httpd-dev mailing list archives

From Gregg Smith <...@gknw.net>
Subject Re: No luck with `Protocols h2`
Date Sat, 10 Oct 2015 00:11:39 GMT

Hi Jacob,

On 10/9/2015 4:47 PM, Jacob Champion wrote:
> Stefan,
>
> I'm trying to test mod_http2 for the 2.4.17 release, but I cannot for 
> the life of me get ALPN and the h2 protocol working together. h2c 
> seems to work, as does http/1.1 over TLS. My hope is that I'm just 
> missing a config directive somewhere; can anyone else confirm that h2 
> negotiation is working for them?
>
> I've attached a few files; hopefully they help.
> - working.txt shows the debug log for an HTTP/1.1 Firefox request that 
> ends in a 404. Note "ALPN selected protocol: 'http/1.1'", so ALPN 
> appears to be functioning there.
> - not_working.txt shows the same request, but after I've added a 
> `Protocols h2 http/1.1` line and restarted the server. Note the 
> "h2_h2, error reading 24 bytes speculative" line with status "End of 
> file found". Firefox sees a response of zero bytes and does nothing.
> - httpd.conf is my server configuration. (It's the result of trying to 
> strip out huge pieces of the actual conf to see where the error 
> started from; sorry for the mess.)
>
> It's not just Firefox: nghttp also complains that h2 is not being 
> negotiated and refuses to continue with the request. I saw the 
> no-matching-SSL-virtual-host error first and thought that might have 
> something to do with it, but adding ServerAliases didn't seem to help 
> anything.
>
> I'm running on Ubuntu 14.04 with Apache 2.4.17, APR 2.0, OpenSSL 
> 1.0.2d, nghttp2 1.3.4.
>
> Thanks for any wisdom you can provide,
> --Jacob

I'm betting it's the cipher being used, ECDHE-RSA-AES256-SHA. OpenSSL says:
ECDHE-RSA-AES256-SHA = TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

There is a big list of blacklisted ciphers in the RFC:
https://httpwg.github.io/specs/rfc7540.html#BadCipherSuites
You will find that cipher on the list.

I have no real recommendation for you but the RFC states all 
implementations must support
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 or OpenSSL's equivalent 
ECDHE-RSA-AES128-GCM-SHA256.
So it's a starting point.

Happy http/2-ing,

Gregg
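
The rule behind the RFC 7540 blacklist referred to above, as an added example that is not part of the original message: Appendix A of the RFC describes the list as the TLS 1.2 suites that lack an ephemeral key exchange or that use a null, stream or block cipher, and this Python check applies that description to suite names rather than reproducing the list itself. The function names are assumptions, and the OpenSSL-to-IANA table holds only the two pairs given in the message.

```python
import re

# OpenSSL -> IANA names; only the two pairs quoted in the message above.
OPENSSL_TO_IANA = {
    "ECDHE-RSA-AES256-SHA": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "ECDHE-RSA-AES128-GCM-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}

EPHEMERAL_KX = {"DHE", "ECDHE"}                   # tokens marking ephemeral (EC)DH
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20_POLY1305")  # AEAD cipher types


def h2_cipher_verdict(name):
    """Return (ok, reason) for an IANA suite name or a mapped OpenSSL name.

    Assumption: approximates RFC 7540 Appendix A by its stated criteria,
    it does not contain the appendix's literal list.
    """
    iana = OPENSSL_TO_IANA.get(name, name)
    m = re.fullmatch(r"TLS_(\w+?)_WITH_(\w+)", iana)
    if not m:
        return False, "unrecognised suite name: " + name
    kx, cipher = m.groups()
    if not EPHEMERAL_KX & set(kx.split("_")):
        return False, iana + ": key exchange " + kx + " is not DHE or ECDHE"
    if not any(marker in cipher for marker in AEAD_MARKERS):
        return False, iana + ": " + cipher + " is a null, stream or block cipher"
    return True, iana + ": ephemeral key exchange with an AEAD cipher"


def rejected(names):
    """Names from a server's cipher list that an HTTP/2 client may refuse."""
    return [n for n in names if not h2_cipher_verdict(n)[0]]


if __name__ == "__main__":
    # Constructed sample: the suite from the thread, the mandatory suite,
    # and two further IANA names for contrast.
    sample = [
        "ECDHE-RSA-AES256-SHA",
        "ECDHE-RSA-AES128-GCM-SHA256",
        "TLS_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    ]
    for suite in sample:
        ok, reason = h2_cipher_verdict(suite)
        print("OK    " if ok else "REJECT", reason)
```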
