Posted to dev@httpd.apache.org by Jacob Champion <ch...@gmail.com> on 2015/10/10 01:47:03 UTC
No luck with `Protocols h2`
Stefan,
I'm trying to test mod_http2 for the 2.4.17 release, but I cannot for
the life of me get ALPN and the h2 protocol working together. h2c seems
to work, as does http/1.1 over TLS. My hope is that I'm just missing a
config directive somewhere; can anyone else confirm that h2 negotiation
is working for them?
I've attached a few files; hopefully they help.
- working.txt shows the debug log for an HTTP/1.1 Firefox request that
ends in a 404. Note "ALPN selected protocol: 'http/1.1'", so ALPN
appears to be functioning there.
- not_working.txt shows the same request, but after I've added a
`Protocols h2 http/1.1` line and restarted the server. Note the "h2_h2,
error reading 24 bytes speculative" line with status "End of file
found". Firefox sees a response of zero bytes and does nothing.
- httpd.conf is my server configuration. (It's the result of trying to
strip out huge pieces of the actual conf to see where the error started
from; sorry for the mess.)
It's not just Firefox: nghttp also complains that h2 is not being
negotiated and refuses to continue with the request. I saw the
no-matching-SSL-virtual-host error first and thought that might have
something to do with it, but adding ServerAliases didn't seem to help
anything.
I'm running on Ubuntu 14.04 with Apache 2.4.17, APR 2.0, OpenSSL 1.0.2d,
nghttp2 1.3.4.
Thanks for any wisdom you can provide,
--Jacob
Re: No luck with `Protocols h2`
Posted by Jacob Champion <ch...@gmail.com>.
On 10/10/2015 12:20 AM, Stefan Eissing wrote:
> In the meantime, I have prepped a howto h2 to point people to in order to give/collect some advice. http://icing.github.io/mod_h2/howto.html
>
> That will, once stable, become part of the official docs.
Great, thanks! That is very helpful. One bit of feedback: in the Firefox
section you say that
> Among the response headers, you see this strange X-Firefox-Spdy entry
> listing "h2". That is the indication that HTTP/2 is used on this
> https: connection.
Another (possibly more future-proof?) indicator in that Network Headers
panel is the "Version: HTTP/2.0" field that is underneath the Status
Code and above the search bar.
>> On 10.10.2015 at 02:24, Jacob Champion <ch...@gmail.com> wrote:
>>
>>> (Haven't figured out the nghttp failure yet though.) Thanks Gregg!
For those following at home, and to save anyone else the trouble...
nghttp still wasn't working, so I
- built Wireshark trunk to get HTTP/2 dissection for the stream, but I
still couldn't decrypt the ephemeral ciphers, so I
- installed an LD_PRELOAD shim to get the pre-master secret keys only to
find that the encrypted alerts were simply disconnection notices, then
noticed that
- NPN was being sent in the Client Hello instead of ALPN, which is
probably because
- my nghttp is using my system OpenSSL (1.0.1) instead of my latest
compile (1.0.2).
The bleeding edge is fun. :)
In any case, I've now got an httpbin instance running in mod_passenger
over HTTP/2, which is very cool. I was originally hoping to help with
the vote, but now that I've discovered my binaries are mismatched, I
wouldn't trust my test results anyway. Maybe next time.
Good luck with the release!
--Jacob
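Jacob's third bullet (NPN in the Client Hello instead of ALPN, because nghttp was linked against the system OpenSSL 1.0.1) is exactly what a packet capture reveals. As an added illustration, not code from this thread, from httpd or from nghttp2, here is a minimal ClientHello extension walker that reports whether a client offered h2 through ALPN (extension type 16, RFC 7301) or only sent the pre-standard NPN extension (type 13172), together with a builder that constructs sample hellos so the check runs offline without a capture. The cipher suite ids 0xC02F and 0xC014 in the constructed sample are the IANA codes of the two suites named elsewhere in this thread; everything else is a constructed example.

```python
import struct

EXT_ALPN = 16      # application_layer_protocol_negotiation, RFC 7301
EXT_NPN = 13172    # 0x3374, the pre-standard next_protocol_negotiation extension

# IANA codes for the two suites discussed in this thread (constructed sample list).
SUITE_NAMES = {
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
}


def _u16(n):
    return struct.pack("!H", n)


def build_client_hello(alpn=None, npn=False, cipher_suites=(0xC02F, 0xC014)):
    """Build a minimal TLS 1.2 ClientHello record so the parser below can run offline.

    alpn: list of protocol names to offer via ALPN, or None for no ALPN extension.
    npn:  also add an (empty) NPN extension, as pre-1.0.2 OpenSSL clients did.
    """
    exts = b""
    if alpn:
        protos = b"".join(bytes([len(p)]) + p.encode("ascii") for p in alpn)
        ext_data = _u16(len(protos)) + protos
        exts += _u16(EXT_ALPN) + _u16(len(ext_data)) + ext_data
    if npn:
        exts += _u16(EXT_NPN) + _u16(0)          # NPN carries no data in the ClientHello
    suites = b"".join(_u16(s) for s in cipher_suites)
    body = (b"\x03\x03" + bytes(32) + b"\x00"    # client_version, random, empty session_id
            + _u16(len(suites)) + suites
            + b"\x01\x00"                        # one compression method: null
            + _u16(len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake  # record type 22 = handshake


def parse_client_hello(rec):
    """Return cipher suites and ALPN/NPN offers found in a ClientHello record."""
    if len(rec) < 9 or rec[0] != 0x16 or rec[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 9 + 2 + 32                              # record hdr, handshake hdr, version, random
    pos += 1 + rec[pos]                           # session_id
    cs_len = struct.unpack("!H", rec[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", rec[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + rec[pos]                           # compression_methods
    info = {"cipher_suites": suites, "alpn": None, "npn": False}
    if pos + 2 > len(rec):
        return info                               # no extensions block at all
    end = pos + 2 + struct.unpack("!H", rec[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", rec[pos:pos + 4])
        data = rec[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == EXT_ALPN:
            info["alpn"] = _parse_alpn(data)
        elif etype == EXT_NPN:
            info["npn"] = True
    return info


def _parse_alpn(data):
    """ALPN data: 2-byte list length, then 1-byte-length-prefixed protocol names."""
    list_len = struct.unpack("!H", data[:2])[0]
    protos, p = [], 2
    while p < 2 + list_len:
        n = data[p]
        protos.append(data[p + 1:p + 1 + n].decode("ascii"))
        p += 1 + n
    return protos


def diagnose(rec):
    """One-line verdict of the kind a capture of the failing handshake would show."""
    info = parse_client_hello(rec)
    if info["alpn"] is not None:
        if "h2" in info["alpn"]:
            return "ALPN offers h2 (%s)" % ", ".join(info["alpn"])
        return "ALPN present but without h2 (%s)" % ", ".join(info["alpn"])
    if info["npn"]:
        return "client offered NPN only, no ALPN: an ALPN-based server sees no h2 offer"
    return "neither ALPN nor NPN offered"


if __name__ == "__main__":
    good = build_client_hello(alpn=["h2", "http/1.1"])
    old = build_client_hello(npn=True)        # what an OpenSSL 1.0.1-linked client sends
    for rec in (good, old):
        info = parse_client_hello(rec)
        print([SUITE_NAMES.get(s, hex(s)) for s in info["cipher_suites"]], diagnose(rec))
```

Feed `parse_client_hello` the first record of a captured TCP stream and the `npn`-only case is immediately visible without decrypting anything, which is the answer Jacob eventually reached via the LD_PRELOAD shim. For a Python client the same "which OpenSSL am I actually linked against" question is answered by `ssl.OPENSSL_VERSION` and `ssl.HAS_ALPN`.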
Re: No luck with `Protocols h2`
Posted by Stefan Eissing <st...@greenbytes.de>.
Glad that Gregg pointed you the right way.
Yes, I'll add that to the todos. There should be a better spec compliance check configurable in the server that gives at least logs for clients that do not comply and are turned down.
In the meantime, I have prepped a howto h2 to point people to in order to give/collect some advice. http://icing.github.io/mod_h2/howto.html
That will, once stable, become part of the official docs.
> On 10.10.2015 at 02:24, Jacob Champion <ch...@gmail.com> wrote:
>
>> On 10/09/2015 05:11 PM, Gregg Smith wrote:
>> I have no real recommendation for you but the RFC states all
>> implementations must support
>> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 or OpenSSL's equivalent
>> ECDHE-RSA-AES128-GCM-SHA256.
>> So it's a starting point.
>
> Perfect! After pulling it up front with
>
> SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:HIGH:MEDIUM:!MD5:!RC4
>
> all appears to be working with Firefox. (Haven't figured out the nghttp failure yet though.) Thanks Gregg!
>
> So, there's some feedback for the module then: that's a really strange failure mode. It would be nice if something in the logs reflected the bad cipher in use, and/or the documentation pointed this interaction out. (Or maybe it already does and I just overlooked it?)
>
> --Jacob
>
Re: No luck with `Protocols h2`
Posted by Jacob Champion <ch...@gmail.com>.
On 10/09/2015 05:11 PM, Gregg Smith wrote:
> I have no real recommendation for you but the RFC states all
> implementations must support
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 or OpenSSL's equivalent
> ECDHE-RSA-AES128-GCM-SHA256.
> So it's a starting point.
Perfect! After pulling it up front with
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:HIGH:MEDIUM:!MD5:!RC4
all appears to be working with Firefox. (Haven't figured out the nghttp
failure yet though.) Thanks Gregg!
So, there's some feedback for the module then: that's a really strange
failure mode. It would be nice if something in the logs reflected the
bad cipher in use, and/or the documentation pointed this interaction
out. (Or maybe it already does and I just overlooked it?)
--Jacob
Re: No luck with `Protocols h2`
Posted by Gregg Smith <gl...@gknw.net>.
Hi Jacob,
On 10/9/2015 4:47 PM, Jacob Champion wrote:
> Stefan,
>
> I'm trying to test mod_http2 for the 2.4.17 release, but I cannot for
> the life of me get ALPN and the h2 protocol working together. h2c
> seems to work, as does http/1.1 over TLS. My hope is that I'm just
> missing a config directive somewhere; can anyone else confirm that h2
> negotiation is working for them?
>
> I've attached a few files; hopefully they help.
> - working.txt shows the debug log for an HTTP/1.1 Firefox request that
> ends in a 404. Note "ALPN selected protocol: 'http/1.1'", so ALPN
> appears to be functioning there.
> - not_working.txt shows the same request, but after I've added a
> `Protocols h2 http/1.1` line and restarted the server. Note the
> "h2_h2, error reading 24 bytes speculative" line with status "End of
> file found". Firefox sees a response of zero bytes and does nothing.
> - httpd.conf is my server configuration. (It's the result of trying to
> strip out huge pieces of the actual conf to see where the error
> started from; sorry for the mess.)
>
> It's not just Firefox: nghttp also complains that h2 is not being
> negotiated and refuses to continue with the request. I saw the
> no-matching-SSL-virtual-host error first and thought that might have
> something to do with it, but adding ServerAliases didn't seem to help
> anything.
>
> I'm running on Ubuntu 14.04 with Apache 2.4.17, APR 2.0, OpenSSL
> 1.0.2d, nghttp2 1.3.4.
>
> Thanks for any wisdom you can provide,
> --Jacob
I'm betting it's the cipher being used, ECDHE-RSA-AES256-SHA. OpenSSL says
ECDHE-RSA-AES256-SHA = TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
There is a big list of blacklisted ciphers in the RFC
https://httpwg.github.io/specs/rfc7540.html#BadCipherSuites
You will find that cipher on the list.
I have no real recommendation for you but the RFC states all
implementations must support
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 or OpenSSL's equivalent
ECDHE-RSA-AES128-GCM-SHA256.
So it's a starting point.
Happy http/2-ing,
Gregg
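Gregg's diagnosis (ECDHE-RSA-AES256-SHA is on the RFC 7540 black list, while TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 is the one suite every HTTP/2 implementation must support) and Jacob's two follow-ups (the SSLCipherSuite fix, and the wish that the module logged the bad cipher) can both be turned into a small check. The following is an added example, not code from this thread, from mod_http2 or from mod_ssl. It does not reproduce the Appendix A table itself; instead it applies the two criteria the RFC's Appendix A note gives for membership in that list (no ephemeral DHE/ECDHE key exchange, or a null, stream or CBC cipher instead of AEAD), accepts both IANA and OpenSSL spellings, and mirrors Jacob's fix of pulling the mandatory suite to the front of the cipher string. The function names and the keyword heuristic in `audit_cipherspec` are this example's own.

```python
"""Check cipher suites against the RFC 7540 HTTP/2 TLS rules (rule-based approximation).

Added illustration for the thread above; not part of mod_http2 or mod_ssl.
Criteria from RFC 7540 section 9.2.2 and the note in Appendix A: the black list is
the set of TLS 1.2 suites that either lack an ephemeral (DHE/ECDHE) key exchange
or use a null, stream or CBC block cipher instead of an AEAD cipher.
"""

# The one suite every HTTP/2 implementation must support (RFC 7540 section 9.2.2),
# in IANA and OpenSSL spelling, as quoted in the thread.
MANDATORY_IANA = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
MANDATORY_OPENSSL = "ECDHE-RSA-AES128-GCM-SHA256"

AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")

REASON_OK = "ephemeral key exchange with AEAD cipher"
REASON_TLS13 = "TLS 1.3 suite (always ephemeral key exchange and AEAD)"
REASON_NO_EPHEMERAL = "no ephemeral (DHE/ECDHE) key exchange"
REASON_NOT_AEAD = "bulk cipher is not AEAD (CBC, stream or null cipher)"


def check_h2_cipher(name):
    """Return (acceptable_for_h2, reason) for an IANA or OpenSSL suite name."""
    if name.startswith("TLS_") and "_WITH_" in name:
        # IANA form: TLS_<keyexchange>_<auth>_WITH_<cipher>_<mac>
        kx, bulk = name[4:].split("_WITH_", 1)
        ephemeral = kx.split("_")[0] in ("ECDHE", "DHE")
    elif name.startswith("TLS_"):
        # OpenSSL spells TLS 1.3 suites TLS_AES_128_GCM_SHA256 etc.; section 9.2.2
        # targets TLS 1.2, and every TLS 1.3 suite is ephemeral + AEAD anyway.
        return True, REASON_TLS13
    else:
        # OpenSSL form: <kx>-<auth>-<cipher>-<mac>; RSA key transport has no prefix
        # (e.g. AES128-GCM-SHA256). EDH- is OpenSSL's older alias for DHE-.
        bulk = name
        ephemeral = name.startswith(("ECDHE-", "DHE-", "EDH-"))
    if not ephemeral:
        return False, REASON_NO_EPHEMERAL
    if not any(marker in bulk for marker in AEAD_MARKERS):
        return False, REASON_NOT_AEAD
    return True, REASON_OK


def diagnose_connection(alpn, cipher):
    """The log line Jacob asked for: flag an h2 connection on a black-listed suite."""
    ok, reason = check_h2_cipher(cipher)
    if alpn != "h2":
        return "ALPN selected %r; RFC 7540 cipher rules do not apply" % alpn
    if ok:
        return "h2 on %s: OK (%s)" % (cipher, reason)
    return ("h2 on %s: black-listed by RFC 7540 (%s); the peer may close the "
            "connection with INADEQUATE_SECURITY" % (cipher, reason))


def audit_cipherspec(spec):
    """Classify each explicitly named suite in an OpenSSL cipher string.

    Group keywords (HIGH, MEDIUM, aRSA, ...) and modifiers (!MD5, -RC4, +..., @STRENGTH)
    can only be expanded by the OpenSSL library itself, so they are reported as such.
    Heuristic (this example's own): a token with no '-' or starting with a modifier
    character is not a suite name.
    """
    report = []
    for tok in spec.split(":"):
        if not tok:
            continue
        if tok[0] in "!-+@" or "-" not in tok:
            report.append((tok, None, "keyword or modifier; expand with `openssl ciphers -v`"))
        else:
            ok, reason = check_h2_cipher(tok)
            report.append((tok, ok, reason))
    return report


def prefer_h2_suite(spec):
    """Put the mandatory h2 suite first, as the thread's SSLCipherSuite fix did."""
    tokens = [t for t in spec.split(":") if t]
    if tokens and tokens[0] == MANDATORY_OPENSSL:
        return spec
    tokens = [t for t in tokens if t != MANDATORY_OPENSSL]
    return ":".join([MANDATORY_OPENSSL] + tokens)


if __name__ == "__main__":
    # Constructed sample: the suite Gregg identified in both spellings, the fix, and
    # an AEAD suite that still fails for lack of an ephemeral key exchange.
    for suite in ("ECDHE-RSA-AES256-SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
                  MANDATORY_OPENSSL, "AES128-GCM-SHA256"):
        print("%-42s %s" % (suite, check_h2_cipher(suite)))
    print(diagnose_connection("h2", "ECDHE-RSA-AES256-SHA"))
    print(prefer_h2_suite("HIGH:MEDIUM:!MD5:!RC4"))
    for tok, ok, why in audit_cipherspec("ECDHE-RSA-AES128-GCM-SHA256:HIGH:MEDIUM:!MD5:!RC4"):
        print("%-30s %-5s %s" % (tok, ok, why))
```

Because the classifier is rule-based, a suite it rejects is rejected for a reason that can be logged next to the cipher name, which is the missing diagnostic the thread asks for; for an authoritative answer on any particular suite, the Appendix A table linked above remains the reference.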