1439105 - http2 reject client cert post handshake

Status: RESOLVED FIXED

(Core :: Networking: HTTP, enhancement, P1)

Description

[Patrick McManus [:mcmanus]]

7540 bans client certs after sending the h2 preamble by placing a requirement on the server to reject them if they arrive.

Technically there is nothing for us to do but we've got another patch that strongly assumes this property holds, so we should take a patch like the one I'm proposing that will refuse to send a client cert after that time.

Comment 1

[Patrick McManus [:mcmanus]]

Attachment: Bug 1439105 - Ban H2 Client Certs Post Handshake

Review commit: https://reviewboard.mozilla.org/r/221154/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/221154/

Comment 2

[Daniel Stenberg [:bagder]]

Comment on attachment 8951862 [details]
Bug 1439105 - Ban H2 Client Certs Post Handshake

https://reviewboard.mozilla.org/r/221154/#review227066

::: netwerk/protocol/http/nsHttpConnection.cpp:284
(Diff revision 1)
>  
>      MOZ_ASSERT(!mSpdySession || mDid0RTTSpdy);
>  
>      mUsingSpdyVersion = spdyVersion;
>      mEverUsedSpdy = true;
> +    if (sslControl) {

maybe an assert on 'sslControl' here because it shouldn't ever be null here, should it?

Comment 3

[Dana Keeler (she/her) (use needinfo) [:keeler]]

Comment on attachment 8951862 [details]
Bug 1439105 - Ban H2 Client Certs Post Handshake

https://reviewboard.mozilla.org/r/221154/#review227596

PSM changes look good to me. Might be nice to have a test :)

Comment 4

[Pulsebot]

Pushed by mcmanus@ducksong.com:
https://hg.mozilla.org/integration/autoland/rev/c9fd03a815bc
Ban H2 Client Certs Post Handshake r=bagder,keeler

Comment 5

[Tiberius Oros[:tiberius_oros]]

https://hg.mozilla.org/mozilla-central/rev/c9fd03a815bc