Disable h2 prior knowledge on tls (#11881)

* Don't allow using HTTP/2 prior knowledge on TLS connections * Update debug log message * Use ALPN on autest tls_0rtt_server * Add a comment (cherry picked from commit 5c0b039)
apache · Jan 24, 2025 · ca66fd6 · ca66fd6
1 parent acdc131
commit ca66fd6
Showing 1 changed file with 7 additions and 1 deletion.
diff --git a/src/proxy/ProtocolProbeSessionAccept.cc b/src/proxy/ProtocolProbeSessionAccept.cc
@@ -136,7 +136,13 @@ struct ProtocolProbeTrampoline : public Continuation, public ProtocolProbeSessio
     } // end of Proxy Protocol processing
 
     if (proto_is_http2(reader)) {
-      key = PROTO_HTTP2;
+      if (netvc->get_service<TLSBasicSupport>() == nullptr) {
+        key = PROTO_HTTP2;
+      } else {
+        // RFC 9113 Section 3.3: Prior knowledge is only permissible for HTTP/2 over plaintext (non-TLS) connections.
+        Dbg(dbg_ctl_http, "HTTP/2 prior knowledge was used on a TLS connection (protocol violation). Selecting HTTP/1 instead.");
+        key = PROTO_HTTP;
+      }
     } else {
       key = PROTO_HTTP;
     }