Parsing ClientHello Message for HTTP/2 Upgrade Request -- How do I do this?


Parsing ClientHello Message for HTTP/2 Upgrade Request -- How do I do this?

Osman Zakir
Hi, everyone.

As I said in the subject, I want to know how to parse the ClientHello message to find the HTTP/2 upgrade request if it's there. I'm using Boost.BEAST for HTTPS, but it only has support for HTTP/1.1 so I need to write code for supporting HTTP/2 myself if I want that.

I host the app on my own computer.  The source code is on GitHub here: https://github.com/DragonOsman/currency_converter .  The URL is https://dragonosman.dynu.net:5501/ .  Any help is appreciated.  Thanks.

RE: Parsing ClientHello Message for HTTP/2 Upgrade Request -- How do I do this?

Michael Wojcik
> From: openssl-users <[hidden email]> On Behalf Of Osman Zakir
> Sent: Friday, 28 August, 2020 11:52

> As I said in the subject, I want to know how to parse the ClientHello message
> to find the HTTP/2 upgrade request if it's there.

I've never had to do this myself, but my understanding is that a client can request HTTP/2 in the ClientHello using ALPN. So presumably on the server side you want to register an ALPN callback with SSL_CTX_set_alpn_select_cb. What you *shouldn't* be doing, if you're using OpenSSL, is parsing any TLS message yourself.

Of course, HTTP/2 upgrade can also be done at the HTTP protocol level, which seems like a far more sensible choice to me.

> I need to write code for supporting HTTP/2 myself if I want that.

Here's the real question: Why would you want HTTP/2?

HTTP/2 offers only marginal advantages over HTTP/1.1 for most applications. Its main justification is for server farms handling huge workloads. And, frankly, even for that use case I tend to agree with Poul-Henning Kamp (https://cacm.acm.org/magazines/2015/3/183605-http-2-0/fulltext). HTTP/2 is a lousy protocol created to cater to the needs of a handful of large industry players.

By supporting it, you're substantially increasing your attack surface and adding complexity, both of which are Really Bad Ideas for security.

If you must have HTTP/2, I recommend negotiating it at the HTTP protocol level. Don't add complexity at the crypto-protocol level (i.e. TLS) if you don't have to. That's a recipe for vulnerabilities.

--
Michael Wojcik
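To illustrate the ALPN approach from the reply above, here is an added example (not code from either poster or from the OpenSSL project) of a server-side selection callback with the signature that SSL_CTX_set_alpn_select_cb expects. The protocol list the callback receives is the client's ALPN extension payload (repeated 1-byte length plus name), so the server never parses the ClientHello itself; the server preference order and the constructed client lists in the comments are assumptions for the example.

```c
/* Added example: an OpenSSL-style ALPN selection callback for the server.
 * The client's ALPN list arrives as a sequence of <1-byte length><bytes>
 * entries; the server picks its own preferred protocol from that list. */
#include <stddef.h>
#include <string.h>

/* Same values as OpenSSL's <openssl/ssl.h>; defined here so the file
 * builds without the library. Include the real header when linking. */
#ifndef SSL_TLSEXT_ERR_OK
#define SSL_TLSEXT_ERR_OK          0
#define SSL_TLSEXT_ERR_ALERT_FATAL 2
#define SSL_TLSEXT_ERR_NOACK       3
#endif
struct ssl_st; /* OpenSSL's opaque connection type (SSL is a typedef of it) */

/* Assumed server preference order: offer HTTP/2 first, then HTTP/1.1. */
static const char *const kServerProtos[] = { "h2", "http/1.1" };

/* Returns an SSL_TLSEXT_ERR_* code; on success *out points into `in`,
 * which is what OpenSSL requires (the buffer outlives the callback). */
int choose_alpn(const unsigned char *in, unsigned int inlen,
                const unsigned char **out, unsigned char *outlen)
{
    /* Validate the framing first: a length byte that overruns the
     * extension is a malformed ClientHello and aborts the handshake. */
    unsigned int pos = 0;
    while (pos < inlen) {
        unsigned int len = in[pos];
        if (len == 0 || pos + 1 + len > inlen)
            return SSL_TLSEXT_ERR_ALERT_FATAL;
        pos += 1 + len;
    }
    /* Server-preference match: first server protocol the client also offers. */
    for (size_t i = 0; i < sizeof kServerProtos / sizeof *kServerProtos; i++) {
        size_t want = strlen(kServerProtos[i]);
        for (pos = 0; pos < inlen; pos += 1 + in[pos]) {
            if (in[pos] == want && memcmp(in + pos + 1, kServerProtos[i], want) == 0) {
                *out = in + pos + 1;
                *outlen = (unsigned char)want;
                return SSL_TLSEXT_ERR_OK;
            }
        }
    }
    return SSL_TLSEXT_ERR_NOACK; /* no overlap: handshake continues without ALPN */
}

/* Register with: SSL_CTX_set_alpn_select_cb(ctx, alpn_select_cb, NULL); */
int alpn_select_cb(struct ssl_st *ssl, const unsigned char **out,
                   unsigned char *outlen, const unsigned char *in,
                   unsigned int inlen, void *arg)
{
    (void)ssl; (void)arg;
    return choose_alpn(in, inlen, out, outlen);
}
```

With no overlap the callback returns NOACK rather than a fatal alert, so a client that only offers unknown protocols still gets a plain HTTP/1.1 connection.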