From 2eefedb6318cf0ed52c7d62da18e892b78c2dbd0 Mon Sep 17 00:00:00 2001
From: Andrea Panattoni
Date: Fri, 20 Oct 2023 12:17:12 +0200
Subject: [PATCH] webhook: Disable HTTP2 by default

From docs: net/http/server.go "[...] If TLSNextProto is not nil, HTTP/2 support is not enabled automatically." Server.TLSNextProto

Signed-off-by: Andrea Panattoni
---
 cmd/webhook/start.go | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/cmd/webhook/start.go b/cmd/webhook/start.go
index d1973d575..d400a51b3 100644
--- a/cmd/webhook/start.go
+++ b/cmd/webhook/start.go
@@ -17,9 +17,10 @@ import (
 )
 
 var (
- certFile string
- keyFile string
- port int
+ certFile string
+ keyFile string
+ port int
+ enableHTTP2 bool
 )
 
 var (
@@ -48,6 +49,7 @@ func init() {
 "File containing the default x509 private key matching --tls-cert-file.")
 startCmd.Flags().IntVar(&port, "port", 443,
 "Secure port that the webhook listens on")
+ startCmd.Flags().BoolVar(&enableHTTP2, "enable-http2", false, "If HTTP/2 should be enabled for the metrics and webhook servers.")
 }
 
 // serve handles the http portion of a request prior to handing to an admit
@@ -152,6 +154,11 @@ func runStartCmd(cmd *cobra.Command, args []string) {
 TLSConfig: &tls.Config{
 GetCertificate: keyPair.GetCertificateFunc(),
 },
+ // CVE-2023-39325 https://github.com/golang/go/issues/63417
+ TLSNextProto: make(map[string]func(*http.Server, *tls.Conn, http.Handler)),
+ }
+ if enableHTTP2 {
+ server.TLSNextProto = nil
 }
 err := server.ListenAndServeTLS("", "")
 if err != nil {
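Review bot: The help text of the new `--enable-http2` flag promises to cover "the metrics and webhook servers", but the only server this patch touches is the webhook `http.Server` in runStartCmd; if a metrics listener exists elsewhere in the file it is not wired to `enableHTTP2` here, so either that server needs the same `TLSNextProto` treatment or the text should claim less. I would narrow it to `"Enable HTTP/2 on the webhook server (disabled by default, see CVE-2023-39325)."`, and split the description onto its own line like the neighbouring `IntVar` call for consistency. The `init` function this hunk sits in starts before the hunk.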
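Review bot: The comment on the added `TLSNextProto` line names only the CVE, not the mechanism or the fact that this is a mitigation rather than the fix: a non-nil (even empty) `TLSNextProto` is the documented opt-out that stops net/http from advertising h2 at all, whereas `--enable-http2` restores `nil` and the server is then protected only if the Go toolchain (and any golang.org/x/net/http2 in use) carries the CVE-2023-39325 fix, which this patch cannot verify. I would replace the one-line comment with something like `// A non-nil TLSNextProto disables net/http's automatic HTTP/2 setup, so HTTP/2 (and the` `// CVE-2023-39325 rapid-reset DoS, golang/go#63417) is off unless --enable-http2 is set.` `// Enabling it assumes a patched Go toolchain; it is not a fix on its own.` A log line when `enableHTTP2` is true would also make the downgraded posture visible in deployments. The `server` struct literal begins before the hunk, so whether read/write timeouts are set on it cannot be seen here.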