RE: Is the response header "Upgrade: h2" allowed when TLS is used?

Hi,

Michael Kaufmann wrote:
> I have a question regarding the "Upgrade" header. The HTTP/2 specification
> says:
> > A server MUST ignore an "h2" token in an Upgrade header field.
> > Presence of a token with "h2" implies HTTP/2 over TLS, which is
> > instead negotiated as described in Section 3.3.
>
> Does this imply that a server must not (or should not) send an
> "Upgrade: h2" response header to clients?
>
> This question is important for Apache httpd, because version 2.4.20 sends
> such an "Upgrade: h2" response header to clients that speak HTTP/1.x. Other
> HTTP/2 server software does not (e.g. nginx, Google's and Twitter's web
> servers).
>
> Related Apache httpd issue:
> https://bz.apache.org/bugzilla/show_bug.cgi?id=59311


There seems to be some back story here that is not immediately exposed. I found it interesting to read through, but to save others some effort, take a look at [1], [2] and [3]. This seems to be a bug with how NodeJS (as a client) handles the Upgrade header, which has been fixed but may not be backported to older versions [4].

Stefan and Daniel point out that the server uses the Upgrade header to "advertise support" for h2. RFC 7230 Section 6.7 [5] states that the server MAY send the Upgrade header. It seems to me like Apache is technically compliant. On an https connection this information shouldn't be used to perform an HTTP upgrade to h2, since that is invalid (but a client issue, not a server one). On an http connection the info could be used by the client, e.g. if they decide to negotiate an h2 session using ALPN.

Lucas

[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=58971

[2] https://github.com/icing/mod_h2/issues/73

[3] https://github.com/nodejs/node/issues/4334

[4] https://github.com/nodejs/node/pull/4337

[5] http://tools.ietf.org/html/rfc7230#section-6.7




Received on Tuesday, 19 April 2016 15:16:41 UTC
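
The client-side handling discussed in this message, sketched as an added example (not code from Node.js, Apache httpd or any poster in the thread): an `Upgrade` field on a non-101 response is treated purely as an advertisement, and an `h2` token is never accepted as an upgrade target. The function names and the response object shape are assumptions made for illustration.

```javascript
// Added example: hypothetical client-side helper, not Node.js or Apache code.
// Splits a comma-separated header value into lower-cased tokens.
function parseTokens(value) {
  return String(value || '')
    .split(',')
    .map((t) => t.trim().toLowerCase())
    .filter((t) => t.length > 0);
}

// res: { statusCode, headers } with lower-cased header names (assumed shape).
// requested: protocol tokens the client sent in its own request's Upgrade field.
function classifyUpgrade(res, requested) {
  const offered = parseTokens(res.headers['upgrade']);
  const asked = requested.map((t) => t.toLowerCase());

  if (res.statusCode !== 101) {
    // Non-101 response: Upgrade only advertises what the server supports
    // (RFC 7230 Section 6.7). Stay on HTTP/1.x and read the body as usual.
    return { action: 'continue-http1', advertised: offered };
  }

  // 101 Switching Protocols must carry Upgrade and "Connection: upgrade".
  const connection = parseTokens(res.headers['connection']);
  if (offered.length === 0 || !connection.includes('upgrade')) {
    return { action: 'protocol-error', reason: 'malformed 101 response' };
  }
  // The server may only switch to protocols the client asked for.
  if (!offered.every((t) => asked.includes(t))) {
    return { action: 'protocol-error', reason: 'unrequested protocol' };
  }
  // "h2" implies HTTP/2 over TLS, which is negotiated in the TLS handshake
  // (ALPN), so it is not a valid target of an HTTP/1.1 Upgrade.
  if (offered.includes('h2')) {
    return { action: 'protocol-error', reason: 'h2 is not upgradable' };
  }
  return { action: 'switch', protocols: offered };
}
```
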