Open
Description
What version of Go are you using (go version)?
$ go version go version go1.20.3 linux/amd64
Does this issue reproduce with the latest release?
yes
What operating system and processor architecture are you using (go env)?
go env
$ go env GO111MODULE="" GOARCH="amd64" GOBIN="" GOCACHE="/home/user/.cache/go-build" GOENV="/home/user/.config/go/env" GOEXE="" GOEXPERIMENT="" GOFLAGS="" GOHOSTARCH="amd64" GOHOSTOS="linux" GOINSECURE="" GOMODCACHE="/home/user/go/pkg/mod" GONOPROXY="" GONOSUMDB="" GOOS="linux" GOPATH="/home/user/go" GOPRIVATE="" GOPROXY="https://proxy.golang.org,direct" GOROOT="/usr/local/go" GOSUMDB="sum.golang.org" GOTMPDIR="" GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64" GOVCS="" GOVERSION="go1.20.3" GCCGO="gccgo" GOAMD64="v1" AR="ar" CC="gcc" CXX="g++" CGO_ENABLED="1" GOMOD="/dev/null" GOWORK="" CGO_CFLAGS="-O2 -g" CGO_CPPFLAGS="" CGO_CXXFLAGS="-O2 -g" CGO_FFLAGS="-O2 -g" CGO_LDFLAGS="-O2 -g" PKG_CONFIG="pkg-config" GOGCCFLAGS="-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build1335295081=/tmp/go-build -gno-record-gcc-switches"
What did you do?
package main
import (
"crypto/tls"
"flag"
"log"
"os"
)
var localAddr = flag.String("a", ":8765", "local address to listen ([ip]:port)")
var optCert = flag.String("cert", "", "certificate file")
var optCertKey = flag.String("key", "", "certificate key file")
func main() {
log.SetFlags(log.Lshortfile)
flag.Parse()
if *optCert == "" || *optCertKey == "" {
flag.Usage()
os.Exit(1)
}
cer, err := tls.LoadX509KeyPair(*optCert, *optCertKey)
if err != nil {
log.Println(err)
return
}
config := &tls.Config{Certificates: []tls.Certificate{cer}}
config.NextProtos = []string{"h2"}
ln, err := tls.Listen("tcp", *localAddr, config)
if err != nil {
log.Println(err)
return
}
defer ln.Close()
log.Printf("Listening: %v\n", ln.Addr().String())
for {
conn, err := ln.Accept()
if err != nil {
log.Println(err)
continue
}
log.Printf("connection from %s\n", conn.RemoteAddr())
tlsconn, ok := conn.(*tls.Conn)
if !ok {
log.Fatal("not tls conn!")
}
err = tlsconn.Handshake()
if err != nil {
log.Println(err)
continue
}
connState := tlsconn.ConnectionState()
log.Printf("ALPN = %s", connState.NegotiatedProtocol)
// simple echo
go func(c *tls.Conn) {
defer c.Close()
b := make([]byte, 1024)
for {
_, err := c.Read(b)
if err != nil {
break
}
_, err = c.Write(b)
if err != nil {
break
}
}
}(tlsconn)
}
}
go run main.go cert.crt cert.key
then from another terminal:
echo HELLO | openssl s_client -connect localhost:8765
echo HELLO | openssl s_client -connect localhost:8765 -alpn http/1.1
echo HELLO | openssl s_client -connect localhost:8765 -alpn foo
echo HELLO | openssl s_client -connect localhost:8765 -alpn h2
What did you expect to see?
main.go:50: tls: client requested unsupported application protocols ([])
...
main.go:50: tls: client requested unsupported application protocols ([http/1.1])
...
main.go:50: tls: client requested unsupported application protocols ([foo])
...
main.go:54: negociated protocol = h2
What did you see instead?
main.go:54: negociated protocol =
...
main.go:54: negociated protocol =
...
main.go:50: tls: client requested unsupported application protocols ([foo])
...
main.go:54: negociated protocol = h2
With current cpypto/tls and since https://go-review.googlesource.com/c/go/+/325432 ( see #46310 ) we cannot enforce h2 and drop clients asking for http/1.1. cpypto/tls has been specialized/harcoded for net/http instead of been agnostic.
Also there should be an option to accept or not client with no alpn when the server has alpn.
In current state, we have to either clone crypto/tls and modify it or drop the connection at a higher level (which leads to different behaviors/tests, log messages, impact on client & server codes, etc)