Replace black-list with block-list

nghttpx --no-http2-cipher-black-list and
--client-no-http2-cipher-black-list are deprecated and replaced with
--no-http2-cipher-block-list and --client-no-http2-cipher-block-list
respectively.

doc/sources/nghttpx-howto.rst

@@ -445,10 +445,10 @@ nghttpx server accepts any of the identity and secret pairs in the
 file.  The default cipher suite list does not contain PSK cipher
 suites.  In order to use PSK, PSK cipher suite must be enabled by
 using :option:`--ciphers` option.  The desired PSK cipher suite may be
-listed in `HTTP/2 cipher black list
+listed in `HTTP/2 cipher block list
 <https://tools.ietf.org/html/rfc7540#appendix-A>`_.  In order to use
-such PSK cipher suite with HTTP/2, disable HTTP/2 cipher black list by
+such PSK cipher suite with HTTP/2, disable HTTP/2 cipher block list by
-using :option:`--no-http2-cipher-black-list` option.  But you should
+using :option:`--no-http2-cipher-block-list` option.  But you should
 understand its implications.
 
 At the time of writing, even if only PSK cipher suites are specified
@@ -468,10 +468,10 @@ used, like so:
 The default cipher suite list does not contain PSK cipher suites.  In
 order to use PSK, PSK cipher suite must be enabled by using
 :option:`--client-ciphers` option.  The desired PSK cipher suite may
-be listed in `HTTP/2 cipher black list
+be listed in `HTTP/2 cipher block list
 <https://tools.ietf.org/html/rfc7540#appendix-A>`_.  In order to use
-such PSK cipher suite with HTTP/2, disable HTTP/2 cipher black list by
+such PSK cipher suite with HTTP/2, disable HTTP/2 cipher block list by
-using :option:`--client-no-http2-cipher-black-list` option.  But you
+using :option:`--client-no-http2-cipher-block-list` option.  But you
 should understand its implications.
 
 TLSv1.3
@@ -516,10 +516,10 @@ As of nghttpx v1.19.0, :option:`--ciphers` option only changes cipher
 list for frontend TLS connection.  In order to change cipher list for
 backend connection, use :option:`--client-ciphers` option.
 
-Similarly, :option:`--no-http2-cipher-black-list` option only disables
+Similarly, :option:`--no-http2-cipher-block-list` option only disables
-HTTP/2 cipher black list for frontend connection.  In order to disable
+HTTP/2 cipher block list for frontend connection.  In order to disable
-HTTP/2 cipher black list for backend connection, use
+HTTP/2 cipher block list for backend connection, use
-:option:`--client-no-http2-cipher-black-list` option.
+:option:`--client-no-http2-cipher-block-list` option.
 
 ``--accept-proxy-protocol`` option was deprecated.  Instead, use
 ``proxyproto`` parameter in :option:`--frontend` option to enable

gennghttpxfun.py

@@ -113,6 +113,7 @@ OPTIONS = [
     "max-request-header-fields",
     "header-field-buffer",
     "max-header-fields",
+    "no-http2-cipher-block-list",
     "no-http2-cipher-black-list",
     "backend-http1-tls",
     "tls-session-cache-memcached-cert-file",
@@ -155,6 +156,7 @@ OPTIONS = [
     "frontend-keep-alive-timeout",
     "psk-secrets",
     "client-psk-secrets",
+    "client-no-http2-cipher-block-list",
     "client-no-http2-cipher-black-list",
     "client-ciphers",
     "accesslog-write-early",

src/shrpx.cc

@@ -2388,16 +2388,16 @@ SSL/TLS:
               TLS HTTP/2 backends.
               Default: )"
       << util::duration_str(config->tls.dyn_rec.idle_timeout) << R"(
-  --no-http2-cipher-black-list
+  --no-http2-cipher-block-list
-              Allow  black  listed  cipher suite  on  frontend  HTTP/2
+              Allow  block  listed  cipher suite  on  frontend  HTTP/2
               connection.                                          See
               https://tools.ietf.org/html/rfc7540#appendix-A  for  the
-              complete HTTP/2 cipher suites black list.
+              complete HTTP/2 cipher suites block list.
-  --client-no-http2-cipher-black-list
+  --client-no-http2-cipher-block-list
-              Allow  black  listed  cipher  suite  on  backend  HTTP/2
+              Allow  block  listed  cipher  suite  on  backend  HTTP/2
               connection.                                          See
               https://tools.ietf.org/html/rfc7540#appendix-A  for  the
-              complete HTTP/2 cipher suites black list.
+              complete HTTP/2 cipher suites block list.
   --tls-sct-dir=<DIR>
               Specifies the  directory where  *.sct files  exist.  All
               *.sct   files   in  <DIR>   are   read,   and  sent   as
@@ -2416,9 +2416,9 @@ SSL/TLS:
               are skipped.  The default  enabled cipher list might not
               contain any PSK cipher suite.  In that case, desired PSK
               cipher suites  must be  enabled using  --ciphers option.
-              The  desired PSK  cipher suite  may be  black listed  by
+              The  desired PSK  cipher suite  may be  block listed  by
               HTTP/2.   To  use  those   cipher  suites  with  HTTP/2,
-              consider  to  use  --no-http2-cipher-black-list  option.
+              consider  to  use  --no-http2-cipher-block-list  option.
               But be aware its implications.
   --client-psk-secrets=<PATH>
               Read PSK identity and secrets from <PATH>.  This is used
@@ -2430,9 +2430,9 @@ SSL/TLS:
               The default  enabled cipher  list might not  contain any
               PSK  cipher suite.   In  that case,  desired PSK  cipher
               suites  must be  enabled using  --client-ciphers option.
-              The  desired PSK  cipher suite  may be  black listed  by
+              The  desired PSK  cipher suite  may be  block listed  by
               HTTP/2.   To  use  those   cipher  suites  with  HTTP/2,
-              consider   to  use   --client-no-http2-cipher-black-list
+              consider   to  use   --client-no-http2-cipher-block-list
               option.  But be aware its implications.
   --tls-no-postpone-early-data
               By default,  nghttpx postpones forwarding  HTTP requests
@@ -3531,6 +3531,9 @@ int main(int argc, char **argv) {
         {SHRPX_OPT_TLS13_CLIENT_CIPHERS.c_str(), required_argument, &flag, 165},
         {SHRPX_OPT_NO_STRIP_INCOMING_EARLY_DATA.c_str(), no_argument, &flag,
          166},
+        {SHRPX_OPT_NO_HTTP2_CIPHER_BLOCK_LIST.c_str(), no_argument, &flag, 167},
+        {SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLOCK_LIST.c_str(), no_argument,
+         &flag, 168},
         {nullptr, 0, nullptr, 0}};
 
     int option_index = 0;
@@ -4324,6 +4327,16 @@ int main(int argc, char **argv) {
         cmdcfgs.emplace_back(SHRPX_OPT_NO_STRIP_INCOMING_EARLY_DATA,
                              StringRef::from_lit("yes"));
         break;
+      case 167:
+        // --no-http2-cipher-block-list
+        cmdcfgs.emplace_back(SHRPX_OPT_NO_HTTP2_CIPHER_BLOCK_LIST,
+                             StringRef::from_lit("yes"));
+        break;
+      case 168:
+        // --client-no-http2-cipher-block-list
+        cmdcfgs.emplace_back(SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLOCK_LIST,
+                             StringRef::from_lit("yes"));
+        break;
       default:
         break;
       }

src/shrpx_config.cc

@@ -2282,6 +2282,9 @@ int option_lookup_token(const char *name, size_t namelen) {
       if (util::strieq_l("no-http2-cipher-black-lis", name, 25)) {
         return SHRPX_OPTID_NO_HTTP2_CIPHER_BLACK_LIST;
       }
+      if (util::strieq_l("no-http2-cipher-block-lis", name, 25)) {
+        return SHRPX_OPTID_NO_HTTP2_CIPHER_BLOCK_LIST;
+      }
       break;
     }
     break;
@@ -2403,6 +2406,9 @@ int option_lookup_token(const char *name, size_t namelen) {
       if (util::strieq_l("client-no-http2-cipher-black-lis", name, 32)) {
         return SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST;
       }
+      if (util::strieq_l("client-no-http2-cipher-block-lis", name, 32)) {
+        return SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLOCK_LIST;
+      }
       break;
     }
     break;
@@ -3487,8 +3493,11 @@ int parse_config(Config *config, int optid, const StringRef &opt,
     return 0;
   }
   case SHRPX_OPTID_NO_HTTP2_CIPHER_BLACK_LIST:
-    config->tls.no_http2_cipher_black_list = util::strieq_l("yes", optarg);
+    LOG(WARN) << opt << ": deprecated.  Use "
-
+              << SHRPX_OPT_NO_HTTP2_CIPHER_BLOCK_LIST << " instead.";
+    // fall through
+  case SHRPX_OPTID_NO_HTTP2_CIPHER_BLOCK_LIST:
+    config->tls.no_http2_cipher_block_list = util::strieq_l("yes", optarg);
     return 0;
   case SHRPX_OPTID_BACKEND_HTTP1_TLS:
   case SHRPX_OPTID_BACKEND_TLS:
@@ -3690,7 +3699,11 @@ int parse_config(Config *config, int optid, const StringRef &opt,
     return 0;
 #endif // LIBRESSL_LEGACY_API
   case SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST:
-    config->tls.client.no_http2_cipher_black_list =
+    LOG(WARN) << opt << ": deprecated.  Use "
+              << SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLOCK_LIST << " instead.";
+    // fall through
+  case SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLOCK_LIST:
+    config->tls.client.no_http2_cipher_block_list =
         util::strieq_l("yes", optarg);
 
     return 0;

src/shrpx_config.h

@@ -244,6 +244,8 @@ constexpr auto SHRPX_OPT_RESPONSE_HEADER_FIELD_BUFFER =
     StringRef::from_lit("response-header-field-buffer");
 constexpr auto SHRPX_OPT_MAX_RESPONSE_HEADER_FIELDS =
     StringRef::from_lit("max-response-header-fields");
+constexpr auto SHRPX_OPT_NO_HTTP2_CIPHER_BLOCK_LIST =
+    StringRef::from_lit("no-http2-cipher-block-list");
 constexpr auto SHRPX_OPT_NO_HTTP2_CIPHER_BLACK_LIST =
     StringRef::from_lit("no-http2-cipher-black-list");
 constexpr auto SHRPX_OPT_BACKEND_HTTP1_TLS =
@@ -322,6 +324,8 @@ constexpr auto SHRPX_OPT_FRONTEND_KEEP_ALIVE_TIMEOUT =
 constexpr auto SHRPX_OPT_PSK_SECRETS = StringRef::from_lit("psk-secrets");
 constexpr auto SHRPX_OPT_CLIENT_PSK_SECRETS =
     StringRef::from_lit("client-psk-secrets");
+constexpr auto SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLOCK_LIST =
+    StringRef::from_lit("client-no-http2-cipher-block-list");
 constexpr auto SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST =
     StringRef::from_lit("client-no-http2-cipher-black-list");
 constexpr auto SHRPX_OPT_CLIENT_CIPHERS = StringRef::from_lit("client-ciphers");
@@ -652,7 +656,7 @@ struct TLSConfig {
     StringRef cert_file;
     StringRef ciphers;
     StringRef tls13_ciphers;
-    bool no_http2_cipher_black_list;
+    bool no_http2_cipher_block_list;
   } client;
 
   // PSK secrets.  The key is identity, and the associated value is
@@ -688,7 +692,7 @@ struct TLSConfig {
   int min_proto_version;
   int max_proto_version;
   bool insecure;
-  bool no_http2_cipher_black_list;
+  bool no_http2_cipher_block_list;
   // true if forwarding requests included in TLS early data should not
   // be postponed until TLS handshake finishes.
   bool no_postpone_early_data;
@@ -1066,6 +1070,7 @@ enum {
   SHRPX_OPTID_CLIENT_CERT_FILE,
   SHRPX_OPTID_CLIENT_CIPHERS,
   SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST,
+  SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLOCK_LIST,
   SHRPX_OPTID_CLIENT_PRIVATE_KEY_FILE,
   SHRPX_OPTID_CLIENT_PROXY,
   SHRPX_OPTID_CLIENT_PSK_SECRETS,
@@ -1121,6 +1126,7 @@ enum {
   SHRPX_OPTID_NO_ADD_X_FORWARDED_PROTO,
   SHRPX_OPTID_NO_HOST_REWRITE,
   SHRPX_OPTID_NO_HTTP2_CIPHER_BLACK_LIST,
+  SHRPX_OPTID_NO_HTTP2_CIPHER_BLOCK_LIST,
   SHRPX_OPTID_NO_KQUEUE,
   SHRPX_OPTID_NO_LOCATION_REWRITE,
   SHRPX_OPTID_NO_OCSP,

src/shrpx_connection.cc

@@ -616,18 +616,18 @@ int Connection::check_http2_requirement() {
     return -1;
   }
 
-  auto check_black_list = false;
+  auto check_block_list = false;
   if (tls.server_handshake) {
-    check_black_list = !get_config()->tls.no_http2_cipher_black_list;
+    check_block_list = !get_config()->tls.no_http2_cipher_block_list;
   } else {
-    check_black_list = !get_config()->tls.client.no_http2_cipher_black_list;
+    check_block_list = !get_config()->tls.client.no_http2_cipher_block_list;
   }
 
-  if (check_black_list &&
+  if (check_block_list &&
-      nghttp2::tls::check_http2_cipher_black_list(tls.ssl)) {
+      nghttp2::tls::check_http2_cipher_block_list(tls.ssl)) {
     if (LOG_ENABLED(INFO)) {
       LOG(INFO) << "The negotiated cipher suite is in HTTP/2 cipher suite "
-                   "black list.  HTTP/2 must not be used.";
+                   "block list.  HTTP/2 must not be used.";
     }
     return -1;
   }

src/tls.cc

@@ -117,7 +117,7 @@ TLSSessionInfo *get_tls_session_info(TLSSessionInfo *tls_info, SSL *ssl) {
 }
 
 /* Conditional logic w/ lookup tables to check if id is one of the
-   the black listed cipher suites for HTTP/2 described in RFC 7540.
+   the block listed cipher suites for HTTP/2 described in RFC 7540.
    https://github.com/jay/http2_blacklisted_ciphers
 */
 #define IS_CIPHER_BANNED_METHOD2(id)                                           \
@@ -132,7 +132,7 @@ TLSSessionInfo *get_tls_session_info(TLSSessionInfo *tls_info, SSL *ssl) {
             [(id & 0xFF) / 8] &                                                \
         (1 << (id % 8))))
 
-bool check_http2_cipher_black_list(SSL *ssl) {
+bool check_http2_cipher_block_list(SSL *ssl) {
   int id = SSL_CIPHER_get_id(SSL_get_current_cipher(ssl)) & 0xFFFFFF;
 
   return IS_CIPHER_BANNED_METHOD2(id);
@@ -145,7 +145,7 @@ bool check_http2_tls_version(SSL *ssl) {
 }
 
 bool check_http2_requirement(SSL *ssl) {
-  return check_http2_tls_version(ssl) && !check_http2_cipher_black_list(ssl);
+  return check_http2_tls_version(ssl) && !check_http2_cipher_block_list(ssl);
 }
 
 void libssl_init() {

src/tls.h

@@ -87,14 +87,14 @@ TLSSessionInfo *get_tls_session_info(TLSSessionInfo *tls_info, SSL *ssl);
 bool check_http2_tls_version(SSL *ssl);
 
 // Returns true iff the negotiated cipher suite is in HTTP/2 cipher
-// black list.
+// block list.
-bool check_http2_cipher_black_list(SSL *ssl);
+bool check_http2_cipher_block_list(SSL *ssl);
 
 // Returns true if SSL/TLS requirement for HTTP/2 is fulfilled.
 // To fulfill the requirement, the following 2 terms must be hold:
 //
 // 1. The negotiated protocol must be TLSv1.2.
-// 2. The negotiated cipher cuite is not listed in the black list
+// 2. The negotiated cipher cuite is not listed in the block list
 //    described in RFC 7540.
 bool check_http2_requirement(SSL *ssl);