From cef458c31ce0c16fe7b1df6d971b75ed1df70505 Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Fri, 2 Apr 2021 22:31:15 +0900 Subject: [PATCH] Replace black-list with block-list nghttpx --no-http2-cipher-black-list and --client-no-http2-cipher-black-list are deprecated and replaced with --no-http2-cipher-block-list and --client-no-http2-cipher-block-list respectively. --- doc/sources/nghttpx-howto.rst | 20 ++++++++++---------- gennghttpxfun.py | 2 ++ src/shrpx.cc | 33 +++++++++++++++++++++++---------- src/shrpx_config.cc | 19 ++++++++++++++++--- src/shrpx_config.h | 10 ++++++++-- src/shrpx_connection.cc | 12 ++++++------ src/tls.cc | 6 +++--- src/tls.h | 6 +++--- 8 files changed, 71 insertions(+), 37 deletions(-) diff --git a/doc/sources/nghttpx-howto.rst b/doc/sources/nghttpx-howto.rst index 4e42485e..efde42b9 100644 --- a/doc/sources/nghttpx-howto.rst +++ b/doc/sources/nghttpx-howto.rst @@ -445,10 +445,10 @@ nghttpx server accepts any of the identity and secret pairs in the file. The default cipher suite list does not contain PSK cipher suites. In order to use PSK, PSK cipher suite must be enabled by using :option:`--ciphers` option. The desired PSK cipher suite may be -listed in `HTTP/2 cipher black list +listed in `HTTP/2 cipher block list `_. In order to use -such PSK cipher suite with HTTP/2, disable HTTP/2 cipher black list by -using :option:`--no-http2-cipher-black-list` option. But you should +such PSK cipher suite with HTTP/2, disable HTTP/2 cipher block list by +using :option:`--no-http2-cipher-block-list` option. But you should understand its implications. At the time of writing, even if only PSK cipher suites are specified 
@@ -468,10 +468,10 @@ used, like so: The default cipher suite list does not contain PSK cipher suites. In order to use PSK, PSK cipher suite must be enabled by using :option:`--client-ciphers` option. The desired PSK cipher suite may -be listed in `HTTP/2 cipher black list +be listed in `HTTP/2 cipher block list `_. In order to use -such PSK cipher suite with HTTP/2, disable HTTP/2 cipher black list by -using :option:`--client-no-http2-cipher-black-list` option. But you +such PSK cipher suite with HTTP/2, disable HTTP/2 cipher block list by +using :option:`--client-no-http2-cipher-block-list` option. But you should understand its implications. TLSv1.3 @@ -516,10 +516,10 @@ As of nghttpx v1.19.0, :option:`--ciphers` option only changes cipher list for frontend TLS connection. In order to change cipher list for backend connection, use :option:`--client-ciphers` option. -Similarly, :option:`--no-http2-cipher-black-list` option only disables -HTTP/2 cipher black list for frontend connection. In order to disable -HTTP/2 cipher black list for backend connection, use -:option:`--client-no-http2-cipher-black-list` option. +Similarly, :option:`--no-http2-cipher-block-list` option only disables +HTTP/2 cipher block list for frontend connection. In order to disable +HTTP/2 cipher block list for backend connection, use +:option:`--client-no-http2-cipher-block-list` option. ``--accept-proxy-protocol`` option was deprecated. Instead, use ``proxyproto`` parameter in :option:`--frontend` option to enable diff --git a/gennghttpxfun.py b/gennghttpxfun.py index f119a079..329df86c 100755 --- a/gennghttpxfun.py +++ b/gennghttpxfun.py @@ -113,6 +113,7 @@ OPTIONS = [ "max-request-header-fields", "header-field-buffer", "max-header-fields", + "no-http2-cipher-block-list", "no-http2-cipher-black-list", "backend-http1-tls", "tls-session-cache-memcached-cert-file", 
@@ -155,6 +156,7 @@ OPTIONS = [ "frontend-keep-alive-timeout", "psk-secrets", "client-psk-secrets", + "client-no-http2-cipher-block-list", "client-no-http2-cipher-black-list", "client-ciphers", "accesslog-write-early", diff --git a/src/shrpx.cc b/src/shrpx.cc index 0664612d..24f64262 100644 --- a/src/shrpx.cc +++ b/src/shrpx.cc @@ -2388,16 +2388,16 @@ SSL/TLS: TLS HTTP/2 backends. Default: )" << util::duration_str(config->tls.dyn_rec.idle_timeout) << R"( - --no-http2-cipher-black-list - Allow black listed cipher suite on frontend HTTP/2 + --no-http2-cipher-block-list + Allow block listed cipher suite on frontend HTTP/2 connection. See https://tools.ietf.org/html/rfc7540#appendix-A for the - complete HTTP/2 cipher suites black list. - --client-no-http2-cipher-black-list - Allow black listed cipher suite on backend HTTP/2 + complete HTTP/2 cipher suites block list. + --client-no-http2-cipher-block-list + Allow block listed cipher suite on backend HTTP/2 connection. See https://tools.ietf.org/html/rfc7540#appendix-A for the - complete HTTP/2 cipher suites black list. + complete HTTP/2 cipher suites block list. --tls-sct-dir= Specifies the directory where *.sct files exist. All *.sct files in are read, and sent as @@ -2416,9 +2416,9 @@ SSL/TLS: are skipped. The default enabled cipher list might not contain any PSK cipher suite. In that case, desired PSK cipher suites must be enabled using --ciphers option. - The desired PSK cipher suite may be black listed by + The desired PSK cipher suite may be block listed by HTTP/2. To use those cipher suites with HTTP/2, - consider to use --no-http2-cipher-black-list option. + consider to use --no-http2-cipher-block-list option. But be aware its implications. --client-psk-secrets= Read PSK identity and secrets from . This is used 
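Review bot: After the @@ -2388 hunk the help output lists only --no-http2-cipher-block-list and --client-no-http2-cipher-block-list, so `nghttpx --help` no longer tells users that the old spellings are still accepted and deprecated; the only remaining hint is the runtime warning emitted from shrpx_config.cc. Consider keeping a short entry for each old name, e.g. `  --no-http2-cipher-black-list` followed by `              Deprecated.  Use --no-http2-cipher-block-list instead.`, so the migration path is visible before the option is used. The same applies to the client variant. The raw string literal that holds this text runs past the end of the hunk.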
@@ -2430,9 +2430,9 @@ SSL/TLS: The default enabled cipher list might not contain any PSK cipher suite. In that case, desired PSK cipher suites must be enabled using --client-ciphers option. - The desired PSK cipher suite may be black listed by + The desired PSK cipher suite may be block listed by HTTP/2. To use those cipher suites with HTTP/2, - consider to use --client-no-http2-cipher-black-list + consider to use --client-no-http2-cipher-block-list option. But be aware its implications. --tls-no-postpone-early-data By default, nghttpx postpones forwarding HTTP requests @@ -3531,6 +3531,9 @@ int main(int argc, char **argv) { {SHRPX_OPT_TLS13_CLIENT_CIPHERS.c_str(), required_argument, &flag, 165}, {SHRPX_OPT_NO_STRIP_INCOMING_EARLY_DATA.c_str(), no_argument, &flag, 166}, + {SHRPX_OPT_NO_HTTP2_CIPHER_BLOCK_LIST.c_str(), no_argument, &flag, 167}, + {SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLOCK_LIST.c_str(), no_argument, + &flag, 168}, {nullptr, 0, nullptr, 0}}; int option_index = 0; @@ -4324,6 +4327,16 @@ int main(int argc, char **argv) { cmdcfgs.emplace_back(SHRPX_OPT_NO_STRIP_INCOMING_EARLY_DATA, StringRef::from_lit("yes")); break; + case 167: + // --no-http2-cipher-block-list + cmdcfgs.emplace_back(SHRPX_OPT_NO_HTTP2_CIPHER_BLOCK_LIST, + StringRef::from_lit("yes")); + break; + case 168: + // --client-no-http2-cipher-block-list + cmdcfgs.emplace_back(SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLOCK_LIST, + StringRef::from_lit("yes")); + break; default: break; } diff --git a/src/shrpx_config.cc b/src/shrpx_config.cc index 6a097d43..41043843 100644 --- a/src/shrpx_config.cc +++ b/src/shrpx_config.cc @@ -2282,6 +2282,9 @@ int option_lookup_token(const char *name, size_t namelen) { if (util::strieq_l("no-http2-cipher-black-lis", name, 25)) { return SHRPX_OPTID_NO_HTTP2_CIPHER_BLACK_LIST; } + if (util::strieq_l("no-http2-cipher-block-lis", name, 25)) { + return SHRPX_OPTID_NO_HTTP2_CIPHER_BLOCK_LIST; + } break; } break; 
@@ -2403,6 +2406,9 @@ int option_lookup_token(const char *name, size_t namelen) { if (util::strieq_l("client-no-http2-cipher-black-lis", name, 32)) { return SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST; } + if (util::strieq_l("client-no-http2-cipher-block-lis", name, 32)) { + return SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLOCK_LIST; + } break; } break; @@ -3487,8 +3493,11 @@ int parse_config(Config *config, int optid, const StringRef &opt, return 0; } case SHRPX_OPTID_NO_HTTP2_CIPHER_BLACK_LIST: - config->tls.no_http2_cipher_black_list = util::strieq_l("yes", optarg); - + LOG(WARN) << opt << ": deprecated. Use " + << SHRPX_OPT_NO_HTTP2_CIPHER_BLOCK_LIST << " instead."; + // fall through + case SHRPX_OPTID_NO_HTTP2_CIPHER_BLOCK_LIST: + config->tls.no_http2_cipher_block_list = util::strieq_l("yes", optarg); return 0; case SHRPX_OPTID_BACKEND_HTTP1_TLS: case SHRPX_OPTID_BACKEND_TLS: @@ -3690,7 +3699,11 @@ int parse_config(Config *config, int optid, const StringRef &opt, return 0; #endif // LIBRESSL_LEGACY_API case SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST: - config->tls.client.no_http2_cipher_black_list = + LOG(WARN) << opt << ": deprecated. Use " + << SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLOCK_LIST << " instead."; + // fall through + case SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLOCK_LIST: + config->tls.client.no_http2_cipher_block_list = util::strieq_l("yes", optarg); return 0; diff --git a/src/shrpx_config.h b/src/shrpx_config.h index ccc6b4a9..c9de44d5 100644 --- a/src/shrpx_config.h +++ b/src/shrpx_config.h 
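Review bot: In the SHRPX_OPTID_NO_HTTP2_CIPHER_BLACK_LIST arm of the @@ -3487 hunk the fall-through into the new SHRPX_OPTID_NO_HTTP2_CIPHER_BLOCK_LIST label is marked only by the `// fall through` comment; GCC's -Wimplicit-fallthrough recognizes that comment but clang's does not, so if the project builds as C++17 or later, `[[fallthrough]];` in place of the comment is the portable way to keep the warning quiet and make the intent compiler-checked. The same applies to the client variant in the @@ -3690 hunk. The logic itself looks right: both spellings end up writing the same `no_http2_cipher_block_list` field after the deprecation warning. parse_config begins and ends outside these hunks.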
@@ -244,6 +244,8 @@ constexpr auto SHRPX_OPT_RESPONSE_HEADER_FIELD_BUFFER = StringRef::from_lit("response-header-field-buffer"); constexpr auto SHRPX_OPT_MAX_RESPONSE_HEADER_FIELDS = StringRef::from_lit("max-response-header-fields"); +constexpr auto SHRPX_OPT_NO_HTTP2_CIPHER_BLOCK_LIST = + StringRef::from_lit("no-http2-cipher-block-list"); constexpr auto SHRPX_OPT_NO_HTTP2_CIPHER_BLACK_LIST = StringRef::from_lit("no-http2-cipher-black-list"); constexpr auto SHRPX_OPT_BACKEND_HTTP1_TLS = @@ -322,6 +324,8 @@ constexpr auto SHRPX_OPT_FRONTEND_KEEP_ALIVE_TIMEOUT = constexpr auto SHRPX_OPT_PSK_SECRETS = StringRef::from_lit("psk-secrets"); constexpr auto SHRPX_OPT_CLIENT_PSK_SECRETS = StringRef::from_lit("client-psk-secrets"); +constexpr auto SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLOCK_LIST = + StringRef::from_lit("client-no-http2-cipher-block-list"); constexpr auto SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST = StringRef::from_lit("client-no-http2-cipher-black-list"); constexpr auto SHRPX_OPT_CLIENT_CIPHERS = StringRef::from_lit("client-ciphers"); @@ -652,7 +656,7 @@ struct TLSConfig { StringRef cert_file; StringRef ciphers; StringRef tls13_ciphers; - bool no_http2_cipher_black_list; + bool no_http2_cipher_block_list; } client; // PSK secrets. The key is identity, and the associated value is @@ -688,7 +692,7 @@ struct TLSConfig { int min_proto_version; int max_proto_version; bool insecure; - bool no_http2_cipher_black_list; + bool no_http2_cipher_block_list; // true if forwarding requests included in TLS early data should not // be postponed until TLS handshake finishes. bool no_postpone_early_data; @@ -1066,6 +1070,7 @@ enum { SHRPX_OPTID_CLIENT_CERT_FILE, SHRPX_OPTID_CLIENT_CIPHERS, SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST, + SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLOCK_LIST, SHRPX_OPTID_CLIENT_PRIVATE_KEY_FILE, SHRPX_OPTID_CLIENT_PROXY, SHRPX_OPTID_CLIENT_PSK_SECRETS, 
@@ -1121,6 +1126,7 @@ enum { SHRPX_OPTID_NO_ADD_X_FORWARDED_PROTO, SHRPX_OPTID_NO_HOST_REWRITE, SHRPX_OPTID_NO_HTTP2_CIPHER_BLACK_LIST, + SHRPX_OPTID_NO_HTTP2_CIPHER_BLOCK_LIST, SHRPX_OPTID_NO_KQUEUE, SHRPX_OPTID_NO_LOCATION_REWRITE, SHRPX_OPTID_NO_OCSP, diff --git a/src/shrpx_connection.cc b/src/shrpx_connection.cc index 1937f45c..ec94b07c 100644 --- a/src/shrpx_connection.cc +++ b/src/shrpx_connection.cc @@ -616,18 +616,18 @@ int Connection::check_http2_requirement() { return -1; } - auto check_black_list = false; + auto check_block_list = false; if (tls.server_handshake) { - check_black_list = !get_config()->tls.no_http2_cipher_black_list; + check_block_list = !get_config()->tls.no_http2_cipher_block_list; } else { - check_black_list = !get_config()->tls.client.no_http2_cipher_black_list; + check_block_list = !get_config()->tls.client.no_http2_cipher_block_list; } - if (check_black_list && - nghttp2::tls::check_http2_cipher_black_list(tls.ssl)) { + if (check_block_list && + nghttp2::tls::check_http2_cipher_block_list(tls.ssl)) { if (LOG_ENABLED(INFO)) { LOG(INFO) << "The negotiated cipher suite is in HTTP/2 cipher suite " - "black list. HTTP/2 must not be used."; + "block list. HTTP/2 must not be used."; } return -1; } diff --git a/src/tls.cc b/src/tls.cc index 6920fe40..a5b0975c 100644 --- a/src/tls.cc +++ b/src/tls.cc @@ -117,7 +117,7 @@ TLSSessionInfo *get_tls_session_info(TLSSessionInfo *tls_info, SSL *ssl) { } /* Conditional logic w/ lookup tables to check if id is one of the - the black listed cipher suites for HTTP/2 described in RFC 7540. + the block listed cipher suites for HTTP/2 described in RFC 7540. https://github.com/jay/http2_blacklisted_ciphers */ #define IS_CIPHER_BANNED_METHOD2(id) \ 
@@ -132,7 +132,7 @@ TLSSessionInfo *get_tls_session_info(TLSSessionInfo *tls_info, SSL *ssl) { [(id & 0xFF) / 8] & \ (1 << (id % 8)))) -bool check_http2_cipher_black_list(SSL *ssl) { +bool check_http2_cipher_block_list(SSL *ssl) { int id = SSL_CIPHER_get_id(SSL_get_current_cipher(ssl)) & 0xFFFFFF; return IS_CIPHER_BANNED_METHOD2(id); @@ -145,7 +145,7 @@ bool check_http2_tls_version(SSL *ssl) { } bool check_http2_requirement(SSL *ssl) { - return check_http2_tls_version(ssl) && !check_http2_cipher_black_list(ssl); + return check_http2_tls_version(ssl) && !check_http2_cipher_block_list(ssl); } void libssl_init() { diff --git a/src/tls.h b/src/tls.h index d6c10db6..ee8a5d7f 100644 --- a/src/tls.h +++ b/src/tls.h @@ -87,14 +87,14 @@ TLSSessionInfo *get_tls_session_info(TLSSessionInfo *tls_info, SSL *ssl); bool check_http2_tls_version(SSL *ssl); // Returns true iff the negotiated cipher suite is in HTTP/2 cipher -// black list. -bool check_http2_cipher_black_list(SSL *ssl); +// block list. +bool check_http2_cipher_block_list(SSL *ssl); // Returns true if SSL/TLS requirement for HTTP/2 is fulfilled. // To fulfill the requirement, the following 2 terms must be hold: // // 1. The negotiated protocol must be TLSv1.2. -// 2. The negotiated cipher cuite is not listed in the black list +// 2. The negotiated cipher cuite is not listed in the block list // described in RFC 7540. bool check_http2_requirement(SSL *ssl);