nghttpx: Drop connection if HTTP/2 security level is not satisfied on backend

2014-06-11 00:19:54 +09:00 · 2014-06-11 00:19:54 +09:00 · 24762db8f5
parent 492b42e6e9
commit 24762db8f5
1 changed files with 21 additions and 6 deletions
--- a/src/shrpx_http2_session.cc
+++ b/src/shrpx_http2_session.cc
@ -257,14 +257,13 @@ void eventcb(bufferevent *bev, short events, void *ptr)
      SSLOG(INFO, http2session) << "Connection established";
    }
    http2session->set_state(Http2Session::CONNECTED);
-    if(!get_config()->downstream_no_tls) {
-      if(!ssl::check_http2_requirement(http2session->get_ssl()) ||
-         (!get_config()->insecure && http2session->check_cert() != 0)) {
+    if(!get_config()->downstream_no_tls &&
+       !get_config()->insecure &&
+       http2session->check_cert() != 0) {

-        http2session->disconnect();
+      http2session->disconnect();

-        return;
-      }
+      return;
    }

    if(http2session->on_connect() != 0) {
@ -1268,11 +1267,27 @@ int Http2Session::on_connect()
    return -1;
  }

+  if(!get_config()->downstream_no_tls &&
+     !ssl::check_http2_requirement(ssl_)) {
+
+    rv = terminate_session(NGHTTP2_INADEQUATE_SECURITY);
+
+    if(rv != 0) {
+      return -1;
+    }
+  }
+
  rv = send();
  if(rv != 0) {
    return -1;
  }

+  if(!get_config()->downstream_no_tls &&
+     !ssl::check_http2_requirement(ssl_)) {
+
+    return 0;
+  }
+
  // submit pending request
  for(auto dconn : dconns_) {
    if(dconn->push_request_headers() != 0) {