Re: Is the response header "Upgrade: h2" allowed when TLS is used?

> Am 19.04.2016 um 17:29 schrieb Cory Benfield <cory@lukasa.co.uk>:
> 
> 
>> On 19 Apr 2016, at 16:16, Lucas Pardue <Lucas.Pardue@bbc.co.uk> wrote:
>> 
>> Stefan and Daniel point out that the server uses the Upgrade header to "advertise support" for h2. RFC 7230 Section 6.7 [5] states that the server MAY send the Upgrade header. It seems to me like Apache is technically compliant. On an https connection this information shouldn't be used to perform an HTTP upgrade to h2, since that is invalid (but a client issue not a server one). On an http connection the info could be used by the client e.g. they decide to negotiate an h2 session using ALPN.
> 
> I don’t think that’s really a good way to read this section of RFC 7230. The first sentence in this section is ‘The "Upgrade" header field is intended to provide a simple mechanism for transitioning from HTTP/1.1 to some other protocol on the same connection.’ Note that phrase “on the same connection”. I’d argue, based on that, that the server-sent Upgrade header should only list protocols that the server is willing to upgrade to *on that connection*.

The mechanism is there and could be used. I do not know of a client which can though...

And rfc 7540, ch. 3.2 says: "A server MUST ignore an "h2" token in an Upgrade header field. Presence of a token with "h2" implies HTTP/2 over TLS, which is instead negotiated as described in Section 3.3."

Reading that, a server can never support this. So, we are in violation...rebels almost...

> If Apache is willing to do the HTTP/2 upgrade dance from a TLS’d HTTP1.1 connection, I’d say that this argument makes sense. Otherwise, I don’t think it does: the client needs to use a new connection, which means the Upgrade header isn’t appropriate. This use-case is satisfied by RFC 7838’s HTTP Alternative Services: Apache should use that header instead, rather than this Upgrade header.
> 
> For what it’s worth, as far as I can see RFC 7540 doesn’t *forbid* doing the Upgrade dance on a TLS’d HTTP/1.1 connection: it just says nothing about it. There’s no normative language in RFC 7540 that says that we MUST use ALPN for “https” URLs, it only says that clients *do* that. I’d say that you can read that as saying that a client MUST implement *at least* support for that, but may also implement support for alternative negotiation means (e.g. HTTP Upgrade).
> 
> Cory
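Added example, not code from this thread or from Apache: a small client-side parser for the Upgrade field (RFC 7230 section 6.7 list syntax) that applies the RFC 7540 section 3.2 rule quoted above (an "h2" token is ignored), plus a lint that flags an "Upgrade: h2" advertisement on a TLS response, where HTTP/2 is negotiated via ALPN and, as Cory suggests, Alt-Svc (RFC 7838) is the place for such a hint. The response header block is constructed for the demo.

```python
import re

# RFC 7230 section 6.7: Upgrade = 1#protocol, protocol = protocol-name ["/" protocol-version],
# both parts being tokens (tchar per RFC 7230 section 3.2.6).
_PROTOCOL = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+(?:/[!#$%&'*+\-.^_`|~0-9A-Za-z]+)?$")


def parse_upgrade(value: str) -> list:
    """Split an Upgrade field value into protocol tokens. Empty list elements are
    tolerated (RFC 7230 section 7); anything that is not a valid protocol is rejected."""
    tokens = []
    for elem in value.split(","):
        elem = elem.strip()
        if not elem:
            continue
        if not _PROTOCOL.match(elem):
            raise ValueError("malformed Upgrade protocol: %r" % elem)
        tokens.append(elem)
    return tokens


def usable_upgrade_tokens(value: str) -> list:
    """Tokens a client may act on. RFC 7540 section 3.2: an "h2" token MUST be ignored,
    because it implies HTTP/2 over TLS, which is negotiated with ALPN, not Upgrade."""
    return [tok for tok in parse_upgrade(value) if tok.lower() != "h2"]


def lint_upgrade(headers: dict, over_tls: bool) -> list:
    """Flag advertised Upgrade tokens that a compliant client cannot use on this
    connection. Header names are matched case-insensitively."""
    lowered = {name.lower(): val for name, val in headers.items()}
    findings = []
    if "upgrade" not in lowered:
        return findings
    for tok in parse_upgrade(lowered["upgrade"]):
        if tok.lower() == "h2":
            msg = "Upgrade token 'h2' is ignored by clients (RFC 7540 section 3.2)"
            if over_tls:
                msg += "; on TLS, HTTP/2 is negotiated via ALPN, advertise via Alt-Svc (RFC 7838)"
            findings.append(msg)
    return findings


# Constructed sample of the response head discussed in the thread (not a captured Apache response).
SAMPLE_TLS_RESPONSE_HEADERS = {"Connection": "Upgrade", "Upgrade": "h2", "Content-Type": "text/html"}

if __name__ == "__main__":
    for finding in lint_upgrade(SAMPLE_TLS_RESPONSE_HEADERS, over_tls=True):
        print(finding)
```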

Received on Tuesday, 19 April 2016 16:06:15 UTC