* Restconf native HTTP/2:

* Added option `CLICON_RESTCONF_HTTP2_PLAIN` * if disabled non-tls HTTP/2 is disabled: both direct and upgrade
2021-08-26 16:58:52 +02:00 · 2021-08-26 16:58:52 +02:00 · ef4d082f4b
commit ef4d082f4b
parent 562320dcbc
6 changed files with 240 additions and 5 deletions
--- a/apps/restconf/restconf_evhtp.c
+++ b/apps/restconf/restconf_evhtp.c
@ -430,7 +430,8 @@ evhtp_upgrade_http2(clicon_handle         h,
    char  *settings;
    cxobj *xerr = NULL;
 	
-    if ((str = restconf_param_get(h, "HTTP_UPGRADE")) != NULL){
+    if ((str = restconf_param_get(h, "HTTP_UPGRADE")) != NULL &&
+	clicon_option_bool(h, "CLICON_RESTCONF_HTTP2_PLAIN") == 1){
 	/* Only accept "h2c" */
 	if (strcmp(str, "h2c") != 0){
 	    if (netconf_invalid_value_xml(&xerr, "protocol", "Invalid upgrade token") < 0)
--- a/apps/restconf/restconf_main_native.c
+++ b/apps/restconf/restconf_main_native.c
@ -404,6 +404,12 @@ restconf_verify_certs(int             preverify_ok,
    case X509_V_ERR_HOSTNAME_MISMATCH:
 	clicon_debug(1, "%s X509_V_ERR_HOSTNAME_MISMATCH", __FUNCTION__);
 	break;
+    case X509_V_ERR_CERT_HAS_EXPIRED:
+	clicon_debug(1, "%s X509_V_ERR_CERT_HAS_EXPIRED", __FUNCTION__);
+	break;
+    case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
+	clicon_debug(1, "%s X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT", __FUNCTION__);
+	break;
    }
    /* Catch a too long certificate chain. should be +1 in SSL_CTX_set_verify_depth() */
    if (depth > VERIFY_DEPTH + 1) {
@ -848,6 +854,7 @@ restconf_connection(int   s,
 #ifdef HAVE_LIBNGHTTP2
 	    if (sd->sd_upgrade2){
 		nghttp2_error ngerr;
+
 		/* Switch to http/2 according to RFC 7540 Sec 3.2 and RFC 7230 Sec 6.7 */
 		rc->rc_proto = HTTP_2;
 		if (http2_session_init(rc) < 0){
--- a/apps/restconf/restconf_nghttp2.c
+++ b/apps/restconf/restconf_nghttp2.c
@ -305,10 +305,22 @@ restconf_nghttp2_path(restconf_stream_data *sd)
 	clicon_err(OE_RESTCONF, EINVAL, "arg is NULL");
 	goto done;
    }
-    /* Slightly awkward way of taking SSL cert subject and CN and add it to restconf parameters
-     * instead of accessing it directly */
-    if (rc->rc_ssl != NULL){
-	/* SSL subject fields, eg CN (Common Name) , can add more here? */
+    
+    if (rc->rc_ssl == NULL){
+	if (clicon_option_bool(h, "CLICON_RESTCONF_HTTP2_PLAIN") == 0){
+	    cxobj *xerr = NULL;
+	    
+	    if (netconf_operation_not_supported_xml(&xerr, "protocol", "HTTP/2 plain / non-tls is not allowed") < 0)
+		goto done;
+	    if (api_return_err0(h, sd, xerr, 1, YANG_DATA_JSON, 0) < 0)
+		goto done;
+	    goto ok;
+	}
+    }
+    else {
+	/* Slightly awkward way of taking SSL cert subject and CN and add it to restconf parameters
+	 * instead of accessing it directly 
+	 * SSL subject fields, eg CN (Common Name) , can add more here? */
 	if (ssl_x509_name_oneline(rc->rc_ssl, &oneline) < 0)
 	    goto done;
 	if (oneline != NULL) {
@ -327,6 +339,7 @@ restconf_nghttp2_path(restconf_stream_data *sd)
    }
    else if (api_root_restconf(h, sd, sd->sd_qvec) < 0)
 	goto done;   
+ ok:
    /* Clear (fcgi) paramaters from this request */
    if (restconf_param_del_all(h) < 0)
    	goto done;