nghttpx: Drop HTTP/2 backend connection unless TLSv1.2 or TLSv1.1 was negotiated

src/shrpx_http2_session.cc

@@ -257,12 +257,21 @@ void eventcb(bufferevent *bev, short events, void *ptr)
       SSLOG(INFO, http2session) << "Connection established";
     }
     http2session->set_state(Http2Session::CONNECTED);
-    if((!get_config()->downstream_no_tls &&
-        !get_config()->insecure && http2session->check_cert() != 0) ||
-       http2session->on_connect() != 0) {
+    if(!get_config()->downstream_no_tls) {
+      if(!ssl::check_http2_requirement(http2session->get_ssl()) ||
+         (!get_config()->insecure && http2session->check_cert() != 0)) {
+
+        http2session->disconnect();
+
+        return;
+      }
+    }
+
+    if(http2session->on_connect() != 0) {
       http2session->disconnect();
       return;
     }
+
     int fd = bufferevent_getfd(bev);
     int val = 1;
     if(setsockopt(fd, IPPROTO_TCP, TCP_NODELAY,
@@ -1384,4 +1393,9 @@ size_t Http2Session::get_outbuf_length() const
   }
 }
 
+SSL* Http2Session::get_ssl() const
+{
+  return ssl_;
+}
+
 } // namespace shrpx

src/shrpx_http2_session.h

@@ -106,6 +106,8 @@ public:
 
   size_t get_outbuf_length() const;
 
+  SSL* get_ssl() const;
+
   enum {
     // Disconnected
     DISCONNECTED,