search

golang / go

The Go programming language
https://go.dev
BSD 3-Clause "New" or "Revised" License
123.59k stars 17.61k forks source link

net/http: logic error in http2ConfigureServer? #28929

Open pxing-china opened 5 years ago

pxing-china commented 5 years ago

Reported against tip, 649b89377e91ad6dbe710784f9e662082d31a1ff

https://github.com/golang/go/blob/649b89377e91ad6dbe710784f9e662082d31a1ff/src/net/http/h2_bundle.go#L4021

the logic of this line is error(ValidCipher, BadCipher,BadCipher will go through), it should be 

if http2isBadCipher(cs) {
    sawBad = true
} 
if sawBad {
    return fmt.Errorf("http2: TLSConfig.CipherSuites index %d contains an HTTP/2-approved cipher suite (%#04x), but it comes after unapproved cipher suites. With this configuration, clients that don't support previous, approved cipher suites may be given an unapproved one and reject the connection.", i, cs)
}
myitcv commented 5 years ago

cc @bradfitz

fraenkel commented 5 years ago

@pxing-china I think you misunderstood the check. It wants to prevent BadCipher, ValidCipher. Given this order, the bad cipher will cause the connection to be rejected before trying the valid cipher. BadCiphers after ValidCiphers are fine because at least you tried all the valid ones first.