SSL: reject unsupported protocols "negotiated" during handshake

Piotr Sikora piotr at cloudflare.com
Wed Apr 3 22:16:14 UTC 2013


Hey Maxim,

> Do we care?  I think it's ok to assume HTTP by default, even if a
> client sent something different from what we've advertised.

I'm not sure about you, but I do. I don't see a point in trying to
process something that is known to fail down the line, especially
if it produces noise in the logs.

Right now, a forced SPDY/3 request is logged like this:

access.log:
127.0.0.1 - - [03/Apr/2013:14:05:10 -0700]
"\x80\x03\x00\x01\x01\x00\x00\xDB\x00\x00\x00\x01\x00\x00\x00\x00`\x0080\xE3\xC6\xA7\xC2\x00\xC1\x00>\xFF\x00\x00\x00\x08\x00\x00\x00\x05:host\x00\x00\x00\x10example.net:7070\x00\x00\x00\x07:method\x00\x00\x00\x03GET\x00\x00\x00\x05:path\x00\x00\x00\x01/\x00\x00\x00\x07:scheme\x00\x00\x00\x05https\x00\x00\x00\x08:version\x00\x00\x00\x08HTTP/1.1\x00\x00\x00\x06accept\x00\x00\x00\x03*/*\x00\x00\x00\x0Faccept-encoding\x00\x00\x00"
400 189 "-" "-"

error.log:
2013/04/03 14:05:10 [info] 54833#0: *4 client sent invalid method
while reading client request line, client: 127.0.0.1, server: _,
request: "?`80??>:hostexample.net:7070:methodGET:path/:schemehttp:versioHTTP/1.1accept*/*accept-encoding"

vs patched:

error.log:
2013/04/03 14:08:59 [error] 55828#0: *1 client negotiated unsupported
protocol "spdy/3" while SSL handshaking, client: 127.0.0.1, server:
0.0.0.0:7070

Best regards,
Piotr Sikora
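The two halves of the message above, reproduced offline as an added example (this is not code from the thread or from nginx, and the function names are mine): the post-handshake check that the patch adds, which compares the protocol the client negotiated against the list the server advertised (with NPN the client makes the final choice, so it can pick a name the server never offered), and a decoder for the first bytes of the logged request, which shows that they are a SPDY/3 SYN_STREAM control frame rather than an HTTP request line. `LOGGED_SPDY_PREFIX` is the first 18 bytes copied from the access.log line above; the rest of the frame is omitted. The method-token check follows the RFC 7230 tchar rule and is only an approximation of nginx's own request-line parser.

```python
"""Added example (not from the nginx-devel thread or from nginx itself)."""
import struct

# RFC 7230 tchar: the characters allowed in an HTTP method token.
TCHAR = set(b"!#$%&'*+-.^_`|~0123456789"
            b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")

SPDY_CONTROL_TYPES = {1: "SYN_STREAM", 2: "SYN_REPLY", 3: "RST_STREAM",
                      4: "SETTINGS", 6: "PING", 7: "GOAWAY", 8: "HEADERS",
                      9: "WINDOW_UPDATE"}

# Constructed sample: the first 18 bytes of the request shown in the
# access.log line above (the zlib-compressed header block is left out).
LOGGED_SPDY_PREFIX = (b"\x80\x03\x00\x01\x01\x00\x00\xDB"   # frame header
                      b"\x00\x00\x00\x01\x00\x00\x00\x00"   # stream id 1, assoc 0
                      b"\x60\x00")                          # priority/slot ('`' in the log)


def check_negotiated_protocol(advertised, negotiated):
    """The check the patch adds: accept only what the server advertised.

    `negotiated` is None when the client did not use NPN/ALPN at all,
    which is fine (plain HTTP/1.x over TLS).  Returns (ok, log_message).
    """
    if negotiated is None or negotiated in advertised:
        return True, ""
    return (False, 'client negotiated unsupported protocol "%s" '
                   'while SSL handshaking' % negotiated)


def parse_spdy_frame_header(data):
    """Decode the 8-byte SPDY control-frame header plus, for SYN_STREAM,
    the fixed fields that follow it.  Returns None if `data` does not
    start with a control frame (control bit = high bit of byte 0)."""
    if len(data) < 8 or not data[0] & 0x80:
        return None
    version = ((data[0] & 0x7F) << 8) | data[1]          # 15-bit version
    ftype = (data[2] << 8) | data[3]
    flags = data[4]
    length = (data[5] << 16) | (data[6] << 8) | data[7]  # 24-bit payload length
    frame = {"version": version,
             "type": SPDY_CONTROL_TYPES.get(ftype, ftype),
             "fin": bool(flags & 0x01),
             "length": length}
    if ftype == 1 and len(data) >= 18:                   # SYN_STREAM
        stream_id, assoc_id = struct.unpack(">II", data[8:16])
        frame["stream_id"] = stream_id & 0x7FFFFFFF
        frame["associated_stream_id"] = assoc_id & 0x7FFFFFFF
        frame["priority"] = data[16] >> 5                # SPDY/3: top 3 bits
    return frame


def classify_first_bytes(data):
    """What the HTTP request-line parser would be handed on this connection."""
    if parse_spdy_frame_header(data) is not None:
        return "spdy-control-frame"
    method = data.split(b" ", 1)[0]
    if method and all(c in TCHAR for c in method):
        return "http-request-line"
    return "invalid-method"       # nginx: "client sent invalid method"


if __name__ == "__main__":
    print(check_negotiated_protocol(["http/1.1"], "spdy/3"))
    print(classify_first_bytes(LOGGED_SPDY_PREFIX),
          parse_spdy_frame_header(LOGGED_SPDY_PREFIX))
    print(classify_first_bytes(b"GET / HTTP/1.1\r\n"))
```

Run against the logged prefix, the decoder reports a version 3 SYN_STREAM with FLAG_FIN set, a 219-byte payload and stream ID 1; its first byte, 0x80, is not a tchar, which is why the unpatched server reports an invalid method. In a real server the `negotiated` value comes from the TLS library after the handshake (in Python's `ssl` module, `SSLSocket.selected_alpn_protocol()`), and the connection is closed before any application bytes are read.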
