SSL: reject unsupported protocols "negotiated" during handshake
Maxim Dounin
mdounin at mdounin.ru
Thu Apr 4 14:40:10 UTC 2013
Hello!
On Wed, Apr 03, 2013 at 03:16:14PM -0700, Piotr Sikora wrote:
> Hey Maxim,
>
> > Do we care? I think it's ok to assume HTTP by default, even if a
> > client sent something different from what we've advertised.
>
> I'm not sure about you, but I do. I don't see a point in trying to
> process something that is known to fail down the line... Especially,
> if it produces noise in the logs.
>
> Right now, forced SPDY/3 request is logged like that:
>
> access.log:
> 127.0.0.1 - - [03/Apr/2013:14:05:10 -0700]
> "\x80\x03\x00\x01\x01\x00\x00\xDB\x00\x00\x00\x01\x00\x00\x00\x00`\x0080\xE3\xC6\xA7\xC2\x00\xC1\x00>\xFF\x00\x00\x00\x08\x00\x00\x00\x05:host\x00\x00\x00\x10example.net:7070\x00\x00\x00\x07:method\x00\x00\x00\x03GET\x00\x00\x00\x05:path\x00\x00\x00\x01/\x00\x00\x00\x07:scheme\x00\x00\x00\x05https\x00\x00\x00\x08:version\x00\x00\x00\x08HTTP/1.1\x00\x00\x00\x06accept\x00\x00\x00\x03*/*\x00\x00\x00\x0Faccept-encoding\x00\x00\x00"
> 400 189 "-" "-"
>
> error.log:
> 2013/04/03 14:05:10 [info] 54833#0: *4 client sent invalid method
> while reading client request line, client: 127.0.0.1, server: _,
> request: "?`80??>:hostexample.net:7070:methodGET:path/:schemehttp:versioHTTP/1.1accept*/*accept-encoding"
>
> vs patched:
>
> error.log:
> 2013/04/03 14:08:59 [error] 55828#0: *1 client negotiated unsupported
> protocol "spdy/3" while SSL handshaking, client: 127.0.0.1, server:
> 0.0.0.0:7070
As long as this is something _forced_ and doesn't happen as normal
behaviour of some clients, I would rather preserve current
behaviour. For me it looks better to assume HTTP for something
which is not HTTP rather than reject HTTP which e.g. happened to
be hardcoded to claim HTTP/1.0 instead of HTTP/1.1 we advertise.
If "spdy/3" happens to generate too much noise in logs as observed
in real life, we may consider blocking it specifically.
--
Maxim Dounin
http://nginx.org/en/donation.html
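As an added example (not code from the thread or from nginx), the helper below decodes the `\xHH`-escaped request string from the first access.log entry quoted above, shows that it is a SPDY/3 SYN_STREAM control frame that nginx then tried to parse as an HTTP request line, and pulls the rejected protocol name out of the patched error.log message. The sample lines are constructed, shortened copies of the quoted ones; all function names are hypothetical.

```python
import re
from typing import Optional

# Constructed sample lines (shortened from the two nginx log lines quoted in the thread).
ACCESS_REQUEST = r"\x80\x03\x00\x01\x01\x00\x00\xDB\x00\x00\x00\x01\x00\x00\x00\x00`\x0080\xE3"
ERROR_LINE = ('2013/04/03 14:08:59 [error] 55828#0: *1 client negotiated unsupported '
              'protocol "spdy/3" while SSL handshaking, client: 127.0.0.1, server: 0.0.0.0:7070')

# SPDY/3 control frame types (draft spec), used only to name what was logged.
SPDY_CONTROL_TYPES = {1: "SYN_STREAM", 2: "SYN_REPLY", 3: "RST_STREAM", 4: "SETTINGS",
                      6: "PING", 7: "GOAWAY", 8: "HEADERS", 9: "WINDOW_UPDATE"}

def unescape_nginx(field: str) -> bytes:
    """Undo the \\xHH escaping nginx applies to non-printable bytes in access.log."""
    out = bytearray()
    i = 0
    while i < len(field):
        if field.startswith("\\x", i) and i + 4 <= len(field):
            out.append(int(field[i + 2:i + 4], 16))
            i += 4
        else:
            out.extend(field[i].encode("latin-1"))
            i += 1
    return bytes(out)

def parse_spdy_control_frame(data: bytes) -> Optional[dict]:
    """Decode an 8-byte SPDY control frame header; None if the top bit (control flag) is clear."""
    if len(data) < 8 or not data[0] & 0x80:
        return None
    return {
        "version": ((data[0] & 0x7F) << 8) | data[1],        # 15-bit version after the control bit
        "type": SPDY_CONTROL_TYPES.get(int.from_bytes(data[2:4], "big"), "UNKNOWN"),
        "flags": data[4],                                     # 0x01 = FLAG_FIN
        "length": int.from_bytes(data[5:8], "big"),           # 24-bit payload length
    }

def classify_invalid_request(request_field: str) -> str:
    """Explain a 400 'client sent invalid method' entry: SPDY frame treated as HTTP, or other junk."""
    frame = parse_spdy_control_frame(unescape_nginx(request_field))
    if frame:
        return f"spdy/{frame['version']} {frame['type']} frame sent to an HTTP listener"
    return "non-HTTP request line"

NEGOTIATED_RE = re.compile(r'client negotiated unsupported protocol "([^"]*)" while SSL handshaking')

def negotiated_protocol(error_line: str) -> Optional[str]:
    """Pull the rejected NPN protocol name out of the patched nginx error.log message."""
    m = NEGOTIATED_RE.search(error_line)
    return m.group(1) if m else None

if __name__ == "__main__":
    print(classify_invalid_request(ACCESS_REQUEST))   # spdy/3 SYN_STREAM frame sent to an HTTP listener
    print(negotiated_protocol(ERROR_LINE))            # spdy/3
```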