From 75bfbc94dd9d2a5b8e27668d29bd32e2850fc5c0 Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa
Date: Sat, 26 Apr 2014 22:51:39 +0900
Subject: [PATCH] nghttpx: Require TLSv1.2 or TLSv1.1 for NPN as well
---
 src/shrpx_client_handler.cc | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/shrpx_client_handler.cc b/src/shrpx_client_handler.cc
index 145cc1f8..53787bb2 100644
--- a/src/shrpx_client_handler.cc
+++ b/src/shrpx_client_handler.cc
@@ -385,6 +385,12 @@ int ClientHandler::validate_next_proto()
 if(next_proto_len == NGHTTP2_PROTO_VERSION_ID_LEN && memcmp(NGHTTP2_PROTO_VERSION_ID, next_proto, NGHTTP2_PROTO_VERSION_ID_LEN) == 0) {
+
+ // For NPN, we must check security requirement here.
+ if(!ssl::check_http2_requirement(ssl_)) {
+ return -1;
+ }
+
 set_bev_cb(upstream_http2_connhd_readcb, upstream_writecb, upstream_eventcb);
 upstream_ = util::make_unique(this);
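Review bot: The refusal path added right after the `NGHTTP2_PROTO_VERSION_ID` match returns -1 with no diagnostic visible in this hunk, so a client dropped for selecting HTTP/2 over an inadequate TLS version would look like any other failed connection in the logs, unless `ssl::check_http2_requirement` logs internally (its body is not shown). Consider emitting a log line at this call site when the check fails. The comment would also help more if it said why the check has to sit here, e.g. `// NPN: the client selects the protocol, so the TLS requirement can only be verified after the handshake; refuse HTTP/2 otherwise.` The enclosing `validate_next_proto()` starts and ends outside the hunk, so how the caller treats the -1 cannot be confirmed from here.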