From 24762db8f5585d8af2275a1c13a006ffed35bc6d Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa
Date: Wed, 11 Jun 2014 00:19:54 +0900
Subject: [PATCH] nghttpx: Drop connection if HTTP/2 security level is not satisfied on backend
---
 src/shrpx_http2_session.cc | 27 +++++++++++++++++++++------
 1 file changed, 21 insertions(+), 6 deletions(-)

diff --git a/src/shrpx_http2_session.cc b/src/shrpx_http2_session.cc
index d44ec3ee..95cb69eb 100644
--- a/src/shrpx_http2_session.cc
+++ b/src/shrpx_http2_session.cc
@@ -257,14 +257,13 @@ void eventcb(bufferevent *bev, short events, void *ptr)
 SSLOG(INFO, http2session) << "Connection established";
 }
 http2session->set_state(Http2Session::CONNECTED);
- if(!get_config()->downstream_no_tls) {
- if(!ssl::check_http2_requirement(http2session->get_ssl()) ||
- (!get_config()->insecure && http2session->check_cert() != 0)) {
+ if(!get_config()->downstream_no_tls &&
+ !get_config()->insecure &&
+ http2session->check_cert() != 0) {

- http2session->disconnect();
+ http2session->disconnect();

- return;
- }
+ return;
 }

 if(http2session->on_connect() != 0) {
@@ -1268,11 +1267,27 @@ int Http2Session::on_connect()
 return -1;
 }

+ if(!get_config()->downstream_no_tls &&
+ !ssl::check_http2_requirement(ssl_)) {
+
+ rv = terminate_session(NGHTTP2_INADEQUATE_SECURITY);
+
+ if(rv != 0) {
+ return -1;
+ }
+ }
+
 rv = send();
 if(rv != 0) {
 return -1;
 }

+ if(!get_config()->downstream_no_tls &&
+ !ssl::check_http2_requirement(ssl_)) {
+
+ return 0;
+ }
+
 // submit pending request
 for(auto dconn : dconns_) {
 if(dconn->push_request_headers() != 0) {
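Review bot: The certificate-failure branch in eventcb() calls `http2session->disconnect()` and returns without logging anything at this site, so a backend that fails verification is indistinguishable from any other dropped connection unless check_cert() logs on its own, which is not visible in the hunk. A line such as `SSLOG(ERROR, http2session) << "Backend certificate verification failed";` before the disconnect would give operators something to alert on. A short comment here would also help: `// HTTP/2 TLS requirements are checked in on_connect(); "insecure" only skips certificate verification`. eventcb()'s body starts and ends outside the hunk.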
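Review bot: The condition `!get_config()->downstream_no_tls && !ssl::check_http2_requirement(ssl_)` is written out twice in on_connect(), once before `send()` and once after it, so the two branches only stay in step if both copies are edited together. Computing it once, `const bool inadequate = !get_config()->downstream_no_tls && !ssl::check_http2_requirement(ssl_);`, and testing `inadequate` in both places makes the pairing explicit. The early `return 0` also deserves a comment such as `// GOAWAY(INADEQUATE_SECURITY) queued; do not submit pending requests on this session`, because returning success leaves the caller in the CONNECTED state and the actual teardown presumably happens elsewhere. Whether later requests on this session are refused depends on terminate_session(), which is outside the hunk, as are the start and end of on_connect().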