Short version: I believe I've found a bug in the way the server that calls itself "tsa_a" at https://syndication.twitter.com implements RFC7540. It's causing problems for the HTTP2 client software I'm writing because I'm checking for all the error conditions mentioned in the RFC and can't connect to that server sometimes. Anybody has an idea where do I report this since it is not a security vulnerability and it's nowhere near any of the categories mentioned at https://support.twitter.com/forms?
Long version: I have a pcap where after sending connection preface, my client creates a priority tree that includes streams 3, 5, 7, 9, 11. The streams are still in the idle state and the server doesn't like this, so it goes on to close all of them with RST_STREAM message, code STREAM_CLOSED. This is actually a bad idea, since the RFC explicitly states that
" RST_STREAM frames MUST NOT be sent for a stream in the "idle" state.
If a RST_STREAM frame identifying an idle stream is received, the
recipient MUST treat this as a connection error (Section 5.4.1) of
This means that a properly implemented HTTP2 client will sometimes be unable to connect to https://syndication.twitter.com.