2/h2_h2.c47
-rw-r--r--modules/http2/h2_h2.h6
-rw-r--r--modules/http2/h2_switch.c4
6 files changed, 48 insertions, 37 deletions
diff --git a/modules/http2/h2_config.c b/modules/http2/h2_config.c
index 85f8125488..45741ca712 100644
--- a/modules/http2/h2_config.c
+++ b/modules/http2/h2_config.c
@@ -49,7 +49,7 @@ static h2_config defconf = {
0, /* serialize headers */
0, /* h2 direct mode */
-1, /* # session extra files */
- 1, /* rfc 7540 compliance */
+ 1, /* modern TLS only */
};
static int files_per_session = 0;
@@ -101,7 +101,7 @@ static void *h2_config_create(apr_pool_t *pool,
conf->serialize_headers = DEF_VAL;
conf->h2_direct = DEF_VAL;
conf->session_extra_files = DEF_VAL;
- conf->rfc_compliance = DEF_VAL;
+ conf->modern_tls_only = DEF_VAL;
return conf;
}
@@ -140,7 +140,7 @@ void *h2_config_merge(apr_pool_t *pool, void *basev, void *addv)
n->serialize_headers = H2_CONFIG_GET(add, base, serialize_headers);
n->h2_direct = H2_CONFIG_GET(add, base, h2_direct);
n->session_extra_files = H2_CONFIG_GET(add, base, session_extra_files);
- n->rfc_compliance = H2_CONFIG_GET(add, base, rfc_compliance);
+ n->modern_tls_only = H2_CONFIG_GET(add, base, modern_tls_only);
return n;
}
@@ -165,8 +165,8 @@ int h2_config_geti(h2_config *conf, h2_config_var_t var)
return H2_CONFIG_GET(conf, &defconf, alt_svc_max_age);
case H2_CONF_SER_HEADERS:
return H2_CONFIG_GET(conf, &defconf, serialize_headers);
- case H2_CONF_COMPLIANCE:
- return H2_CONFIG_GET(conf, &defconf, rfc_compliance);
+ case H2_CONF_MODERN_TLS_ONLY:
+ return H2_CONFIG_GET(conf, &defconf, modern_tls_only);
case H2_CONF_DIRECT:
return H2_CONFIG_GET(conf, &defconf, h2_direct);
case H2_CONF_SESSION_FILES:
@@ -337,16 +337,16 @@ static const char *h2_conf_set_direct(cmd_parms *parms,
return "value must be On or Off";
}
-static const char *h2_conf_set_compliance(cmd_parms *parms,
- void *arg, const char *value)
+static const char *h2_conf_set_modern_tls_only(cmd_parms *parms,
+ void *arg, const char *value)
{
h2_config *cfg = h2_config_sget(parms->server);
if (!strcasecmp(value, "On")) {
- cfg->rfc_compliance = 1;
+ cfg->modern_tls_only = 1;
return NULL;
}
else if (!strcasecmp(value, "Off")) {
- cfg->rfc_compliance = 0;
+ cfg->modern_tls_only = 0;
return NULL;
}
@@ -376,8 +376,8 @@ const command_rec h2_cmds[] = {
RSRC_CONF, "set the maximum age (in seconds) that client can rely on alt-svc information"),
AP_INIT_TAKE1("H2SerializeHeaders", h2_conf_set_serialize_headers, NULL,
RSRC_CONF, "on to enable header serialization for compatibility"),
- AP_INIT_TAKE1("H2Compliance", h2_conf_set_compliance, NULL,
- RSRC_CONF, "off to disable strict compliance to RFC 7540"),
+ AP_INIT_TAKE1("H2ModernTLSOnly", h2_conf_set_modern_tls_only, NULL,
+ RSRC_CONF, "off to not impose RFC 7540 restrictions on TLS"),
AP_INIT_TAKE1("H2Direct", h2_conf_set_direct, NULL,
RSRC_CONF, "on to enable direct HTTP/2 mode"),
AP_INIT_TAKE1("H2SessionExtraFiles", h2_conf_set_session_extra_files, NULL,
diff --git a/modules/http2/h2_config.h b/modules/http2/h2_config.h
index 60e1d089c1..83d899f5ab 100644
--- a/modules/http2/h2_config.h
+++ b/modules/http2/h2_config.h
@@ -34,7 +34,7 @@ typedef enum {
H2_CONF_SER_HEADERS,
H2_CONF_DIRECT,
H2_CONF_SESSION_FILES,
- H2_CONF_COMPLIANCE,
+ H2_CONF_MODERN_TLS_ONLY,
} h2_config_var_t;
/* Apache httpd module configuration for h2. */
@@ -52,7 +52,7 @@ typedef struct h2_config {
processing, better compatibility */
int h2_direct; /* if mod_h2 is active directly */
int session_extra_files; /* # of extra files a session may keep open */
- int rfc_compliance; /* Comply with all aspects of RFC 7540 */
+ int modern_tls_only; /* Accept only modern TLS in HTTP/2 connections */
} h2_config;
diff --git a/modules/http2/h2_conn.c b/modules/http2/h2_conn.c
index 82d11c721b..c2feeefdf7 100644
--- a/modules/http2/h2_conn.c
+++ b/modules/http2/h2_conn.c
@@ -178,7 +178,7 @@ apr_status_t h2_conn_main(conn_rec *c)
return APR_EGENERAL;
}
- if (!h2_is_security_compliant(c, 1)) {
+ if (!h2_is_acceptable_connection(c, 1)) {
nghttp2_submit_goaway(session->ngh2, NGHTTP2_FLAG_NONE, 0,
NGHTTP2_INADEQUATE_SECURITY, NULL, 0);
}
diff --git a/modules/http2/h2_h2.c b/modules/http2/h2_h2.c
index a707d2a75f..a1dcb2b81e 100644
--- a/modules/http2/h2_h2.c
+++ b/modules/http2/h2_h2.c
@@ -445,13 +445,14 @@ int h2_tls_disable(conn_rec *c)
return 0;
}
-int h2_is_security_compliant(conn_rec *c, int require_all)
+int h2_is_acceptable_connection(conn_rec *c, int require_all)
{
int is_tls = h2_h2_is_tls(c);
h2_config *cfg = h2_config_get(c);
- if (is_tls && h2_config_geti(cfg, H2_CONF_COMPLIANCE) > 0) {
- /* Check TLS connection for RFC 7540 compliance
+ if (is_tls && h2_config_geti(cfg, H2_CONF_MODERN_TLS_ONLY) > 0) {
+ /* Check TLS connection for modern TLS parameters, as defined in
+ * RFC 7540 and https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility
*/
apr_pool_t *pool = c->pool;
server_rec *s = c->base_server;
@@ -581,27 +582,37 @@ int h2_h2_process_conn(conn_rec* c)
char *s = NULL;
apr_size_t slen;
- if (!temp) {
- temp = apr_brigade_create(c->pool, c->bucket_alloc);
- }
- status = ap_get_brigade(c->input_filters, temp,
- AP_MODE_SPECULATIVE, APR_BLOCK_READ, 24);
- if (status == APR_SUCCESS) {
- apr_brigade_pflatten(temp, &s, &slen, c->pool);
- if ((slen >= 24) && !memcmp(H2_MAGIC_TOKEN, s, 24)) {
- ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, c,
- "h2_h2, direct mode detected");
- h2_ctx_protocol_set(ctx, is_tls? "h2" : "h2c");
+ /*
+ * Verify that all connection requirements are met.
+ */
+ if (h2_is_acceptable_connection(c, 1)) {
+ if (!temp) {
+ temp = apr_brigade_create(c->pool, c->bucket_alloc);
+ }
+ status = ap_get_brigade(c->input_filters, temp,
+ AP_MODE_SPECULATIVE, APR_BLOCK_READ, 24);
+ if (status == APR_SUCCESS) {
+ apr_brigade_pflatten(temp, &s, &slen, c->pool);
+ if ((slen >= 24) && !memcmp(H2_MAGIC_TOKEN, s, 24)) {
+ ap_log_cerror(APLOG_MARK, APLOG_TRACE1, 0, c,
+ "h2_h2, direct mode detected");
+ h2_ctx_protocol_set(ctx, is_tls? "h2" : "h2c");
+ }
+ else {
+ ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
+ "h2_h2, not detected in %d bytes: %s",
+ (int)slen, s);
+ }
}
else {
- ap_log_cerror(APLOG_MARK, APLOG_TRACE2, 0, c,
- "h2_h2, not detected in %d bytes: %s",
- (int)slen, s);
+ ap_log_cerror(APLOG_MARK, APLOG_DEBUG, status, c,
+ "h2_h2, error reading 24 bytes speculative");
}
}
else {
ap_log_cerror(APLOG_MARK, APLOG_DEBUG, status, c,
- "h2_h2, error reading 24 bytes speculative");
+ "h2_h2, passed on direct mode, connection"
+ " does not meet requirements");
}
}
}
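Review bot: The `status` handed to ap_log_cerror on the new "passed on direct mode" branch (the unchanged call two lines above the added message) is no longer set by ap_get_brigade, because that read now sits inside the `h2_is_acceptable_connection` branch; unless `status` is initialized earlier in h2_h2_process_conn (the function starts and ends outside the hunk), the log line reports a stale or indeterminate error code. Pass `0` there, as the DEBUG log in h2_switch.c does: `ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,`. Separately, the re-indented TRACE2 line prints `s` with `%s` even though apr_brigade_pflatten does not NUL-terminate the flattened buffer and those bytes come straight from the peer; bounding the read with the known length avoids an over-read, e.g. `"h2_h2, not detected in %d bytes: %.*s", (int)slen, (int)slen, s`.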
diff --git a/modules/http2/h2_h2.h b/modules/http2/h2_h2.h
index fd08caa34b..6a7c416c90 100644
--- a/modules/http2/h2_h2.h
+++ b/modules/http2/h2_h2.h
@@ -54,15 +54,15 @@ int h2_tls_disable(conn_rec *c);
void h2_h2_register_hooks(void);
/**
- * Check if the given connection fulfills the security requirements
- * of RFC 7540.
+ * Check if the given connection fulfills the (security) requirements
+ * defined in the configuration.
* @param c the connection
* @param require_all != 0 iff any missing connection properties make
* the test fail. For example, a cipher might not have been selected while
* the handshake is still ongoing.
* @return != 0 iff security requirements are met
*/
-int h2_is_security_compliant(conn_rec *c, int require_all);
+int h2_is_acceptable_connection(conn_rec *c, int require_all);
#endif /* defined(__mod_h2__h2_h2__) */
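Review bot: The rewritten doc comment says the requirements are "defined in the configuration", but the implementation in h2_h2.c applies them only when the connection is TLS and H2ModernTLSOnly is on, so a cleartext connection always passes regardless of configuration; callers that decide on INADEQUATE_SECURITY (h2_conn.c) should be able to read that from the header. Suggest adding after the first sentence: ` * Only TLS connections are checked, and only while H2ModernTLSOnly is on;` / ` * cleartext (h2c) connections always pass.`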
diff --git a/modules/http2/h2_switch.c b/modules/http2/h2_switch.c
index b21a621e47..0dd43f3295 100644
--- a/modules/http2/h2_switch.c
+++ b/modules/http2/h2_switch.c
@@ -63,9 +63,9 @@ static int h2_protocol_propose(conn_rec *c, request_rec *r,
return DECLINED;
}
- if (!h2_is_security_compliant(c, 0)) {
+ if (!h2_is_acceptable_connection(c, 0)) {
ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c,
- "protocol propose: security requirements not met, declined");
+ "protocol propose: connection requirements not met");
return DECLINED;
}