
net/http: HTTP/2 cipher suites validation #14622

Closed
trajber opened this issue Mar 3, 2016 · 3 comments

trajber commented Mar 3, 2016

If tls.Config.CipherSuites is set with an invalid sequence and the http.Server.TLSConfig is set with it, the http.Server.Serve method returns an error.

Since http.Server.Start will update the http.Server.TLSConfig if it can, why doesn't the http.Server.Serve method return an error when an invalid cipher sequence is used, as in the following example?

http://play.golang.org/p/KGe4oi_6Eh

rakyll changed the title from "HTTP/2 cipher suites validation" to "net/http: HTTP/2 cipher suites validation" on Mar 3, 2016

rakyll commented Mar 3, 2016

/cc @bradfitz

bradfitz self-assigned this Apr 10, 2016
bradfitz added this to the Go1.7 milestone Apr 10, 2016
@bradfitz (Contributor) commented

why doesn't the http.Server.Serve method return an error when an invalid cipher sequence is used, as in the following example?

Because you used different *tls.Config values for the http.Server and the TLS listener you manually created and passed to http.Server.Serve(net.Listener). Note that crypto/tls.NewListener doesn't return an inspectable type. The http package can't tell what its TLS config is.

There's not much we can do here. At least we'll catch it later at connection accept time. Good enough.

What you can do though is not pass different TLS configs. Or just use ListenAndServeTLS and don't worry about creating your own listener.
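A runnable illustration of the two code paths contrasted above, added here as an example and not code from the issue or from the Go project: with the *tls.Config on http.Server.TLSConfig, ServeTLS validates the HTTP/2 cipher requirements before it ever accepts a connection; with the config handed only to tls.NewListener and that listener passed to Serve, net/http has nothing to inspect and a bad list is first noticed at accept/handshake time. The fakeListener, tlsConfig helper, serve* functions and cipher lists are constructed for this example; Accept fails immediately, so nothing listens on the network.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net"
	"net/http"
	"strings"
)

// fakeListener (constructed here) replaces a real net.Listener: Accept fails at once, so
// the code runs offline and Serve returns right after any up-front checks net/http makes.
type fakeListener struct{}
var errNoAccept = errors.New("fakeListener: nothing to accept")
func (fakeListener) Accept() (net.Conn, error) { return nil, errNoAccept }
func (fakeListener) Close() error              { return nil }
func (fakeListener) Addr() net.Addr            { return &net.TCPAddr{IP: net.IPv4(127, 0, 0, 1)} }

// tlsConfig holds a TLS 1.0-1.2 cipher list; GetCertificate satisfies ServeTLS's
// "has a certificate" check without key material (no handshake ever runs here).
func tlsConfig(suites []uint16) *tls.Config {
	return &tls.Config{CipherSuites: suites,
		GetCertificate: func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
			return nil, errors.New("no certificate in this example")
		}}
}

// serveTLSError: the config sits on http.Server.TLSConfig and ServeTLS builds the
// listener itself, so net/http checks the HTTP/2 cipher requirements before Accept.
func serveTLSError(suites []uint16) error {
	srv := &http.Server{Handler: http.NotFoundHandler(), TLSConfig: tlsConfig(suites)}
	return srv.ServeTLS(fakeListener{}, "", "")
}

// serveOwnListenerError: the config goes only to tls.NewListener, the Server has
// nothing to inspect, and a bad list is first noticed at accept/handshake time.
func serveOwnListenerError(suites []uint16) error {
	srv := &http.Server{Handler: http.NotFoundHandler()}
	return srv.Serve(tls.NewListener(fakeListener{}, tlsConfig(suites)))
}

// isH2CipherError: net/http's up-front rejection; stoppedAtAccept: no validation fired.
func isH2CipherError(err error) bool { return err != nil && strings.Contains(err.Error(), "CipherSuites") }
func stoppedAtAccept(err error) bool { return errors.Is(err, errNoAccept) }
var badSuites = []uint16{tls.TLS_RSA_WITH_AES_128_CBC_SHA} // lacks the HTTP/2-required AES-128-GCM suite
var goodSuites = []uint16{tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}

func main() {
	fmt.Println("ServeTLS, bad list:", serveTLSError(badSuites))
	fmt.Println("ServeTLS, good list:", serveTLSError(goodSuites))
	fmt.Println("Serve(own listener), bad list:", serveOwnListenerError(badSuites))
}
```

Running it prints the http2 cipher-suite error for the first call and the fake listener's accept error for the other two, which is exactly the "caught later at connection accept time" behaviour described above.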

@odeke-em (Member) commented

Yep, thanks @bradfitz for confirming this. I tried solving this last weekend, but in vain, with the same conclusion that we can inspect the listener from crypto/tls.NewListener.

golang locked and limited conversation to collaborators May 18, 2017