From 600d4fc4d079b34e115fef6f556925acb338f7e9 Mon Sep 17 00:00:00 2001
From: Lior Okman
Date: Thu, 14 Mar 2024 00:53:57 +0200
Subject: [PATCH] fix: QUIC listeners should only advertise HTTP/3 over ALPN, and not HTTP/2 and HTTP/1.1 (#2907)

QUIC listeners should only accept HTTP/3, and not advertise HTTP/2 and HTTP/1.1

Signed-off-by: Lior Okman
---
 internal/xds/translator/listener.go | 19 ++++++++-----------
 .../testdata/out/xds-ir/http3.listeners.yaml | 2 --
 2 files changed, 8 insertions(+), 13 deletions(-)

diff --git a/internal/xds/translator/listener.go b/internal/xds/translator/listener.go
index 427cca26bbf..10abde44964 100644
--- a/internal/xds/translator/listener.go
+++ b/internal/xds/translator/listener.go
@@ -277,12 +277,12 @@ func (t *Translator) addXdsHTTPFilterChain(xdsListener *listenerv3.Listener, irL
 	if irListener.TLS != nil {
 		var tSocket *corev3.TransportSocket
 		if http3Listener {
-			tSocket, err = buildDownstreamQUICTransportSocket(irListener.TLS, http3Listener)
+			tSocket, err = buildDownstreamQUICTransportSocket(irListener.TLS)
 			if err != nil {
 				return err
 			}
 		} else {
-			tSocket, err = buildXdsDownstreamTLSSocket(irListener.TLS, http3Listener)
+			tSocket, err = buildXdsDownstreamTLSSocket(irListener.TLS)
 			if err != nil {
 				return err
 			}
@@ -388,7 +388,7 @@ func addXdsTCPFilterChain(xdsListener *listenerv3.Listener, irListener *ir.TCPLi
 	}
 
 	if isTLSTerminate {
-		tSocket, err := buildXdsDownstreamTLSSocket(irListener.TLS.Terminate, false)
+		tSocket, err := buildXdsDownstreamTLSSocket(irListener.TLS.Terminate)
 		if err != nil {
 			return err
 		}
@@ -427,12 +427,12 @@ func addXdsTLSInspectorFilter(xdsListener *listenerv3.Listener) error {
 	return nil
 }
 
-func buildDownstreamQUICTransportSocket(tlsConfig *ir.TLSConfig, http3Listener bool) (*corev3.TransportSocket, error) {
+func buildDownstreamQUICTransportSocket(tlsConfig *ir.TLSConfig) (*corev3.TransportSocket, error) {
 	tlsCtx := &quicv3.QuicDownstreamTransport{
 		DownstreamTlsContext: &tlsv3.DownstreamTlsContext{
 			CommonTlsContext: &tlsv3.CommonTlsContext{
 				TlsParams: buildTLSParams(tlsConfig),
-				AlpnProtocols: buildALPNProtocols(tlsConfig.ALPNProtocols, http3Listener),
+				AlpnProtocols: []string{"h3"},
 			},
 		},
 	}
@@ -468,11 +468,11 @@ func buildDownstreamQUICTransportSocket(tlsConfig *ir.TLSConfig, http3Listener b
 	}, nil
 }
 
-func buildXdsDownstreamTLSSocket(tlsConfig *ir.TLSConfig, http3Listener bool) (*corev3.TransportSocket, error) {
+func buildXdsDownstreamTLSSocket(tlsConfig *ir.TLSConfig) (*corev3.TransportSocket, error) {
 	tlsCtx := &tlsv3.DownstreamTlsContext{
 		CommonTlsContext: &tlsv3.CommonTlsContext{
 			TlsParams: buildTLSParams(tlsConfig),
-			AlpnProtocols: buildALPNProtocols(tlsConfig.ALPNProtocols, http3Listener),
+			AlpnProtocols: buildALPNProtocols(tlsConfig.ALPNProtocols),
 			TlsCertificateSdsSecretConfigs: []*tlsv3.SdsSecretConfig{},
 		},
 	}
@@ -551,12 +551,9 @@ func buildTLSVersion(version *ir.TLSVersion) tlsv3.TlsParameters_TlsProtocol {
 	return tlsv3.TlsParameters_TLS_AUTO
 }
 
-func buildALPNProtocols(alpn []string, http3Listener bool) []string {
+func buildALPNProtocols(alpn []string) []string {
 	if len(alpn) == 0 {
 		out := []string{"h2", "http/1.1"}
-		if http3Listener {
-			out = append(out, "h3")
-		}
 		return out
 	}
 	return alpn
diff --git a/internal/xds/translator/testdata/out/xds-ir/http3.listeners.yaml b/internal/xds/translator/testdata/out/xds-ir/http3.listeners.yaml
index 9496615a305..9b4ef729e25 100644
--- a/internal/xds/translator/testdata/out/xds-ir/http3.listeners.yaml
+++ b/internal/xds/translator/testdata/out/xds-ir/http3.listeners.yaml
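Review bot: In the `@@ -427` hunk, `buildDownstreamQUICTransportSocket` now pins `AlpnProtocols: []string{"h3"}` and silently discards `tlsConfig.ALPNProtocols`, while the TCP counterpart `buildXdsDownstreamTLSSocket` in the following hunk still passes that same field through, so a user-configured ALPN list is honoured on one transport and dropped on the other with no signal to the operator. Pinning h3 is correct for a QUIC transport, but the override should be stated in code and, unless the IR already rejects a non-h3 ALPN on an HTTP/3 listener earlier (not visible here), that configuration should be rejected or logged at translation time rather than ignored. I would add above the field: `// QUIC carries HTTP/3 only: h3 is pinned and tlsConfig.ALPNProtocols is deliberately ignored so the listener never advertises h2 or http/1.1.` The remainder of the function (SDS secret wiring and the return) lies outside the hunk.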
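Review bot: With the h3 branch removed in the `@@ -551` hunk, `out` in `buildALPNProtocols` is a single-use temporary and the `if` body can collapse to `return []string{"h2", "http/1.1"}`. The function also has no doc comment, and its two behaviours (defaults vs. verbatim passthrough of whatever the caller configured) are now the only thing it does, so I would add: `// buildALPNProtocols returns the ALPN list for a TCP/TLS listener: the configured list verbatim when non-empty, otherwise h2 and http/1.1. h3 is never added here because HTTP/3 is only valid on the QUIC transport.` Since the configured slice is returned as-is, any value reaches the Envoy listener unchanged; if validation of those strings happens elsewhere in the IR (not visible here), naming that in the comment would save the next reader a search.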
@@ -40,8 +40,6 @@
       downstreamTlsContext:
         commonTlsContext:
           alpnProtocols:
-          - h2
-          - http/1.1
           - h3
           tlsCertificateSdsSecretConfigs:
           - name: envoy-gateway-tls-secret-1