
github.com/nodejs/node.git
author    Tobias Nießen <tniessen@tnie.de>  2022-08-13 10:25:23 +0300
committer GitHub <noreply@github.com>  2022-08-13 10:25:23 +0300
commit    77def91bf9a2abd6a19514b57e3dc08f3e3f0fc6
tree      b2ea2fd8532daf669fce5cd7e82f88fb17d5c093 /doc/api/tls.md
parent    938212f3e74a74d0b436941aa24e71425ff666c5
tls,http2: send fatal alert on ALPN mismatch
To comply with RFC 7301, make TLS servers send a fatal alert during the TLS handshake if both the client and the server are configured to use ALPN and if the server does not support any of the protocols advertised by the client.

This affects HTTP/2 servers. Until now, applications could intercept the 'unknownProtocol' event when the client either did not advertise any protocols or if the list of protocols advertised by the client did not include HTTP/2 (or HTTP/1.1 if allowHTTP1 was true). With this change, only the first case can be handled, and the 'unknownProtocol' event will not be emitted in the second case because the TLS handshake fails and no secure connection is established.

PR-URL: https://github.com/nodejs/node/pull/44031
Reviewed-By: Paolo Insogna <paolo@cowtech.it>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Diffstat (limited to 'doc/api/tls.md')
-rw-r--r--  doc/api/tls.md | 9
1 file changed, 7 insertions, 2 deletions
diff --git a/doc/api/tls.md b/doc/api/tls.md
index 1d4db99a11b..3477a90faa6 100644
--- a/doc/api/tls.md
+++ b/doc/api/tls.md
@@ -683,8 +683,8 @@ is set to describe how authorization failed. Depending on the settings
of the TLS server, unauthorized connections may still be accepted.
The `tlsSocket.alpnProtocol` property is a string that contains the selected
-ALPN protocol. When ALPN has no selected protocol, `tlsSocket.alpnProtocol`
-equals `false`.
+ALPN protocol. When ALPN has no selected protocol because the client or the
+server did not send an ALPN extension, `tlsSocket.alpnProtocol` equals `false`.
The `tlsSocket.servername` property is a string containing the server name
requested via SNI.
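Review bot: the new wording in `+ALPN protocol. When ALPN has no selected protocol because the client or the` / `+server did not send an ALPN extension` describes the server-side condition imprecisely: a server never sends an ALPN extension on its own, it only answers one the client sent, so the server-side case is really that the server was not configured with `ALPNProtocols`. Suggest "because the client did not send an ALPN extension or the server was not configured with `ALPNProtocols`". It would also help readers of this property to state the third case explicitly here: when both sides use ALPN but share no protocol, `tlsSocket.alpnProtocol` is no longer `false` because, as the `changes:` entry later in this patch records, the handshake now fails with a fatal `no_application_protocol` alert, so `false` can no longer be used to detect a mismatch.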
@@ -2012,6 +2012,11 @@ where `secureSocket` has the same API as `pair.cleartext`.
<!-- YAML
added: v0.3.2
changes:
+ - version: REPLACEME
+ pr-url: https://github.com/nodejs/node/pull/44031
+ description: If `ALPNProtocols` is set, incoming connections that send an
+ ALPN extension with no supported protocols are terminated with
+ a fatal `no_application_protocol` alert.
- version: v12.3.0
pr-url: https://github.com/nodejs/node/pull/27665
description: The `options` parameter now supports `net.createServer()`
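Review bot: the behaviour change is recorded only in the YAML `changes:` metadata (`+ description: If `ALPNProtocols` is set, incoming connections that send an` ...); the prose that documents the `ALPNProtocols` option itself should say the same thing, since readers of the option text do not read the changelog entries, and should note that this differs from earlier releases, where such a connection was accepted with `alpnProtocol === false` (the text removed in the first hunk). The commit message also says the http2 `'unknownProtocol'` event is no longer emitted for mismatches, but nothing in this file's diff says so; that belongs next to the `'unknownProtocol'` event documentation, and since the diffstat here is limited to `doc/api/tls.md` I cannot see whether that was done. `version: REPLACEME` is the expected placeholder and is fine.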