fix: skip h2c preface detection on TLS streams#826
Open
cph816 wants to merge 2 commits intocloudflare:mainfrom
Open
fix: skip h2c preface detection on TLS streams#826cph816 wants to merge 2 commits intocloudflare:mainfrom
cph816 wants to merge 2 commits intocloudflare:mainfrom
Conversation
h2c (HTTP/2 cleartext) preface detection should only run on cleartext TCP connections. On TLS, ALPN negotiates the protocol during the handshake. When h2c is enabled and both TCP and TLS listeners share a service, preface detection runs on TLS streams too. On TLS, try_peek returns peeked=false, leaving h2c=true unconditionally. This forces all TLS connections into the HTTP/2 branch, breaking HTTP/1.1 clients. Fix: check get_ssl_digest().is_some() to detect TLS and skip h2c detection, letting the existing ALPN check decide the protocol.
cph816
force-pushed
the
cph816/fix-h2c-tls
branch
from
fba40db to
c1af22d
Compare
cph816
force-pushed
the
cph816/fix-h2c-tls
branch
from
c1af22d to
08af462
Compare
drcaramelsyrup
added
bug
andrewhavck
added
the
Accepted
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
h2c (HTTP/2 cleartext) preface detection should only run on cleartext TCP connections. On TLS, ALPN negotiates the protocol during the handshake.
When h2c is enabled and both TCP and TLS listeners share a service, preface detection runs on TLS streams too. On TLS, try_peek returns peeked=false, leaving h2c=true unconditionally. This forces all TLS connections into the HTTP/2 branch, breaking HTTP/1.1 clients.
Fix: check get_ssl_digest().is_some() to detect TLS and skip h2c detection, letting the existing ALPN check decide the protocol.
Verification:
test_h1_tls_with_h2c_enabled fails without this fix
Reproduction
h2c = truecurl --http1.1 https://...)HTTP/2 requests to the TLS port (via ALPN) work fine.
HTTP/1.1 requests to the TCP port also work fine (h2c peek correctly detects HTTP/1.1