From a82b7f09c8e88a19c79575c53ad1b21d20ea312a Mon Sep 17 00:00:00 2001
From: Tatsuhiro Tsujikawa
Date: Sat, 26 Apr 2014 23:00:58 +0900
Subject: [PATCH] nghttpx: Drop HTTP/2 backend connection unless TLSv1.2 or TLSv1.1 was negotiated
---
 src/shrpx_http2_session.cc | 20 +++++++++++++++++---
 src/shrpx_http2_session.h  |  2 ++
 2 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/src/shrpx_http2_session.cc b/src/shrpx_http2_session.cc
index 216a1aef..599049bc 100644
--- a/src/shrpx_http2_session.cc
+++ b/src/shrpx_http2_session.cc
@@ -257,12 +257,21 @@ void eventcb(bufferevent *bev, short events, void *ptr)
       SSLOG(INFO, http2session) << "Connection established";
     }
     http2session->set_state(Http2Session::CONNECTED);
-    if((!get_config()->downstream_no_tls &&
-       !get_config()->insecure && http2session->check_cert() != 0) ||
-       http2session->on_connect() != 0) {
+    if(!get_config()->downstream_no_tls) {
+      if(!ssl::check_http2_requirement(http2session->get_ssl()) ||
+         (!get_config()->insecure && http2session->check_cert() != 0)) {
+
+        http2session->disconnect();
+
+        return;
+      }
+    }
+
+    if(http2session->on_connect() != 0) {
       http2session->disconnect();
       return;
     }
+
     int fd = bufferevent_getfd(bev);
     int val = 1;
     if(setsockopt(fd, IPPROTO_TCP, TCP_NODELAY,
@@ -1384,4 +1393,9 @@ size_t Http2Session::get_outbuf_length() const
   }
 }
 
+SSL* Http2Session::get_ssl() const
+{
+  return ssl_;
+}
+
 } // namespace shrpx
diff --git a/src/shrpx_http2_session.h b/src/shrpx_http2_session.h
index 6b1a9876..85b9e697 100644
--- a/src/shrpx_http2_session.h
+++ b/src/shrpx_http2_session.h
@@ -106,6 +106,8 @@ public:
 
   size_t get_outbuf_length() const;
 
+  SSL* get_ssl() const;
+
   enum {
     // Disconnected
     DISCONNECTED,
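Review bot: The new inner `if` in eventcb drops the backend connection silently when `ssl::check_http2_requirement` fails, so an operator whose backend negotiates an older TLS version sees only an unexplained disconnect; the surrounding code already logs "Connection established" through `SSLOG`, and nothing here records the reason for the drop (whether `check_http2_requirement` or `check_cert()` log internally cannot be seen from this hunk). I would log before the disconnect, e.g. `SSLOG(INFO, http2session) << "Backend connection does not satisfy HTTP/2 TLS requirement";`, so the rejection is attributable. Note also that `http2session->get_ssl()` is passed straight through with no null guard; if `ssl_` can be unset on a TLS-enabled path, `check_http2_requirement` must tolerate a nullptr — worth confirming. The ordering is sound: the TLS-profile check runs regardless of `--insecure`, which only bypasses the certificate check. eventcb's body begins before and continues after this hunk.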
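Review bot: `get_ssl()` joins the public interface with no comment stating ownership or when the returned pointer is valid, and as a const method it hands out a mutable `SSL*`, so a caller holding a const session can still alter TLS state through it. I would document the contract at the declaration, e.g. `// Returns the backend connection's SSL object. Non-owning; presumably nullptr when downstream TLS is disabled (confirm against how ssl_ is assigned).` The accessor in the .cc file simply returns `ssl_`, so the header comment is the right place for the lifetime note.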