Message-ID: <561857BB.3060101@gknw.net>
Date: Fri, 09 Oct 2015 17:11:39 -0700
From: Gregg Smith
To: dev@httpd.apache.org
Subject: Re: No luck with `Protocols h2`
References: <561851F7.1000406@gmail.com>
In-Reply-To: <561851F7.1000406@gmail.com>

Hi Jacob,

On 10/9/2015 4:47 PM, Jacob Champion wrote:
> Stefan,
>
> I'm trying to test mod_http2 for the 2.4.17 release, but I cannot for
> the life of me get ALPN and the h2 protocol working together. h2c
> seems to work, as does http/1.1 over TLS. My hope is that I'm just
> missing a config directive somewhere; can anyone else confirm that h2
> negotiation is working for them?
>
> I've attached a few files; hopefully they help.
> - working.txt shows the debug log for an HTTP/1.1 Firefox request that
>   ends in a 404. Note "ALPN selected protocol: 'http/1.1'", so ALPN
>   appears to be functioning there.
> - not_working.txt shows the same request, but after I've added a
>   `Protocols h2 http/1.1` line and restarted the server. Note the
>   "h2_h2, error reading 24 bytes speculative" line with status "End of
>   file found". Firefox sees a response of zero bytes and does nothing.
> - httpd.conf is my server configuration. (It's the result of trying to
>   strip out huge pieces of the actual conf to see where the error
>   started from; sorry for the mess.)
>
> It's not just Firefox: nghttp also complains that h2 is not being
> negotiated and refuses to continue with the request. I saw the
> no-matching-SSL-virtual-host error first and thought that might have
> something to do with it, but adding ServerAliases didn't seem to help
> anything.
>
> I'm running on Ubuntu 14.04 with Apache 2.4.17, APR 2.0, OpenSSL
> 1.0.2d, nghttp2 1.3.4.
>
> Thanks for any wisdom you can provide,
> --Jacob

I'm betting it's the cipher being used, ECDHE-RSA-AES256-SHA. OpenSSL says
ECDHE-RSA-AES256-SHA = TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA.

There is a big list of blacklisted ciphers in the RFC:
https://httpwg.github.io/specs/rfc7540.html#BadCipherSuites
You will find that cipher on the list.

I have no real recommendation for you, but the RFC states all
implementations must support TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, or
OpenSSL's equivalent ECDHE-RSA-AES128-GCM-SHA256. So it's a starting
point.

Happy http/2-ing,

Gregg
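The check Gregg is describing by hand (is the suite mod_ssl ends up negotiating one that RFC 7540 black-lists?) can be scripted against the local libssl. The block below is an added example and is not code from the thread, from mod_http2 or from the httpd project. It applies the criteria RFC 7540 section 9.2.2 uses to build the Appendix A list: a TLS 1.2 suite is unacceptable for h2 if it lacks ephemeral key exchange (ECDHE/DHE), uses a non-AEAD cipher (CBC, RC4, NULL, 3DES) or a cipher weaker than 128 bits; the literal Appendix A list remains the authority, and treating PSK/anonymous suites as rejected is a simplification of that list. The field names and values (`kea`, `auth`, `aead`, `alg_bits`, `kx-ecdhe`, `auth-rsa`, ...) are assumed to be those CPython's `ssl.SSLContext.get_ciphers()` reports from OpenSSL 1.1 or later; the sample records are constructed to mirror that shape for the two suites named in the reply plus one RSA-key-exchange suite.

```python
"""Audit an OpenSSL cipher string (the form mod_ssl's SSLCipherSuite takes)
against the RFC 7540 section 9.2.2 criteria for HTTP/2.

Added example, not part of the httpd project or the thread above.  The
authoritative black list is RFC 7540 Appendix A; this applies the rule the
RFC says that list was derived from, not the list itself.
"""
import ssl
from typing import Optional

# Key-exchange / auth identifiers as CPython's ssl module reports them
# (assumed names; they come from OpenSSL's kx-*/auth-* object names).
EPHEMERAL_KX = {"kx-ecdhe", "kx-dhe"}
CERT_AUTH = {"auth-rsa", "auth-ecdsa"}


def rfc7540_reject_reason(cipher: dict) -> Optional[str]:
    """Return why a cipher record (shape of ssl.SSLContext.get_ciphers())
    would be rejected for h2, or None if it satisfies section 9.2.2."""
    if cipher.get("protocol") == "TLSv1.3":
        return None  # the RFC 7540 rules are written for TLS 1.2 suites
    if cipher["kea"] not in EPHEMERAL_KX:
        return "no ephemeral key exchange (%s)" % cipher["kea"]
    if cipher["auth"] not in CERT_AUTH:
        # Simplification: PSK/SRP/anonymous suites are treated as rejected.
        return "not certificate-authenticated (%s)" % cipher["auth"]
    if not cipher["aead"]:
        return "non-AEAD cipher (%s)" % cipher["symmetric"]
    if cipher["alg_bits"] < 128:
        return "cipher weaker than 128 bits (%d)" % cipher["alg_bits"]
    return None


def audit_cipher_string(openssl_cipher_string: str) -> list:
    """Expand an OpenSSL cipher string with the local libssl and return
    [(name, reason)] for every suite HTTP/2 would reject.  An empty list
    means every enabled suite is h2-compatible."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(openssl_cipher_string)
    hits = []
    for c in ctx.get_ciphers():
        reason = rfc7540_reject_reason(c)
        if reason:
            hits.append((c["name"], reason))
    return hits


# Constructed sample records mirroring get_ciphers() output for the suites
# discussed in the reply, plus a plain-RSA key-exchange suite for contrast.
THREAD_EXAMPLES = [
    {"name": "ECDHE-RSA-AES256-SHA", "protocol": "TLSv1", "kea": "kx-ecdhe",
     "auth": "auth-rsa", "symmetric": "aes-256-cbc", "aead": False,
     "alg_bits": 256},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2",
     "kea": "kx-ecdhe", "auth": "auth-rsa", "symmetric": "aes-128-gcm",
     "aead": True, "alg_bits": 128},
    {"name": "AES128-GCM-SHA256", "protocol": "TLSv1.2", "kea": "kx-rsa",
     "auth": "auth-rsa", "symmetric": "aes-128-gcm", "aead": True,
     "alg_bits": 128},
]


if __name__ == "__main__":
    for rec in THREAD_EXAMPLES:
        print("%-32s %s" % (rec["name"], rfc7540_reject_reason(rec) or "ok"))
    # Audit the string Jacob's log suggests was winning, alongside the
    # suite the RFC makes mandatory.
    for name, why in audit_cipher_string(
            "ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256"):
        print("h2 would reject %s: %s" % (name, why))
```

Run it with the exact `SSLCipherSuite` value from httpd.conf to see which enabled suites a browser or nghttp can legitimately refuse under h2; anything it lists is a candidate for the "error reading 24 bytes speculative" symptom, since the client has nothing left to send once it rejects the handshake. The `__main__` block only prints; the reusable results are the return values of the two functions.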