On 2023-10-16 (Mo.) 20:12, Lukas Tribus wrote:
> On Mon, 16 Oct 2023 at 19:41, Aleksandar Lazic <al-hapr...@none.at> wrote:
>> On 2023-10-16 (Mo.) 19:29, Илья Шипицин wrote:
>>> Does 1.8 support http/2?
>> No.
> Actually haproxy 1.8 supports H2 (without implementing HTX), as per
> the documentation and announcements:
> https://www.mail-archive.com/haproxy@formilux.org/msg28004.html
> http://docs.haproxy.org/1.8/configuration.html#5.1-alpn
> It does so by downgrading H2 to HTTP/1.1.
> I don't know whether haproxy 1.8 actually is affected by the rapid
> reset vulnerability or not. I suppose it's possible.

Well, as far as I have understood the attack properly, the request is in
HTTP/2 mode and stays in that mode, which isn't the case in 1.8. As you
already mentioned, in 1.8 the HTTP/2 request was "converted" into HTTP/1,
and 1.9 is the first version which supports end-to-end HTTP/2.
To be more precise, here is the quote from the above announcement:
```
- HTTP/2 will not schedule a graceful connection shutdown anymore when
seeing a "Connection: close" header in a response. Instead a new HTTP
action "reject" has been implemented to work like its TCP counter-part.
```
This implies that the connection does not stay open and the attack could
not work.
But maybe there is a better explanation why 1.8 is not affected.

> Lukas

Regards
Alex
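
Added example, not part of the thread and not HAProxy code: the on-the-wire pattern that the name "rapid reset" (CVE-2023-44487) refers to. A client opens a stream with a HEADERS frame and immediately cancels it with RST_STREAM; because a reset stream no longer counts against SETTINGS_MAX_CONCURRENT_STREAMS, the client can start far more requests than the stream limit while the server still pays the per-request cost for each. The Python below is a minimal HTTP/2 frame parser (RFC 9113 framing layer only, no HPACK decoding) run over constructed client-to-server traffic; the two-byte HPACK block `0x82 0x84` is the static-table encoding of `:method GET` and `:path /`, and the detection thresholds in `is_rapid_reset` are illustrative assumptions, not values from any product.

```python
import struct
from dataclasses import dataclass

# HTTP/2 constants (RFC 9113): connection preface, frame types, flags.
PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
FRAME_DATA, FRAME_HEADERS, FRAME_RST_STREAM, FRAME_SETTINGS = 0x0, 0x1, 0x3, 0x4
FLAG_END_STREAM, FLAG_END_HEADERS = 0x1, 0x4
ERR_CANCEL = 0x8


@dataclass
class Frame:
    ftype: int
    flags: int
    stream_id: int
    payload: bytes


def build_frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Serialise one frame: 24-bit length, 8-bit type, 8-bit flags, 31-bit stream id."""
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags])
    return header + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload


def parse_frames(data: bytes) -> list:
    """Split a raw client-to-server byte stream into frames, skipping the preface."""
    if data.startswith(PREFACE):
        data = data[len(PREFACE):]
    frames, off = [], 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack(">I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) < length:
            break  # truncated trailing frame; stop rather than misparse
        frames.append(Frame(ftype, flags, stream_id, payload))
        off += 9 + length
    return frames


def stream_stats(frames) -> tuple:
    """Return (streams_opened, streams_reset_by_client, peak_concurrent_open).

    A stream counts as open from its first HEADERS frame until the client
    resets it. SETTINGS_MAX_CONCURRENT_STREAMS only bounds the open ones,
    which is why the reset pattern keeps peak_concurrent_open tiny no matter
    how many requests were actually started.
    """
    opened, reset, concurrent, peak = set(), 0, 0, 0
    for f in frames:
        if f.ftype == FRAME_HEADERS and f.stream_id and f.stream_id not in opened:
            opened.add(f.stream_id)
            concurrent += 1
            peak = max(peak, concurrent)
        elif f.ftype == FRAME_RST_STREAM and f.stream_id in opened:
            reset += 1
            concurrent -= 1
    return len(opened), reset, peak


def is_rapid_reset(frames, min_requests: int = 100, reset_ratio: float = 0.9) -> bool:
    """Illustrative thresholds (assumption): many requests, almost all client-cancelled."""
    opened, reset, _ = stream_stats(frames)
    return opened >= min_requests and reset / opened >= reset_ratio


# Constructed sample traffic. 0x82 0x84 are HPACK static-table indexes for
# ":method: GET" and ":path: /", i.e. the smallest legal request header block.
MIN_REQUEST_HPACK = b"\x82\x84"


def constructed_attack(n: int = 1000) -> bytes:
    """Client opens a stream and cancels it immediately, n times on one connection."""
    out = PREFACE + build_frame(FRAME_SETTINGS, 0, 0)
    for i in range(n):
        sid = 2 * i + 1  # client-initiated stream ids are odd
        out += build_frame(FRAME_HEADERS, FLAG_END_STREAM | FLAG_END_HEADERS, sid, MIN_REQUEST_HPACK)
        out += build_frame(FRAME_RST_STREAM, 0, sid, ERR_CANCEL.to_bytes(4, "big"))
    return out


def constructed_benign(n: int = 10) -> bytes:
    """Ordinary burst of n requests that the client lets complete (no resets)."""
    out = PREFACE + build_frame(FRAME_SETTINGS, 0, 0)
    for i in range(n):
        out += build_frame(FRAME_HEADERS, FLAG_END_STREAM | FLAG_END_HEADERS, 2 * i + 1, MIN_REQUEST_HPACK)
    return out


if __name__ == "__main__":
    for label, blob in (("attack", constructed_attack()), ("benign", constructed_benign())):
        frames = parse_frames(blob)
        print(label, stream_stats(frames), is_rapid_reset(frames))
```

Running it shows the contrast the thread is circling around: the constructed attack starts 1000 requests on one connection yet never has more than one stream open at a time, so a plain concurrent-stream limit does not see it, while the benign burst of ten requests peaks at ten open streams and has no resets. The check looks only at client-to-server frames on the frontend connection and says nothing about how a given proxy version processes the stream internally; it recognises the pattern in a capture, it is not a verdict on any release. Real detection would also add a time window (resets per second per connection), since a long-lived legitimate client can accumulate many cancellations.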