Bug 62654 - require ssl does not work for h2 protocol
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_http2
Version: 2.4.34
Hardware: PC Linux
Importance: P2 normal
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Depends on:
Reported: 2018-08-24 19:32 UTC by Peter 'Pessoft' Kolínek
Modified: 2018-11-23 15:11 UTC


Description Peter 'Pessoft' Kolínek 2018-08-24 19:32:34 UTC

When the "Require ssl" directive is used on a resource and the resource is accessed using the HTTP/2 protocol over an SSL channel, the client is denied access. When the "SSLRequireSSL" directive is used in such a configuration instead of "Require ssl", the client can access the resource. "Require ssl" should not restrict access to the resource when HTTP/2 over SSL is used.

For example, a configuration with mod_ssl and mod_http2:

Protocols h2
<Directory /var/www/html/require>
  require ssl
</Directory>
<Directory /var/www/html/sslrequire>
  SSLRequireSSL
</Directory>

When client opens https://server.example.org/require/index.html

==> /var/log/httpd/ssl_error_log <==
[Fri Aug 24 19:25:22.500207 2018] [authz_core:error] [pid 632:tid 139848444245760] [client] AH01630: client denied by server configuration: /var/www/html/require/index.html
==> /var/log/httpd/ssl_access_log <==
- - [24/Aug/2018:19:25:22 +0000] "GET /require/index.html HTTP/2.0" 403 227
==> /var/log/httpd/ssl_request_log <==
[24/Aug/2018:19:25:22 +0000] TLSv1.3 TLS_AES_256_GCM_SHA384 "GET /require/index.html HTTP/2.0" 227

When client opens https://server.example.org/require/index.html

==> /var/log/httpd/ssl_access_log <==
- - [24/Aug/2018:19:26:53 +0000] "GET /sslrequire/index.html HTTP/2.0" 200 7
==> /var/log/httpd/ssl_request_log <==
[24/Aug/2018:19:26:53 +0000] TLSv1.3 TLS_AES_256_GCM_SHA384 "GET /sslrequire/index.html HTTP/2.0" 7
Comment 1 Stefan Eissing 2018-11-08 10:10:29 UTC
Found the time to check this. You are correct. mod_ssl did, in this case, not check correctly on HTTP/2 connections. I fixed this in r1846111 and will propose this for backport to 2.4.x.
Comment 2 Graham Leggett 2018-11-23 15:11:00 UTC
Backported to v2.4.38.
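
An added example, not part of the bug thread or of the httpd project's code: a small configuration audit that lists the sections relying on "Require ssl" when h2 is enabled and the server predates 2.4.38. It assumes every release before 2.4.38 behaves like the reported 2.4.34, treats any Protocols line as server-wide, and does not follow Include directives; the function names and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample configuration, modelled on the one in the report.
SAMPLE_CONF = """\
Protocols h2 http/1.1
<Directory /var/www/html/require>
  Require ssl
</Directory>
<Directory /var/www/html/sslrequire>
  SSLRequireSSL
</Directory>
"""

FIXED_IN = (2, 4, 38)  # release named in comment 2 of the thread

def parse_version(text):
    """Turn '2.4.34' or 'Apache/2.4.34 (Unix)' into (2, 4, 34)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.groups())

def directives(conf):
    """Yield stripped, non-blank, non-comment lines of a config text."""
    for raw in conf.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line

def h2_enabled(conf):
    """True if any Protocols directive lists h2 (scope is ignored: assumption)."""
    return any(w[0].lower() == "protocols" and "h2" in w[1:]
               for w in (line.split() for line in directives(conf)))

def affected_sections(conf, server_version):
    """Sections using 'Require ssl' that an unfixed h2 server would answer with 403."""
    # Assumption: all releases before FIXED_IN behave like the reported 2.4.34.
    if parse_version(server_version) >= FIXED_IN or not h2_enabled(conf):
        return []
    stack, hits = [], []
    for line in directives(conf):
        words = line.split()
        if line.startswith("</"):
            if stack:
                stack.pop()
        elif line.startswith("<"):
            stack.append(line.strip("<>"))
        elif words[0].lower() == "require" and words[1:] == ["ssl"]:
            hits.append(stack[-1] if stack else "(server scope)")
    return hits
```

Calling affected_sections(SAMPLE_CONF, "2.4.34") names the /require directory only; the SSLRequireSSL section is not reported, matching the 403 and 200 responses in the logs above.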