This repository has been archived by the owner on May 18, 2021. It is now read-only.

Force TLS negotiation to only support HTTP/1.1 - Issue #298? #299

Closed
10 changes: 10 additions & 0 deletions lib/okta.go
@@ -2,6 +2,7 @@ package lib

import (
"bytes"
"crypto/tls"
"encoding/json"
"errors"
"fmt"
@@ -578,10 +579,19 @@ func (o *OktaClient) Get(method string, path string, data []byte, recv interface
}
}

// FORCE TLS negotiation to only support HTTP/1.1
tlsCfg := &tls.Config{
NextProtos: []string{"h1"},
}

transCfg := &http.Transport{
Proxy: http.ProxyFromEnvironment,
TLSHandshakeTimeout: Timeout,
DisableKeepAlives: true,
MaxIdleConnsPerHost: -1,
Contributor
are these two settings also necessary?
Contributor
These weren't required in our repro. DisableKeepAlives makes the client set up a new TLS connection for each request. Though, that's the behavior I'm already seeing without it explicitly set.

TLSClientConfig: tlsCfg,
}

client = http.Client{
Transport: transCfg,
Timeout: Timeout,
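Review bot: `NextProtos: []string{"h1"}` in the new tlsCfg block advertises a token that is not the registered ALPN identifier for HTTP/1.1; Go's net/http (and the IANA ALPN registry) use "http/1.1" for HTTP/1.1 and "h2" for HTTP/2. A server that does not recognise "h1" will usually select no protocol, which Go's client then treats as plain HTTP/1.1, so the change appears to work, but RFC 7301 also permits a server to abort the handshake with a no_application_protocol alert, so this is not a reliable way to pin the protocol. If the goal is an HTTP/1.1-only client, either use `NextProtos: []string{"http/1.1"}` or, better, the mechanism net/http documents for disabling HTTP/2 on a client, a non-nil empty map on the transport: `TLSNextProto: map[string]func(string, *tls.Conn) http.RoundTripper{}`. Worth noting in the comment above tlsCfg (currently "FORCE TLS negotiation to only support HTTP/1.1") that this is ALPN protocol selection rather than TLS negotiation, and that net/http does not enable HTTP/2 automatically on a Transport that carries a custom TLSClientConfig, so merely supplying tlsCfg already disables h2 here regardless of the NextProtos value; stating the actual mechanism will save the next maintainer from relying on the "h1" string.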