SSL: reject unsupported protocols "negotiated" during handshake

Maxim Dounin mdounin at mdounin.ru
Thu Apr 4 14:40:10 UTC 2013


Hello!

On Wed, Apr 03, 2013 at 03:16:14PM -0700, Piotr Sikora wrote:

> Hey Maxim,
> 
> > Do we care?  I think it's ok to assume HTTP by default, even if a
> > client sent something different from what we've advertised.
> 
> I'm not sure about you, but I do. I don't see a point in trying to
> process something that is known to fail down the line... Especially
> if it produces noise in the logs.
> 
> Right now, a forced SPDY/3 request is logged like this:
> 
> access.log:
> 127.0.0.1 - - [03/Apr/2013:14:05:10 -0700]
> "\x80\x03\x00\x01\x01\x00\x00\xDB\x00\x00\x00\x01\x00\x00\x00\x00`\x0080\xE3\xC6\xA7\xC2\x00\xC1\x00>\xFF\x00\x00\x00\x08\x00\x00\x00\x05:host\x00\x00\x00\x10example.net:7070\x00\x00\x00\x07:method\x00\x00\x00\x03GET\x00\x00\x00\x05:path\x00\x00\x00\x01/\x00\x00\x00\x07:scheme\x00\x00\x00\x05https\x00\x00\x00\x08:version\x00\x00\x00\x08HTTP/1.1\x00\x00\x00\x06accept\x00\x00\x00\x03*/*\x00\x00\x00\x0Faccept-encoding\x00\x00\x00"
> 400 189 "-" "-"
> 
> error.log:
> 2013/04/03 14:05:10 [info] 54833#0: *4 client sent invalid method
> while reading client request line, client: 127.0.0.1, server: _,
> request: "?`80??>:hostexample.net:7070:methodGET:path/:schemehttp:versioHTTP/1.1accept*/*accept-encoding"
> 
> vs patched:
> 
> error.log:
> 2013/04/03 14:08:59 [error] 55828#0: *1 client negotiated unsupported
> protocol "spdy/3" while SSL handshaking, client: 127.0.0.1, server:
> 0.0.0.0:7070

As long as this is something _forced_ and doesn't happen as normal 
behaviour of some clients, I would rather preserve current 
behaviour.  For me it looks better to assume HTTP for something 
which is not HTTP rather than reject HTTP which e.g. happened to 
be hardcoded to claim HTTP/1.0 instead of HTTP/1.1 we advertise.

If "spdy/3" happens to generate too much noise in logs, as observed 
in real life, we may consider blocking it specifically.

-- 
Maxim Dounin
http://nginx.org/en/donation.html
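Added illustration, not part of the thread and not nginx code. The two positions above are: default the connection to HTTP whenever the client's negotiated protocol is not one the server advertised (current nginx behaviour), or abort the handshake and log it (Piotr's patch). NPN, which nginx used in 2013, let the client make the final choice, so the server had to decide what to do with a "spdy/3" it never offered. ALPN (RFC 7301) moved the choice to the server and requires a fatal no_application_protocol alert when there is no overlap, and Go's crypto/tls has enforced that since Go 1.17. The example below runs three handshakes over an in-memory pipe against a server that advertises only "http/1.1": a matching client, a client that sends no ALPN extension at all (the "assume HTTP" case, which still succeeds), and a client that forces "spdy/3" (rejected during the handshake, as in the patched error.log line above). The certificate subject "alpn-example" and the protocol strings are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway certificate so the handshake runs fully
// offline. The subject name "alpn-example" is made up for this demo.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "alpn-example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// Negotiate performs one TLS handshake over an in-memory pipe. The server
// advertises serverProtos (what a server lists in its ALPN extension); the
// client offers clientProtos. It returns the protocol the server settled on
// and the handshake error the client observed, if any. A mismatch is rejected
// inside the handshake itself, before any HTTP bytes are read.
func Negotiate(serverProtos, clientProtos []string) (string, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return "", err
	}
	srvConn, cliConn := net.Pipe()
	defer srvConn.Close()
	defer cliConn.Close()

	server := tls.Server(srvConn, &tls.Config{
		Certificates: []tls.Certificate{cert},
		NextProtos:   serverProtos,
		// net.Pipe is synchronous: keep the server from writing session
		// tickets after the client has already finished its handshake.
		SessionTicketsDisabled: true,
	})
	client := tls.Client(cliConn, &tls.Config{
		// The cert above is a local throwaway, so verification is skipped
		// for this in-memory demo only.
		InsecureSkipVerify: true,
		NextProtos:         clientProtos,
	})

	srvErr := make(chan error, 1)
	go func() { srvErr <- server.Handshake() }()
	cliErr := client.Handshake()
	<-srvErr // server has either completed or sent its fatal alert
	if cliErr != nil {
		return "", cliErr
	}
	return server.ConnectionState().NegotiatedProtocol, nil
}

func main() {
	cases := []struct {
		name   string
		client []string
	}{
		{"client offers the advertised protocol", []string{"http/1.1"}},
		{"client sends no ALPN extension (HTTP assumed)", nil},
		{"client forces an unadvertised protocol", []string{"spdy/3"}},
	}
	for _, c := range cases {
		proto, err := Negotiate([]string{"http/1.1"}, c.client)
		fmt.Printf("%-48s -> proto=%q err=%v\n", c.name, proto, err)
	}
}
```

The middle case is the one Maxim is defending: a client that does not take part in protocol negotiation at all still gets a connection, and the server treats it as plain HTTP. Only a client that actively names a protocol the server never offered is refused, and the refusal surfaces as a single handshake-level error rather than a 400 with a binary request line in access.log.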