> From: openssl-users <openssl-users-boun...@openssl.org> On Behalf Of Osman 
> Zakir
> Sent: Friday, 28 August, 2020 11:52

> As I said in the subject, I want to know how to parse the ClientHello message
> to find the HTTP/2 upgrade request if it's there.

I've never had to do this myself, but my understanding is that a client can 
request HTTP/2 in the ClientHello using ALPN. So presumably on the server side 
you want to register an ALPN callback with SSL_CTX_set_alpn_select_cb. What you 
*shouldn't* be doing, if you're using OpenSSL, is parsing any TLS message 
yourself.

Of course, HTTP/2 upgrade can also be done at the HTTP protocol level, which 
seems like a far more sensible choice to me.

> I need to write code for supporting HTTP/2 myself if I want that.

Here's the real question: Why would you want HTTP/2?

HTTP/2 offers only marginal advantages over HTTP/1.1 for most applications. Its 
main justification is for server farms handling huge workloads. And, frankly, 
even for that use case I tend to agree with Poul-Henning Kamp 
(https://cacm.acm.org/magazines/2015/3/183605-http-2-0/fulltext). HTTP/2 is a 
lousy protocol created to cater to the needs of a handful of large industry 
players.

By supporting it, you're substantially increasing your attack surface and 
adding complexity, both of which are Really Bad Ideas for security.

If you must have HTTP/2, I recommend negotiating it at the HTTP protocol level. 
Don't add complexity at the crypto-protocol level (i.e. TLS) if you don't have 
to. That's a recipe for vulnerabilities.

--
Michael Wojcik

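The ALPN selection that the reply points at, as an added example that is not part of the original thread and not OpenSSL's own code: a callback in the shape OpenSSL's SSL_CTX_set_alpn_select_cb expects, which parses the client's ALPN list from the ClientHello (RFC 7301 wire format: one length byte, then the protocol name, repeated), picks by server preference, and rejects malformed lists by aborting the handshake. The server preference list, the sample client lists and the helper names are constructed for the example. The selection logic has no OpenSSL dependency, so it builds and tests stand-alone; the registration glue compiles only with -DUSE_OPENSSL and links against -lssl -lcrypto.

```c
/* Added example, not from the openssl-users thread or from OpenSSL itself.
 * Server-side ALPN selection as done in an SSL_CTX_set_alpn_select_cb callback.
 * Build stand-alone (no OpenSSL), or with -DUSE_OPENSSL -lssl -lcrypto to get
 * the real SSL type and the install_alpn() registration helper. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#ifdef USE_OPENSSL
#include <openssl/ssl.h>
typedef SSL alpn_ssl_t;
#else
/* Same numeric values as OpenSSL's <openssl/ssl.h>, so return codes match. */
#define SSL_TLSEXT_ERR_OK          0
#define SSL_TLSEXT_ERR_ALERT_FATAL 2
#define SSL_TLSEXT_ERR_NOACK       3
typedef void alpn_ssl_t;
#endif

/* Constructed server preference list in ALPN wire format (RFC 7301).
 * Order is preference: h2 first, then http/1.1. It is static because OpenSSL
 * requires *out to stay valid for the rest of the handshake. */
static const unsigned char server_protos[] = "\x02h2\x08http/1.1";
static const size_t server_protos_len = sizeof(server_protos) - 1;

/* Constructed sample ClientHello ALPN lists (what OpenSSL passes as `in`). */
const unsigned char client_both[]       = "\x02h2\x08http/1.1";  /* h2, http/1.1 */
const unsigned char client_http1_first[] = "\x08http/1.1\x02h2"; /* http/1.1, h2 */
const unsigned char client_http1_only[] = "\x08http/1.1";
const unsigned char client_unknown[]    = "\x06spdy/3";
const unsigned char client_malformed[]  = "\x05h2";              /* claims 5 bytes, has 2 */

/* Every entry must be non-empty and must fit inside the list. */
static int alpn_list_valid(const unsigned char *list, size_t len)
{
    for (size_t i = 0; i < len; i += 1 + list[i]) {
        size_t n = list[i];
        if (n == 0 || i + 1 + n > len)
            return 0;
    }
    return 1;
}

/* First server-preferred protocol the client also offered.
 * 1: found, *out/*outlen point into `server`; 0: no overlap; -1: malformed. */
int alpn_select(const unsigned char *server, size_t server_len,
                const unsigned char *client, size_t client_len,
                const unsigned char **out, unsigned char *outlen)
{
    if (!alpn_list_valid(server, server_len) || !alpn_list_valid(client, client_len))
        return -1;
    for (size_t i = 0; i < server_len; i += 1 + server[i]) {
        size_t n = server[i];
        for (size_t j = 0; j < client_len; j += 1 + client[j]) {
            if (client[j] == n && memcmp(&server[i + 1], &client[j + 1], n) == 0) {
                *out = &server[i + 1];
                *outlen = (unsigned char)n;
                return 1;
            }
        }
    }
    return 0;
}

/* Callback with the SSL_CTX_set_alpn_select_cb signature. OpenSSL has already
 * pulled the ALPN extension out of the ClientHello; nothing here touches TLS. */
static int alpn_select_cb(alpn_ssl_t *ssl, const unsigned char **out,
                          unsigned char *outlen, const unsigned char *in,
                          unsigned int inlen, void *arg)
{
    (void)ssl; (void)arg;
    switch (alpn_select(server_protos, server_protos_len, in, inlen, out, outlen)) {
    case 1:  return SSL_TLSEXT_ERR_OK;          /* send the chosen protocol back */
    case 0:  return SSL_TLSEXT_ERR_NOACK;       /* no ALPN in ServerHello; carry on */
    default: return SSL_TLSEXT_ERR_ALERT_FATAL; /* malformed list: abort handshake */
    }
}

#ifdef USE_OPENSSL
void install_alpn(SSL_CTX *ctx)
{
    SSL_CTX_set_alpn_select_cb(ctx, alpn_select_cb, NULL);
}
#endif

/* Helpers that run the callback on a client list: the return code, and
 * whether the negotiated protocol equals `expect`. */
int alpn_cb_code(const unsigned char *client, unsigned int client_len)
{
    const unsigned char *out = NULL; unsigned char outlen = 0;
    return alpn_select_cb(NULL, &out, &outlen, client, client_len, NULL);
}

int alpn_cb_chooses(const unsigned char *client, unsigned int client_len, const char *expect)
{
    const unsigned char *out = NULL; unsigned char outlen = 0;
    if (alpn_select_cb(NULL, &out, &outlen, client, client_len, NULL) != SSL_TLSEXT_ERR_OK)
        return 0;
    return outlen == strlen(expect) && memcmp(out, expect, outlen) == 0;
}

int main(void)
{
    const unsigned char *out = NULL; unsigned char outlen = 0;
    if (alpn_select_cb(NULL, &out, &outlen, client_http1_first,
                       sizeof(client_http1_first) - 1, NULL) == SSL_TLSEXT_ERR_OK)
        printf("negotiated %.*s\n", (int)outlen, (const char *)out);
    return 0;
}
```

The order matters: the server walks its own list and takes the first entry the client also offered, so a client that lists http/1.1 before h2 still gets h2. A list with a zero-length or overlong entry never reaches the comparison loop and produces SSL_TLSEXT_ERR_ALERT_FATAL, which is the safe answer for anything that does not parse.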