Re: Prague side meeting: HTTP/2 concurrency and request cancellation (CVE-2023-44487)

On Wed, Oct 11, 2023, at 20:42, Willy Tarreau wrote:
> Or maybe something like this could work:
>
>    MAX_CONCURRENT_STREAMS = 100
>    MAX_STREAMS = 100
>    MAX_CONCURRENT_STREAMS = 10
>
> Older clients would learn 100 then 10, possibly dropping excess
> streams, while new clients would learn MAX_STREAMS=100 and from
> that point ignore MAX_CONCURRENT_STREAMS=10.

That's exactly the idea.  You could just start with MAX_CONCURRENT_STREAMS=10 as well, though you should be aware that some clients might choke when this value is less than 100, so your approach is probably the safest.

Received on Wednesday, 11 October 2023 23:32:16 UTC
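
The in-order processing discussed in this message, as an added example that is not part of the original thread or of any implementation. MAX_STREAMS is only a proposal here, so its identifier (0xF001) is a placeholder, and the function names and the "ignore later MAX_CONCURRENT_STREAMS" rule are assumptions taken from the quoted text.

```python
import struct

SETTINGS_MAX_CONCURRENT_STREAMS = 0x3  # real HTTP/2 setting (RFC 9113)
SETTINGS_MAX_STREAMS = 0xF001          # hypothetical placeholder id, not a registered setting


def encode_settings(pairs):
    """Serialize (identifier, value) pairs as a SETTINGS payload (16-bit id, 32-bit value)."""
    return b"".join(struct.pack("!HI", ident, value) for ident, value in pairs)


def decode_settings(payload):
    if len(payload) % 6:
        raise ValueError("SETTINGS payload length must be a multiple of 6")
    return [struct.unpack_from("!HI", payload, off) for off in range(0, len(payload), 6)]


def apply_settings(payload, understands_max_streams):
    """Apply settings in order of appearance and return the client's resulting state.

    Assumed semantics of the proposal: once MAX_STREAMS has been seen, any
    later MAX_CONCURRENT_STREAMS value is ignored.
    """
    state = {"concurrent_limit": None, "max_streams": None, "history": []}
    for ident, value in decode_settings(payload):
        if ident == SETTINGS_MAX_STREAMS and understands_max_streams:
            state["max_streams"] = value
        elif ident == SETTINGS_MAX_CONCURRENT_STREAMS:
            if state["max_streams"] is not None:
                continue  # new client: superseded by MAX_STREAMS
            state["concurrent_limit"] = value
            state["history"].append(value)
        # Any other identifier is unknown to this client and is ignored.
    return state


# Constructed sample: the three-setting sequence from the quoted message.
PAYLOAD = encode_settings([
    (SETTINGS_MAX_CONCURRENT_STREAMS, 100),
    (SETTINGS_MAX_STREAMS, 100),
    (SETTINGS_MAX_CONCURRENT_STREAMS, 10),
])


def demo():
    """Return (older client state, new client state) for the same payload."""
    return apply_settings(PAYLOAD, False), apply_settings(PAYLOAD, True)


if __name__ == "__main__":
    for name, st in zip(("older client", "new client"), demo()):
        print(name, st)
```

The older client's history shows it briefly seeing 100 before settling on 10, which is why the order of the three settings matters.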