From 43714179b11d2612881903d8e7cdeff2b2ea5665 Mon Sep 17 00:00:00 2001
From: Carlos Goncalves
Date: Fri, 20 Oct 2023 13:25:03 +0200
Subject: [PATCH] Disable HTTP/2 by default

Signed-off-by: Carlos Goncalves
---
 cmd/webhook/main.go | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/cmd/webhook/main.go b/cmd/webhook/main.go
index 3f005c1d..2497965f 100644
--- a/cmd/webhook/main.go
+++ b/cmd/webhook/main.go
@@ -52,6 +52,7 @@ func main() {
 insecure := flag.Bool("insecure", false, "Disable adding client CA to server TLS endpoint --insecure")
 flag.Var(&clientCAPaths, "client-ca", "File containing client CA. This flag is repeatable if more than one client CA needs to be added to server")
 healthCheckPort := flag.Int("health-check-port", 8444, "The port to use for health check monitoring")
+ enableHTTP2 := flag.Bool("enable-http2", false, "If HTTP/2 should be enabled for the webhook server.")
 
 // do initialization of control switches flags
 controlSwitches := controlswitches.SetupControlSwitchesFlags()
@@ -170,6 +171,11 @@ func main() {
 },
 }
 
+ // CVE-2023-39325 https://github.com/golang/go/issues/63417
+ if !*enableHTTP2 {
+ httpServer.TLSConfig.NextProtos = []string{"http/1.1"}
+ }
+
 err := httpServer.ListenAndServeTLS("", "")
 if err != nil {
 glog.Fatalf("error starting web server: %v", err)
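Review bot: Restricting `TLSConfig.NextProtos` to http/1.1 may not actually keep HTTP/2 off on this code path, because the server is started with `httpServer.ListenAndServeTLS("", "")` three lines below: as I read net/http, ServeTLS runs the bundled HTTP/2 setup whenever `TLSNextProto` is nil, and that setup appends "h2" to `TLSConfig.NextProtos` and registers the h2 handler, so a client that offers only h2 in ALPN can still negotiate it. The documented way to disable server-side HTTP/2 is a non-nil empty map, `httpServer.TLSNextProto = map[string]func(*http.Server, *tls.Conn, http.Handler){}` (needs `crypto/tls` imported if it is not already), and the result is worth confirming with an ALPN probe such as `openssl s_client -alpn h2` against a build with the flag unset. The assignment also dereferences `httpServer.TLSConfig`, which the `},`/`}` context lines suggest is populated in the literal above the hunk but is not visible here, so a nil guard would make the intent robust. The stdlib fix for CVE-2023-39325 is the patched Go toolchain (1.21.3 / 1.20.10), so this flag is a mitigation rather than a substitute for rebuilding with a fixed Go. The enclosing func main starts and ends outside the hunk.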