Replace black-list with block-list

nghttpx --no-http2-cipher-black-list and
--client-no-http2-cipher-black-list are deprecated and replaced with
--no-http2-cipher-block-list and --client-no-http2-cipher-block-list
respectively.
Tatsuhiro Tsujikawa 2021-04-02 22:31:15 +09:00
parent 617a5766a2
commit cef458c31c
8 changed files with 71 additions and 37 deletions


@ -445,10 +445,10 @@ nghttpx server accepts any of the identity and secret pairs in the
file. The default cipher suite list does not contain PSK cipher file. The default cipher suite list does not contain PSK cipher
suites. In order to use PSK, PSK cipher suite must be enabled by suites. In order to use PSK, PSK cipher suite must be enabled by
using :option:`--ciphers` option. The desired PSK cipher suite may be using :option:`--ciphers` option. The desired PSK cipher suite may be
listed in `HTTP/2 cipher black list listed in `HTTP/2 cipher block list
<https://tools.ietf.org/html/rfc7540#appendix-A>`_. In order to use <https://tools.ietf.org/html/rfc7540#appendix-A>`_. In order to use
such PSK cipher suite with HTTP/2, disable HTTP/2 cipher black list by such PSK cipher suite with HTTP/2, disable HTTP/2 cipher block list by
using :option:`--no-http2-cipher-black-list` option. But you should using :option:`--no-http2-cipher-block-list` option. But you should
understand its implications. understand its implications.
At the time of writing, even if only PSK cipher suites are specified At the time of writing, even if only PSK cipher suites are specified
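Review bot: The manual is switched to the new option name here (`using :option:`--no-http2-cipher-block-list` option.`) without telling readers that the old spelling is still accepted but deprecated, so an operator with an existing config file who reads this page cannot tell whether `--no-http2-cipher-black-list` still works. Suggest one sentence after that line stating that the old name is deprecated in favour of the new one and only emits a warning; the backend paragraph in the next hunk (`--client-no-http2-cipher-block-list`) needs the same note.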
@ -468,10 +468,10 @@ used, like so:
The default cipher suite list does not contain PSK cipher suites. In The default cipher suite list does not contain PSK cipher suites. In
order to use PSK, PSK cipher suite must be enabled by using order to use PSK, PSK cipher suite must be enabled by using
:option:`--client-ciphers` option. The desired PSK cipher suite may :option:`--client-ciphers` option. The desired PSK cipher suite may
be listed in `HTTP/2 cipher black list be listed in `HTTP/2 cipher block list
<https://tools.ietf.org/html/rfc7540#appendix-A>`_. In order to use <https://tools.ietf.org/html/rfc7540#appendix-A>`_. In order to use
such PSK cipher suite with HTTP/2, disable HTTP/2 cipher black list by such PSK cipher suite with HTTP/2, disable HTTP/2 cipher block list by
using :option:`--client-no-http2-cipher-black-list` option. But you using :option:`--client-no-http2-cipher-block-list` option. But you
should understand its implications. should understand its implications.
TLSv1.3 TLSv1.3
@ -516,10 +516,10 @@ As of nghttpx v1.19.0, :option:`--ciphers` option only changes cipher
list for frontend TLS connection. In order to change cipher list for list for frontend TLS connection. In order to change cipher list for
backend connection, use :option:`--client-ciphers` option. backend connection, use :option:`--client-ciphers` option.
Similarly, :option:`--no-http2-cipher-black-list` option only disables Similarly, :option:`--no-http2-cipher-block-list` option only disables
HTTP/2 cipher black list for frontend connection. In order to disable HTTP/2 cipher block list for frontend connection. In order to disable
HTTP/2 cipher black list for backend connection, use HTTP/2 cipher block list for backend connection, use
:option:`--client-no-http2-cipher-black-list` option. :option:`--client-no-http2-cipher-block-list` option.
``--accept-proxy-protocol`` option was deprecated. Instead, use ``--accept-proxy-protocol`` option was deprecated. Instead, use
``proxyproto`` parameter in :option:`--frontend` option to enable ``proxyproto`` parameter in :option:`--frontend` option to enable


@ -113,6 +113,7 @@ OPTIONS = [
"max-request-header-fields", "max-request-header-fields",
"header-field-buffer", "header-field-buffer",
"max-header-fields", "max-header-fields",
"no-http2-cipher-block-list",
"no-http2-cipher-black-list", "no-http2-cipher-black-list",
"backend-http1-tls", "backend-http1-tls",
"tls-session-cache-memcached-cert-file", "tls-session-cache-memcached-cert-file",
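Review bot: Both spellings have to stay in OPTIONS for as long as the deprecated name is parsed, because the prefix comparisons added to option_lookup_token in this diff follow the pattern of code generated from this list; a trailing comment on `"no-http2-cipher-black-list",` (and on the client entry in the next hunk) marking it deprecated would let the generator entry, the SHRPX_OPT_*_BLACK_LIST constants and the parse_config warning be removed together later.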
@ -155,6 +156,7 @@ OPTIONS = [
"frontend-keep-alive-timeout", "frontend-keep-alive-timeout",
"psk-secrets", "psk-secrets",
"client-psk-secrets", "client-psk-secrets",
"client-no-http2-cipher-block-list",
"client-no-http2-cipher-black-list", "client-no-http2-cipher-black-list",
"client-ciphers", "client-ciphers",
"accesslog-write-early", "accesslog-write-early",


@ -2388,16 +2388,16 @@ SSL/TLS:
TLS HTTP/2 backends. TLS HTTP/2 backends.
Default: )" Default: )"
<< util::duration_str(config->tls.dyn_rec.idle_timeout) << R"( << util::duration_str(config->tls.dyn_rec.idle_timeout) << R"(
--no-http2-cipher-black-list --no-http2-cipher-block-list
Allow black listed cipher suite on frontend HTTP/2 Allow block listed cipher suite on frontend HTTP/2
connection. See connection. See
https://tools.ietf.org/html/rfc7540#appendix-A for the https://tools.ietf.org/html/rfc7540#appendix-A for the
complete HTTP/2 cipher suites black list. complete HTTP/2 cipher suites block list.
--client-no-http2-cipher-black-list --client-no-http2-cipher-block-list
Allow black listed cipher suite on backend HTTP/2 Allow block listed cipher suite on backend HTTP/2
connection. See connection. See
https://tools.ietf.org/html/rfc7540#appendix-A for the https://tools.ietf.org/html/rfc7540#appendix-A for the
complete HTTP/2 cipher suites black list. complete HTTP/2 cipher suites block list.
--tls-sct-dir=<DIR> --tls-sct-dir=<DIR>
Specifies the directory where *.sct files exist. All Specifies the directory where *.sct files exist. All
*.sct files in <DIR> are read, and sent as *.sct files in <DIR> are read, and sent as
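Review bot: The help text for `--no-http2-cipher-block-list` describes the effect but not the risk: "Allow block listed cipher suite on frontend HTTP/2 connection" reads as a neutral knob, whereas the suites in RFC 7540 Appendix A are listed because they do not meet HTTP/2's TLS requirements, and a peer may reject the connection with INADEQUATE_SECURITY when one of them is negotiated. Suggest closing both entries the way the `--psk-secrets` entry does ("But be aware its implications"), or better, saying explicitly that peers may refuse HTTP/2 over such a suite.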
@ -2416,9 +2416,9 @@ SSL/TLS:
are skipped. The default enabled cipher list might not are skipped. The default enabled cipher list might not
contain any PSK cipher suite. In that case, desired PSK contain any PSK cipher suite. In that case, desired PSK
cipher suites must be enabled using --ciphers option. cipher suites must be enabled using --ciphers option.
The desired PSK cipher suite may be black listed by The desired PSK cipher suite may be block listed by
HTTP/2. To use those cipher suites with HTTP/2, HTTP/2. To use those cipher suites with HTTP/2,
consider to use --no-http2-cipher-black-list option. consider to use --no-http2-cipher-block-list option.
But be aware its implications. But be aware its implications.
--client-psk-secrets=<PATH> --client-psk-secrets=<PATH>
Read PSK identity and secrets from <PATH>. This is used Read PSK identity and secrets from <PATH>. This is used
@ -2430,9 +2430,9 @@ SSL/TLS:
The default enabled cipher list might not contain any The default enabled cipher list might not contain any
PSK cipher suite. In that case, desired PSK cipher PSK cipher suite. In that case, desired PSK cipher
suites must be enabled using --client-ciphers option. suites must be enabled using --client-ciphers option.
The desired PSK cipher suite may be black listed by The desired PSK cipher suite may be block listed by
HTTP/2. To use those cipher suites with HTTP/2, HTTP/2. To use those cipher suites with HTTP/2,
consider to use --client-no-http2-cipher-black-list consider to use --client-no-http2-cipher-block-list
option. But be aware its implications. option. But be aware its implications.
--tls-no-postpone-early-data --tls-no-postpone-early-data
By default, nghttpx postpones forwarding HTTP requests By default, nghttpx postpones forwarding HTTP requests
@ -3531,6 +3531,9 @@ int main(int argc, char **argv) {
{SHRPX_OPT_TLS13_CLIENT_CIPHERS.c_str(), required_argument, &flag, 165}, {SHRPX_OPT_TLS13_CLIENT_CIPHERS.c_str(), required_argument, &flag, 165},
{SHRPX_OPT_NO_STRIP_INCOMING_EARLY_DATA.c_str(), no_argument, &flag, {SHRPX_OPT_NO_STRIP_INCOMING_EARLY_DATA.c_str(), no_argument, &flag,
166}, 166},
{SHRPX_OPT_NO_HTTP2_CIPHER_BLOCK_LIST.c_str(), no_argument, &flag, 167},
{SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLOCK_LIST.c_str(), no_argument,
&flag, 168},
{nullptr, 0, nullptr, 0}}; {nullptr, 0, nullptr, 0}};
int option_index = 0; int option_index = 0;
@ -4324,6 +4327,16 @@ int main(int argc, char **argv) {
cmdcfgs.emplace_back(SHRPX_OPT_NO_STRIP_INCOMING_EARLY_DATA, cmdcfgs.emplace_back(SHRPX_OPT_NO_STRIP_INCOMING_EARLY_DATA,
StringRef::from_lit("yes")); StringRef::from_lit("yes"));
break; break;
case 167:
// --no-http2-cipher-block-list
cmdcfgs.emplace_back(SHRPX_OPT_NO_HTTP2_CIPHER_BLOCK_LIST,
StringRef::from_lit("yes"));
break;
case 168:
// --client-no-http2-cipher-block-list
cmdcfgs.emplace_back(SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLOCK_LIST,
StringRef::from_lit("yes"));
break;
default: default:
break; break;
} }


@ -2282,6 +2282,9 @@ int option_lookup_token(const char *name, size_t namelen) {
if (util::strieq_l("no-http2-cipher-black-lis", name, 25)) { if (util::strieq_l("no-http2-cipher-black-lis", name, 25)) {
return SHRPX_OPTID_NO_HTTP2_CIPHER_BLACK_LIST; return SHRPX_OPTID_NO_HTTP2_CIPHER_BLACK_LIST;
} }
if (util::strieq_l("no-http2-cipher-block-lis", name, 25)) {
return SHRPX_OPTID_NO_HTTP2_CIPHER_BLOCK_LIST;
}
break; break;
} }
break; break;
@ -2403,6 +2406,9 @@ int option_lookup_token(const char *name, size_t namelen) {
if (util::strieq_l("client-no-http2-cipher-black-lis", name, 32)) { if (util::strieq_l("client-no-http2-cipher-black-lis", name, 32)) {
return SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST; return SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST;
} }
if (util::strieq_l("client-no-http2-cipher-block-lis", name, 32)) {
return SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLOCK_LIST;
}
break; break;
} }
break; break;
@ -3487,8 +3493,11 @@ int parse_config(Config *config, int optid, const StringRef &opt,
return 0; return 0;
} }
case SHRPX_OPTID_NO_HTTP2_CIPHER_BLACK_LIST: case SHRPX_OPTID_NO_HTTP2_CIPHER_BLACK_LIST:
config->tls.no_http2_cipher_black_list = util::strieq_l("yes", optarg); LOG(WARN) << opt << ": deprecated. Use "
<< SHRPX_OPT_NO_HTTP2_CIPHER_BLOCK_LIST << " instead.";
// fall through
case SHRPX_OPTID_NO_HTTP2_CIPHER_BLOCK_LIST:
config->tls.no_http2_cipher_block_list = util::strieq_l("yes", optarg);
return 0; return 0;
case SHRPX_OPTID_BACKEND_HTTP1_TLS: case SHRPX_OPTID_BACKEND_HTTP1_TLS:
case SHRPX_OPTID_BACKEND_TLS: case SHRPX_OPTID_BACKEND_TLS:
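Review bot: The deprecation path relies on a bare `// fall through` comment between the BLACK_LIST and BLOCK_LIST cases; GCC accepts that comment for -Wimplicit-fallthrough, Clang does not, so if the project builds as C++17 the portable marker is `[[fallthrough]];`. Worth a line in the commit message as well: both spellings now write the single `config->tls.no_http2_cipher_block_list` field, so when a config file sets one name and the command line the other, whichever is parsed last wins. That is the intended compatibility behaviour, but it is not obvious from the warning text. The client variant in the next hunk has the same two points.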
@ -3690,7 +3699,11 @@ int parse_config(Config *config, int optid, const StringRef &opt,
return 0; return 0;
#endif // LIBRESSL_LEGACY_API #endif // LIBRESSL_LEGACY_API
case SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST: case SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST:
config->tls.client.no_http2_cipher_black_list = LOG(WARN) << opt << ": deprecated. Use "
<< SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLOCK_LIST << " instead.";
// fall through
case SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLOCK_LIST:
config->tls.client.no_http2_cipher_block_list =
util::strieq_l("yes", optarg); util::strieq_l("yes", optarg);
return 0; return 0;


@ -244,6 +244,8 @@ constexpr auto SHRPX_OPT_RESPONSE_HEADER_FIELD_BUFFER =
StringRef::from_lit("response-header-field-buffer"); StringRef::from_lit("response-header-field-buffer");
constexpr auto SHRPX_OPT_MAX_RESPONSE_HEADER_FIELDS = constexpr auto SHRPX_OPT_MAX_RESPONSE_HEADER_FIELDS =
StringRef::from_lit("max-response-header-fields"); StringRef::from_lit("max-response-header-fields");
constexpr auto SHRPX_OPT_NO_HTTP2_CIPHER_BLOCK_LIST =
StringRef::from_lit("no-http2-cipher-block-list");
constexpr auto SHRPX_OPT_NO_HTTP2_CIPHER_BLACK_LIST = constexpr auto SHRPX_OPT_NO_HTTP2_CIPHER_BLACK_LIST =
StringRef::from_lit("no-http2-cipher-black-list"); StringRef::from_lit("no-http2-cipher-black-list");
constexpr auto SHRPX_OPT_BACKEND_HTTP1_TLS = constexpr auto SHRPX_OPT_BACKEND_HTTP1_TLS =
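Review bot: The retained `SHRPX_OPT_NO_HTTP2_CIPHER_BLACK_LIST` constant carries no marker that it is deprecated; a one-line comment above it pointing at `SHRPX_OPT_NO_HTTP2_CIPHER_BLOCK_LIST` (and the same for the client pair two hunks down) makes the eventual removal a grep away and stops new code from picking the old name.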
@ -322,6 +324,8 @@ constexpr auto SHRPX_OPT_FRONTEND_KEEP_ALIVE_TIMEOUT =
constexpr auto SHRPX_OPT_PSK_SECRETS = StringRef::from_lit("psk-secrets"); constexpr auto SHRPX_OPT_PSK_SECRETS = StringRef::from_lit("psk-secrets");
constexpr auto SHRPX_OPT_CLIENT_PSK_SECRETS = constexpr auto SHRPX_OPT_CLIENT_PSK_SECRETS =
StringRef::from_lit("client-psk-secrets"); StringRef::from_lit("client-psk-secrets");
constexpr auto SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLOCK_LIST =
StringRef::from_lit("client-no-http2-cipher-block-list");
constexpr auto SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST = constexpr auto SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST =
StringRef::from_lit("client-no-http2-cipher-black-list"); StringRef::from_lit("client-no-http2-cipher-black-list");
constexpr auto SHRPX_OPT_CLIENT_CIPHERS = StringRef::from_lit("client-ciphers"); constexpr auto SHRPX_OPT_CLIENT_CIPHERS = StringRef::from_lit("client-ciphers");
@ -652,7 +656,7 @@ struct TLSConfig {
StringRef cert_file; StringRef cert_file;
StringRef ciphers; StringRef ciphers;
StringRef tls13_ciphers; StringRef tls13_ciphers;
bool no_http2_cipher_black_list; bool no_http2_cipher_block_list;
} client; } client;
// PSK secrets. The key is identity, and the associated value is // PSK secrets. The key is identity, and the associated value is
@ -688,7 +692,7 @@ struct TLSConfig {
int min_proto_version; int min_proto_version;
int max_proto_version; int max_proto_version;
bool insecure; bool insecure;
bool no_http2_cipher_black_list; bool no_http2_cipher_block_list;
// true if forwarding requests included in TLS early data should not // true if forwarding requests included in TLS early data should not
// be postponed until TLS handshake finishes. // be postponed until TLS handshake finishes.
bool no_postpone_early_data; bool no_postpone_early_data;
@ -1066,6 +1070,7 @@ enum {
SHRPX_OPTID_CLIENT_CERT_FILE, SHRPX_OPTID_CLIENT_CERT_FILE,
SHRPX_OPTID_CLIENT_CIPHERS, SHRPX_OPTID_CLIENT_CIPHERS,
SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST, SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST,
SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLOCK_LIST,
SHRPX_OPTID_CLIENT_PRIVATE_KEY_FILE, SHRPX_OPTID_CLIENT_PRIVATE_KEY_FILE,
SHRPX_OPTID_CLIENT_PROXY, SHRPX_OPTID_CLIENT_PROXY,
SHRPX_OPTID_CLIENT_PSK_SECRETS, SHRPX_OPTID_CLIENT_PSK_SECRETS,
@ -1121,6 +1126,7 @@ enum {
SHRPX_OPTID_NO_ADD_X_FORWARDED_PROTO, SHRPX_OPTID_NO_ADD_X_FORWARDED_PROTO,
SHRPX_OPTID_NO_HOST_REWRITE, SHRPX_OPTID_NO_HOST_REWRITE,
SHRPX_OPTID_NO_HTTP2_CIPHER_BLACK_LIST, SHRPX_OPTID_NO_HTTP2_CIPHER_BLACK_LIST,
SHRPX_OPTID_NO_HTTP2_CIPHER_BLOCK_LIST,
SHRPX_OPTID_NO_KQUEUE, SHRPX_OPTID_NO_KQUEUE,
SHRPX_OPTID_NO_LOCATION_REWRITE, SHRPX_OPTID_NO_LOCATION_REWRITE,
SHRPX_OPTID_NO_OCSP, SHRPX_OPTID_NO_OCSP,


@ -616,18 +616,18 @@ int Connection::check_http2_requirement() {
return -1; return -1;
} }
auto check_black_list = false; auto check_block_list = false;
if (tls.server_handshake) { if (tls.server_handshake) {
check_black_list = !get_config()->tls.no_http2_cipher_black_list; check_block_list = !get_config()->tls.no_http2_cipher_block_list;
} else { } else {
check_black_list = !get_config()->tls.client.no_http2_cipher_black_list; check_block_list = !get_config()->tls.client.no_http2_cipher_block_list;
} }
if (check_black_list && if (check_block_list &&
nghttp2::tls::check_http2_cipher_black_list(tls.ssl)) { nghttp2::tls::check_http2_cipher_block_list(tls.ssl)) {
if (LOG_ENABLED(INFO)) { if (LOG_ENABLED(INFO)) {
LOG(INFO) << "The negotiated cipher suite is in HTTP/2 cipher suite " LOG(INFO) << "The negotiated cipher suite is in HTTP/2 cipher suite "
"black list. HTTP/2 must not be used."; "block list. HTTP/2 must not be used.";
} }
return -1; return -1;
} }
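Review bot: When `no_http2_cipher_block_list` is set the whole check is skipped and nothing is logged, so a block-listed suite negotiated on an HTTP/2 connection leaves no trace; the option help tells the operator to understand the implications, and a log line is the cheapest way to make them visible. Suggest evaluating `nghttp2::tls::check_http2_cipher_block_list(tls.ssl)` regardless of the flag and, when the flag is set and the result is true, emitting a WARN such as "negotiated cipher suite is in HTTP/2 block list; allowed by --no-http2-cipher-block-list" before continuing, keeping the existing `return -1` path for the enforced case.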


@ -117,7 +117,7 @@ TLSSessionInfo *get_tls_session_info(TLSSessionInfo *tls_info, SSL *ssl) {
} }
/* Conditional logic w/ lookup tables to check if id is one of the /* Conditional logic w/ lookup tables to check if id is one of the
the black listed cipher suites for HTTP/2 described in RFC 7540. the block listed cipher suites for HTTP/2 described in RFC 7540.
https://github.com/jay/http2_blacklisted_ciphers https://github.com/jay/http2_blacklisted_ciphers
*/ */
#define IS_CIPHER_BANNED_METHOD2(id) \ #define IS_CIPHER_BANNED_METHOD2(id) \
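Review bot: The comment now reads "one of the / the block listed cipher suites" with a duplicated "the" across the line break; while touching it, the `https://github.com/jay/http2_blacklisted_ciphers` URL is an external project name and is correctly left unrenamed, so a short remark that the upstream table keeps its original name would stop a later search-and-replace from breaking the link.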
@ -132,7 +132,7 @@ TLSSessionInfo *get_tls_session_info(TLSSessionInfo *tls_info, SSL *ssl) {
[(id & 0xFF) / 8] & \ [(id & 0xFF) / 8] & \
(1 << (id % 8)))) (1 << (id % 8))))
bool check_http2_cipher_black_list(SSL *ssl) { bool check_http2_cipher_block_list(SSL *ssl) {
int id = SSL_CIPHER_get_id(SSL_get_current_cipher(ssl)) & 0xFFFFFF; int id = SSL_CIPHER_get_id(SSL_get_current_cipher(ssl)) & 0xFFFFFF;
return IS_CIPHER_BANNED_METHOD2(id); return IS_CIPHER_BANNED_METHOD2(id);
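Review bot: `check_http2_cipher_block_list` passes the result of `SSL_get_current_cipher(ssl)` straight to `SSL_CIPHER_get_id` without a null check; `SSL_get_current_cipher` returns NULL before a cipher has been negotiated and `SSL_CIPHER_get_id` dereferences its argument. The callers in this diff run after the handshake, so it is safe today, but a defensive `if (cipher == nullptr) return true;` keeps the function fail-closed (treated as "in the block list", so `check_http2_requirement` returns false) if it is ever called earlier.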
@ -145,7 +145,7 @@ bool check_http2_tls_version(SSL *ssl) {
} }
bool check_http2_requirement(SSL *ssl) { bool check_http2_requirement(SSL *ssl) {
return check_http2_tls_version(ssl) && !check_http2_cipher_black_list(ssl); return check_http2_tls_version(ssl) && !check_http2_cipher_block_list(ssl);
} }
void libssl_init() { void libssl_init() {


@ -87,14 +87,14 @@ TLSSessionInfo *get_tls_session_info(TLSSessionInfo *tls_info, SSL *ssl);
bool check_http2_tls_version(SSL *ssl); bool check_http2_tls_version(SSL *ssl);
// Returns true iff the negotiated cipher suite is in HTTP/2 cipher // Returns true iff the negotiated cipher suite is in HTTP/2 cipher
// black list. // block list.
bool check_http2_cipher_black_list(SSL *ssl); bool check_http2_cipher_block_list(SSL *ssl);
// Returns true if SSL/TLS requirement for HTTP/2 is fulfilled. // Returns true if SSL/TLS requirement for HTTP/2 is fulfilled.
// To fulfill the requirement, the following 2 terms must be hold: // To fulfill the requirement, the following 2 terms must be hold:
// //
// 1. The negotiated protocol must be TLSv1.2. // 1. The negotiated protocol must be TLSv1.2.
// 2. The negotiated cipher cuite is not listed in the black list // 2. The negotiated cipher cuite is not listed in the block list
// described in RFC 7540. // described in RFC 7540.
bool check_http2_requirement(SSL *ssl); bool check_http2_requirement(SSL *ssl);
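Review bot: Two wording slips in the comment on `check_http2_requirement` are in lines this rename already touches: "cipher cuite" should be "cipher suite" and "must be hold" should be "must hold"; cheap to fix in the same commit.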