mirror of
https://gitee.com/openharmony/third_party_nghttp2
synced 2024-11-23 07:50:02 +00:00
Replace black-list with block-list
nghttpx --no-http2-cipher-black-list and --client-no-http2-cipher-black-list are deprecated and replaced with --no-http2-cipher-block-list and --client-no-http2-cipher-block-list respectively.
This commit is contained in:
parent
617a5766a2
commit
cef458c31c
@ -445,10 +445,10 @@ nghttpx server accepts any of the identity and secret pairs in the
|
||||
file. The default cipher suite list does not contain PSK cipher
|
||||
suites. In order to use PSK, PSK cipher suite must be enabled by
|
||||
using :option:`--ciphers` option. The desired PSK cipher suite may be
|
||||
listed in `HTTP/2 cipher black list
|
||||
listed in `HTTP/2 cipher block list
|
||||
<https://tools.ietf.org/html/rfc7540#appendix-A>`_. In order to use
|
||||
such PSK cipher suite with HTTP/2, disable HTTP/2 cipher black list by
|
||||
using :option:`--no-http2-cipher-black-list` option. But you should
|
||||
such PSK cipher suite with HTTP/2, disable HTTP/2 cipher block list by
|
||||
using :option:`--no-http2-cipher-block-list` option. But you should
|
||||
understand its implications.
|
||||
|
||||
At the time of writing, even if only PSK cipher suites are specified
|
||||
@ -468,10 +468,10 @@ used, like so:
|
||||
The default cipher suite list does not contain PSK cipher suites. In
|
||||
order to use PSK, PSK cipher suite must be enabled by using
|
||||
:option:`--client-ciphers` option. The desired PSK cipher suite may
|
||||
be listed in `HTTP/2 cipher black list
|
||||
be listed in `HTTP/2 cipher block list
|
||||
<https://tools.ietf.org/html/rfc7540#appendix-A>`_. In order to use
|
||||
such PSK cipher suite with HTTP/2, disable HTTP/2 cipher black list by
|
||||
using :option:`--client-no-http2-cipher-black-list` option. But you
|
||||
such PSK cipher suite with HTTP/2, disable HTTP/2 cipher block list by
|
||||
using :option:`--client-no-http2-cipher-block-list` option. But you
|
||||
should understand its implications.
|
||||
|
||||
TLSv1.3
|
||||
@ -516,10 +516,10 @@ As of nghttpx v1.19.0, :option:`--ciphers` option only changes cipher
|
||||
list for frontend TLS connection. In order to change cipher list for
|
||||
backend connection, use :option:`--client-ciphers` option.
|
||||
|
||||
Similarly, :option:`--no-http2-cipher-black-list` option only disables
|
||||
HTTP/2 cipher black list for frontend connection. In order to disable
|
||||
HTTP/2 cipher black list for backend connection, use
|
||||
:option:`--client-no-http2-cipher-black-list` option.
|
||||
Similarly, :option:`--no-http2-cipher-block-list` option only disables
|
||||
HTTP/2 cipher block list for frontend connection. In order to disable
|
||||
HTTP/2 cipher block list for backend connection, use
|
||||
:option:`--client-no-http2-cipher-block-list` option.
|
||||
|
||||
``--accept-proxy-protocol`` option was deprecated. Instead, use
|
||||
``proxyproto`` parameter in :option:`--frontend` option to enable
|
||||
|
@ -113,6 +113,7 @@ OPTIONS = [
|
||||
"max-request-header-fields",
|
||||
"header-field-buffer",
|
||||
"max-header-fields",
|
||||
"no-http2-cipher-block-list",
|
||||
"no-http2-cipher-black-list",
|
||||
"backend-http1-tls",
|
||||
"tls-session-cache-memcached-cert-file",
|
||||
@ -155,6 +156,7 @@ OPTIONS = [
|
||||
"frontend-keep-alive-timeout",
|
||||
"psk-secrets",
|
||||
"client-psk-secrets",
|
||||
"client-no-http2-cipher-block-list",
|
||||
"client-no-http2-cipher-black-list",
|
||||
"client-ciphers",
|
||||
"accesslog-write-early",
|
||||
|
33
src/shrpx.cc
33
src/shrpx.cc
@ -2388,16 +2388,16 @@ SSL/TLS:
|
||||
TLS HTTP/2 backends.
|
||||
Default: )"
|
||||
<< util::duration_str(config->tls.dyn_rec.idle_timeout) << R"(
|
||||
--no-http2-cipher-black-list
|
||||
Allow black listed cipher suite on frontend HTTP/2
|
||||
--no-http2-cipher-block-list
|
||||
Allow block listed cipher suite on frontend HTTP/2
|
||||
connection. See
|
||||
https://tools.ietf.org/html/rfc7540#appendix-A for the
|
||||
complete HTTP/2 cipher suites black list.
|
||||
--client-no-http2-cipher-black-list
|
||||
Allow black listed cipher suite on backend HTTP/2
|
||||
complete HTTP/2 cipher suites block list.
|
||||
--client-no-http2-cipher-block-list
|
||||
Allow block listed cipher suite on backend HTTP/2
|
||||
connection. See
|
||||
https://tools.ietf.org/html/rfc7540#appendix-A for the
|
||||
complete HTTP/2 cipher suites black list.
|
||||
complete HTTP/2 cipher suites block list.
|
||||
--tls-sct-dir=<DIR>
|
||||
Specifies the directory where *.sct files exist. All
|
||||
*.sct files in <DIR> are read, and sent as
|
||||
@ -2416,9 +2416,9 @@ SSL/TLS:
|
||||
are skipped. The default enabled cipher list might not
|
||||
contain any PSK cipher suite. In that case, desired PSK
|
||||
cipher suites must be enabled using --ciphers option.
|
||||
The desired PSK cipher suite may be black listed by
|
||||
The desired PSK cipher suite may be block listed by
|
||||
HTTP/2. To use those cipher suites with HTTP/2,
|
||||
consider to use --no-http2-cipher-black-list option.
|
||||
consider to use --no-http2-cipher-block-list option.
|
||||
But be aware its implications.
|
||||
--client-psk-secrets=<PATH>
|
||||
Read PSK identity and secrets from <PATH>. This is used
|
||||
@ -2430,9 +2430,9 @@ SSL/TLS:
|
||||
The default enabled cipher list might not contain any
|
||||
PSK cipher suite. In that case, desired PSK cipher
|
||||
suites must be enabled using --client-ciphers option.
|
||||
The desired PSK cipher suite may be black listed by
|
||||
The desired PSK cipher suite may be block listed by
|
||||
HTTP/2. To use those cipher suites with HTTP/2,
|
||||
consider to use --client-no-http2-cipher-black-list
|
||||
consider to use --client-no-http2-cipher-block-list
|
||||
option. But be aware its implications.
|
||||
--tls-no-postpone-early-data
|
||||
By default, nghttpx postpones forwarding HTTP requests
|
||||
@ -3531,6 +3531,9 @@ int main(int argc, char **argv) {
|
||||
{SHRPX_OPT_TLS13_CLIENT_CIPHERS.c_str(), required_argument, &flag, 165},
|
||||
{SHRPX_OPT_NO_STRIP_INCOMING_EARLY_DATA.c_str(), no_argument, &flag,
|
||||
166},
|
||||
{SHRPX_OPT_NO_HTTP2_CIPHER_BLOCK_LIST.c_str(), no_argument, &flag, 167},
|
||||
{SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLOCK_LIST.c_str(), no_argument,
|
||||
&flag, 168},
|
||||
{nullptr, 0, nullptr, 0}};
|
||||
|
||||
int option_index = 0;
|
||||
@ -4324,6 +4327,16 @@ int main(int argc, char **argv) {
|
||||
cmdcfgs.emplace_back(SHRPX_OPT_NO_STRIP_INCOMING_EARLY_DATA,
|
||||
StringRef::from_lit("yes"));
|
||||
break;
|
||||
case 167:
|
||||
// --no-http2-cipher-block-list
|
||||
cmdcfgs.emplace_back(SHRPX_OPT_NO_HTTP2_CIPHER_BLOCK_LIST,
|
||||
StringRef::from_lit("yes"));
|
||||
break;
|
||||
case 168:
|
||||
// --client-no-http2-cipher-block-list
|
||||
cmdcfgs.emplace_back(SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLOCK_LIST,
|
||||
StringRef::from_lit("yes"));
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
@ -2282,6 +2282,9 @@ int option_lookup_token(const char *name, size_t namelen) {
|
||||
if (util::strieq_l("no-http2-cipher-black-lis", name, 25)) {
|
||||
return SHRPX_OPTID_NO_HTTP2_CIPHER_BLACK_LIST;
|
||||
}
|
||||
if (util::strieq_l("no-http2-cipher-block-lis", name, 25)) {
|
||||
return SHRPX_OPTID_NO_HTTP2_CIPHER_BLOCK_LIST;
|
||||
}
|
||||
break;
|
||||
}
|
||||
break;
|
||||
@ -2403,6 +2406,9 @@ int option_lookup_token(const char *name, size_t namelen) {
|
||||
if (util::strieq_l("client-no-http2-cipher-black-lis", name, 32)) {
|
||||
return SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST;
|
||||
}
|
||||
if (util::strieq_l("client-no-http2-cipher-block-lis", name, 32)) {
|
||||
return SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLOCK_LIST;
|
||||
}
|
||||
break;
|
||||
}
|
||||
break;
|
||||
@ -3487,8 +3493,11 @@ int parse_config(Config *config, int optid, const StringRef &opt,
|
||||
return 0;
|
||||
}
|
||||
case SHRPX_OPTID_NO_HTTP2_CIPHER_BLACK_LIST:
|
||||
config->tls.no_http2_cipher_black_list = util::strieq_l("yes", optarg);
|
||||
|
||||
LOG(WARN) << opt << ": deprecated. Use "
|
||||
<< SHRPX_OPT_NO_HTTP2_CIPHER_BLOCK_LIST << " instead.";
|
||||
// fall through
|
||||
case SHRPX_OPTID_NO_HTTP2_CIPHER_BLOCK_LIST:
|
||||
config->tls.no_http2_cipher_block_list = util::strieq_l("yes", optarg);
|
||||
return 0;
|
||||
case SHRPX_OPTID_BACKEND_HTTP1_TLS:
|
||||
case SHRPX_OPTID_BACKEND_TLS:
|
||||
@ -3690,7 +3699,11 @@ int parse_config(Config *config, int optid, const StringRef &opt,
|
||||
return 0;
|
||||
#endif // LIBRESSL_LEGACY_API
|
||||
case SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST:
|
||||
config->tls.client.no_http2_cipher_black_list =
|
||||
LOG(WARN) << opt << ": deprecated. Use "
|
||||
<< SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLOCK_LIST << " instead.";
|
||||
// fall through
|
||||
case SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLOCK_LIST:
|
||||
config->tls.client.no_http2_cipher_block_list =
|
||||
util::strieq_l("yes", optarg);
|
||||
|
||||
return 0;
|
||||
|
@ -244,6 +244,8 @@ constexpr auto SHRPX_OPT_RESPONSE_HEADER_FIELD_BUFFER =
|
||||
StringRef::from_lit("response-header-field-buffer");
|
||||
constexpr auto SHRPX_OPT_MAX_RESPONSE_HEADER_FIELDS =
|
||||
StringRef::from_lit("max-response-header-fields");
|
||||
constexpr auto SHRPX_OPT_NO_HTTP2_CIPHER_BLOCK_LIST =
|
||||
StringRef::from_lit("no-http2-cipher-block-list");
|
||||
constexpr auto SHRPX_OPT_NO_HTTP2_CIPHER_BLACK_LIST =
|
||||
StringRef::from_lit("no-http2-cipher-black-list");
|
||||
constexpr auto SHRPX_OPT_BACKEND_HTTP1_TLS =
|
||||
@ -322,6 +324,8 @@ constexpr auto SHRPX_OPT_FRONTEND_KEEP_ALIVE_TIMEOUT =
|
||||
constexpr auto SHRPX_OPT_PSK_SECRETS = StringRef::from_lit("psk-secrets");
|
||||
constexpr auto SHRPX_OPT_CLIENT_PSK_SECRETS =
|
||||
StringRef::from_lit("client-psk-secrets");
|
||||
constexpr auto SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLOCK_LIST =
|
||||
StringRef::from_lit("client-no-http2-cipher-block-list");
|
||||
constexpr auto SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST =
|
||||
StringRef::from_lit("client-no-http2-cipher-black-list");
|
||||
constexpr auto SHRPX_OPT_CLIENT_CIPHERS = StringRef::from_lit("client-ciphers");
|
||||
@ -652,7 +656,7 @@ struct TLSConfig {
|
||||
StringRef cert_file;
|
||||
StringRef ciphers;
|
||||
StringRef tls13_ciphers;
|
||||
bool no_http2_cipher_black_list;
|
||||
bool no_http2_cipher_block_list;
|
||||
} client;
|
||||
|
||||
// PSK secrets. The key is identity, and the associated value is
|
||||
@ -688,7 +692,7 @@ struct TLSConfig {
|
||||
int min_proto_version;
|
||||
int max_proto_version;
|
||||
bool insecure;
|
||||
bool no_http2_cipher_black_list;
|
||||
bool no_http2_cipher_block_list;
|
||||
// true if forwarding requests included in TLS early data should not
|
||||
// be postponed until TLS handshake finishes.
|
||||
bool no_postpone_early_data;
|
||||
@ -1066,6 +1070,7 @@ enum {
|
||||
SHRPX_OPTID_CLIENT_CERT_FILE,
|
||||
SHRPX_OPTID_CLIENT_CIPHERS,
|
||||
SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST,
|
||||
SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLOCK_LIST,
|
||||
SHRPX_OPTID_CLIENT_PRIVATE_KEY_FILE,
|
||||
SHRPX_OPTID_CLIENT_PROXY,
|
||||
SHRPX_OPTID_CLIENT_PSK_SECRETS,
|
||||
@ -1121,6 +1126,7 @@ enum {
|
||||
SHRPX_OPTID_NO_ADD_X_FORWARDED_PROTO,
|
||||
SHRPX_OPTID_NO_HOST_REWRITE,
|
||||
SHRPX_OPTID_NO_HTTP2_CIPHER_BLACK_LIST,
|
||||
SHRPX_OPTID_NO_HTTP2_CIPHER_BLOCK_LIST,
|
||||
SHRPX_OPTID_NO_KQUEUE,
|
||||
SHRPX_OPTID_NO_LOCATION_REWRITE,
|
||||
SHRPX_OPTID_NO_OCSP,
|
||||
|
@ -616,18 +616,18 @@ int Connection::check_http2_requirement() {
|
||||
return -1;
|
||||
}
|
||||
|
||||
auto check_black_list = false;
|
||||
auto check_block_list = false;
|
||||
if (tls.server_handshake) {
|
||||
check_black_list = !get_config()->tls.no_http2_cipher_black_list;
|
||||
check_block_list = !get_config()->tls.no_http2_cipher_block_list;
|
||||
} else {
|
||||
check_black_list = !get_config()->tls.client.no_http2_cipher_black_list;
|
||||
check_block_list = !get_config()->tls.client.no_http2_cipher_block_list;
|
||||
}
|
||||
|
||||
if (check_black_list &&
|
||||
nghttp2::tls::check_http2_cipher_black_list(tls.ssl)) {
|
||||
if (check_block_list &&
|
||||
nghttp2::tls::check_http2_cipher_block_list(tls.ssl)) {
|
||||
if (LOG_ENABLED(INFO)) {
|
||||
LOG(INFO) << "The negotiated cipher suite is in HTTP/2 cipher suite "
|
||||
"black list. HTTP/2 must not be used.";
|
||||
"block list. HTTP/2 must not be used.";
|
||||
}
|
||||
return -1;
|
||||
}
|
||||
|
@ -117,7 +117,7 @@ TLSSessionInfo *get_tls_session_info(TLSSessionInfo *tls_info, SSL *ssl) {
|
||||
}
|
||||
|
||||
/* Conditional logic w/ lookup tables to check if id is one of the
|
||||
the black listed cipher suites for HTTP/2 described in RFC 7540.
|
||||
the block listed cipher suites for HTTP/2 described in RFC 7540.
|
||||
https://github.com/jay/http2_blacklisted_ciphers
|
||||
*/
|
||||
#define IS_CIPHER_BANNED_METHOD2(id) \
|
||||
@ -132,7 +132,7 @@ TLSSessionInfo *get_tls_session_info(TLSSessionInfo *tls_info, SSL *ssl) {
|
||||
[(id & 0xFF) / 8] & \
|
||||
(1 << (id % 8))))
|
||||
|
||||
bool check_http2_cipher_black_list(SSL *ssl) {
|
||||
bool check_http2_cipher_block_list(SSL *ssl) {
|
||||
int id = SSL_CIPHER_get_id(SSL_get_current_cipher(ssl)) & 0xFFFFFF;
|
||||
|
||||
return IS_CIPHER_BANNED_METHOD2(id);
|
||||
@ -145,7 +145,7 @@ bool check_http2_tls_version(SSL *ssl) {
|
||||
}
|
||||
|
||||
bool check_http2_requirement(SSL *ssl) {
|
||||
return check_http2_tls_version(ssl) && !check_http2_cipher_black_list(ssl);
|
||||
return check_http2_tls_version(ssl) && !check_http2_cipher_block_list(ssl);
|
||||
}
|
||||
|
||||
void libssl_init() {
|
||||
|
@ -87,14 +87,14 @@ TLSSessionInfo *get_tls_session_info(TLSSessionInfo *tls_info, SSL *ssl);
|
||||
bool check_http2_tls_version(SSL *ssl);
|
||||
|
||||
// Returns true iff the negotiated cipher suite is in HTTP/2 cipher
|
||||
// black list.
|
||||
bool check_http2_cipher_black_list(SSL *ssl);
|
||||
// block list.
|
||||
bool check_http2_cipher_block_list(SSL *ssl);
|
||||
|
||||
// Returns true if SSL/TLS requirement for HTTP/2 is fulfilled.
|
||||
// To fulfill the requirement, the following 2 terms must be hold:
|
||||
//
|
||||
// 1. The negotiated protocol must be TLSv1.2.
|
||||
// 2. The negotiated cipher cuite is not listed in the black list
|
||||
// 2. The negotiated cipher cuite is not listed in the block list
|
||||
// described in RFC 7540.
|
||||
bool check_http2_requirement(SSL *ssl);
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user