Do not advertise disabled protocols via ALPN (#263)

* Do not advertise disabled protocols via ALPN * Fix racy test
mtrudel · Nov 14, 2023 · bb66b65 · bb66b65
1 parent fd8e022
commit bb66b65
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 5 deletions.
diff --git a/lib/bandit.ex b/lib/bandit.ex
@@ -248,9 +248,13 @@ defmodule Bandit do
           {ThousandIsland.Transports.TCP, transport_options, 4000}
 
         :https ->
+          supported_protocols =
+            if(http_2_enabled, do: ["h2"], else: []) ++
+              if http_1_enabled, do: ["http/1.1"], else: []
+
           transport_options =
             Keyword.take(arg, [:ip, :keyfile, :certfile, :otp_app, :cipher_suite])
-            |> Keyword.merge(alpn_preferred_protocols: ["h2", "http/1.1"])
+            |> Keyword.merge(alpn_preferred_protocols: supported_protocols)
             |> then(&(Keyword.get(thousand_island_options, :transport_options, []) ++ &1))
             |> Plug.SSL.configure()
             |> case do

diff --git a/test/bandit/initial_handler_test.exs b/test/bandit/initial_handler_test.exs
@@ -19,11 +19,18 @@ defmodule InitialHandlerTest do
       assert SimpleHTTP1Client.connection_closed_for_reading?(client)
     end
 
-    test "closes connection on HTTP/2 request if so configured", context do
+    test "refuses connection on HTTP/2 request if so configured", context do
       context = https_server(context, http_2_options: [enabled: false])
-      socket = SimpleH2Client.tls_client(context)
-      Transport.send(socket, "PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n")
-      assert Transport.recv(socket, 0) == {:error, :closed}
+
+      assert {:error, {:tls_alert, {:no_application_protocol, _}}} =
+               :ssl.connect(~c"localhost", context[:port],
+                 active: false,
+                 mode: :binary,
+                 nodelay: true,
+                 verify: :verify_peer,
+                 cacertfile: Path.join(__DIR__, "../support/ca.pem"),
+                 alpn_advertised_protocols: ["h2"]
+               )
     end
   end
 

diff --git a/test/bandit/websocket/upgrade_test.exs b/test/bandit/websocket/upgrade_test.exs
@@ -62,6 +62,8 @@ defmodule WebSocketUpgradeTest do
       client = SimpleWebSocketClient.tcp_client(context)
       SimpleWebSocketClient.http1_handshake(client, MyNoopWebSock)
 
+      Process.sleep(100)
+
       assert Bandit.TelemetryCollector.get_events(collector_pid)
              ~> [
                {[:bandit, :request, :stop],