Hi Jacob,
On 10/9/2015 4:47 PM, Jacob Champion wrote:
> Stefan,
>
> I'm trying to test mod_http2 for the 2.4.17 release, but I cannot for
> the life of me get ALPN and the h2 protocol working together. h2c
> seems to work, as does http/1.1 over TLS. My hope is that I'm just
> missing a config directive somewhere; can anyone else confirm that h2
> negotiation is working for them?
>
> I've attached a few files; hopefully they help.
>
> - working.txt shows the debug log for an HTTP/1.1 Firefox request that
> ends in a 404. Note "ALPN selected protocol: 'http/1.1'", so ALPN
> appears to be functioning there.
> - not_working.txt shows the same request, but after I've added a
> `Protocols h2 http/1.1` line and restarted the server. Note the
> "h2_h2, error reading 24 bytes speculative" line with status "End of
> file found". Firefox sees a response of zero bytes and does nothing.
> - httpd.conf is my server configuration. (It's the result of trying to
> strip out huge pieces of the actual conf to see where the error
> started from; sorry for the mess.)
>
> It's not just Firefox: nghttp also complains that h2 is not being
> negotiated and refuses to continue with the request. I saw the
> no-matching-SSL-virtual-host error first and thought that might have
> something to do with it, but adding ServerAliases didn't seem to help
> anything.
>
> I'm running on Ubuntu 14.04 with Apache 2.4.17, APR 2.0, OpenSSL
> 1.0.2d, nghttp2 1.3.4.
>
> Thanks for any wisdom you can provide,
>
> --Jacob

I'm betting it's the cipher being used, ECDHE-RSA-AES256-SHA. OpenSSL says
ECDHE-RSA-AES256-SHA = TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

There is a big list of blacklisted ciphers in the RFC:
https://httpwg.github.io/specs/rfc7540.html#BadCipherSuites
You will find that cipher on the list.

I have no real recommendation for you, but the RFC states all
implementations must support
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 or OpenSSL's equivalent,
ECDHE-RSA-AES128-GCM-SHA256.
So it's a starting point.

Happy http/2-ing,
Gregg
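
Added example, not part of the original messages or of httpd/mod_http2: a Python check for the situation Gregg describes, where the negotiated suite is one HTTP/2 prohibits. It applies the rule given in the note under the RFC 7540 Appendix A list (no ephemeral key exchange, or a null/stream/block cipher) as a heuristic on OpenSSL names rather than reproducing the list; the function names and both sample cipher lists are assumptions made for the illustration.

```python
# Added example: heuristic check of OpenSSL TLS 1.2 cipher names against the
# rule stated in the note under the RFC 7540 Appendix A list (not the list itself).
EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-")
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")


def h2_blacklist_reason(openssl_name):
    """Return why a suite is unsuitable for h2, or None if it is acceptable."""
    name = openssl_name.strip().upper()
    if name.startswith("TLS_"):
        return None  # OpenSSL's TLS 1.3 suite names: always AEAD, outside the list
    if not name.startswith(EPHEMERAL_PREFIXES):
        return "key exchange is not DHE/ECDHE"
    if not any(marker in name for marker in AEAD_MARKERS):
        return "not an AEAD cipher (null, stream or CBC)"
    return None


def pick_suite(server_list, client_list, honor_server_order=True):
    """Model TLS suite selection: first entry of the preferred side's list
    that the other side also offers. Lists are colon-separated names."""
    server = [n.strip() for n in server_list.split(":") if n.strip()]
    client = [n.strip() for n in client_list.split(":") if n.strip()]
    first, second = (server, client) if honor_server_order else (client, server)
    for name in first:
        if name in second:
            return name
    return None


def audit(server_list, client_list, honor_server_order=True):
    """Return (negotiated suite, reason it breaks h2 or None)."""
    suite = pick_suite(server_list, client_list, honor_server_order)
    if suite is None:
        return None, "no shared cipher suite"
    return suite, h2_blacklist_reason(suite)


# Constructed sample lists (not taken from the attached logs or httpd.conf).
SERVER = "ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256"
CLIENT = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA:AES128-SHA"

if __name__ == "__main__":
    for honor in (True, False):
        print("server order" if honor else "client order", audit(SERVER, CLIENT, honor))
```

The input must be an already expanded, colon-separated list of suite names such as `openssl ciphers` prints, not an alias string like HIGH:!aNULL.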