You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@trafficserver.apache.org by 彭勇 <pp...@pubyun.com> on 2017/03/12 09:55:36 UTC
http2 support on chrome
i setup a ATS, then enable ssl and http2.
curl shows ATS works fine. and chrome 56 shows it use protocal http
1.1 to connect to ATS. is there any ALPN / NPN negotiating problem
between chrome and ATS?
how can i serve http2 for chrome?
$ curl -vso /dev/null --http2 https://test.yaako.com
<<<
* Rebuilt URL to: https://test.yaako.com/
* Trying 118.184.176.21...
* TCP_NODELAY set
* Connected to test.yaako.com (118.184.176.21) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /usr/local/etc/openssl/cert.pem
CApath: /usr/local/etc/openssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [129 bytes data]
* NPN, negotiated HTTP2 (h2)
{ [5 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [2471 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
{ [42 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
} [7 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Unknown (67):
} [36 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=test.yaako.com
* start date: Mar 12 01:50:00 2017 GMT
* expire date: Jun 10 01:50:00 2017 GMT
* subjectAltName: host "test.yaako.com" matched cert's "test.yaako.com"
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x7fc19c801600)
} [5 bytes data]
> GET / HTTP/2
> Host: test.yaako.com
> User-Agent: curl/7.53.1
> Accept: */*
>
{ [5 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
} [5 bytes data]
< HTTP/2 200
< server: nginx/1.10.2
< date: Sun, 12 Mar 2017 09:52:35 GMT
< content-type: text/html
< content-length: 1958
< last-modified: Fri, 03 Mar 2017 04:34:32 GMT
< etag: "58b8f258-7a6"
< accept-ranges: bytes
< age: 0
< via: http/1.1 h118-184-176-21 (ats/6.2.x)
<
{ [5 bytes data]
* Connection #0 to host test.yaako.com left intact
--
Peng Yong
Re: http2 support on chrome
Posted by 彭勇 <pp...@pubyun.com>.
redhat bugzilla #1276310 said Fixed In Version: openssl-1.0.2k-1.el7.
and i found a 1.0.2k package:
https://copr-be.cloud.fedoraproject.org/results/bitshaka/openssl-lts/epel-7-x86_64/00504994-openssl/
https://copr.fedorainfracloud.org/coprs/bitshaka/
Rebuild openssl-1.0.2 packages from https://koji.fedoraproject.org/
for CentOS/RHEL 7.x Motivation The OpenSSL version shipped is rather
outdated, and, more importantly will not be supported any more. Also
available is the 1.0.2 series. This is also our Long Term Support
(LTS) version (support will be provided until 31st December 2019). The
1.0.1 version is currently only receiving security bug fixes and all
support will be discontinued for this version on 31st December 2016.
OpenSSL Download Page Note The built packages should be binary
compatible with all packages that depend on OpenSSL currently shipped
with CentOS/RHEL 7.x (judging from the head of the specfile 1.0.0
soversion = 10) Features OpenSSL 1.0.2 includes a number of
improvements, most importantly, support for ALPN (e.i. enabling
HTTP2). For a full list have a look at
https://www.openssl.org/news/openssl-1.0.2-notes.html.
then i upgrade to 1.0.2k.
after i recompile traffic server, it works now.
On Sun, Mar 12, 2017 at 11:41 PM, Reindl Harald <h....@thelounge.net> wrote:
>
>
> Am 12.03.2017 um 16:21 schrieb Leif Hedstrom:
>>
>> You can always build your own OpenSSL, installed in a separate directory
>> (don't mess with the system OpenSSL). And then tell ATS configure to use
>> that tree. That's what most of us do on the older distros.
>
>
> yes, but then you no longer use trafficserver-6.2.1-2.el7.centos.x86_64 as
> RPM beause you have to build ATS also at your own
>
> when the machine is a dedicated proxy you no longer have many reasons using
> CentOS at all and can at the same time go to a recent ATS version which just
> overrides the distro packages (dunno what Fedora currently ships as example)
>
> [root@proxy:~]$ rpm -q trafficserver
> trafficserver-7.0.0-1.fc24.20170120.rh.x86_64
>
> [root@proxy:~]$ rpm -q --filesbypkg trafficserver
> trafficserver /etc/ld.so.conf.d/trafficserver-x86_64.conf
> trafficserver /etc/trafficserver
> trafficserver /etc/trafficserver/body_factory
> trafficserver /etc/trafficserver/body_factory/default
> trafficserver /etc/trafficserver/body_factory/default/.body_factory_info
> trafficserver /etc/trafficserver/internal
> trafficserver /etc/trafficserver/snapshots
> trafficserver /etc/trafficserver/ssl
> trafficserver /etc/trafficserver/trafficserver-release
> trafficserver /run/trafficserver
> trafficserver /usr/bin/traffic_cop
> trafficserver /usr/bin/traffic_crashlog
> trafficserver /usr/bin/traffic_ctl
> trafficserver /usr/bin/traffic_layout
> trafficserver /usr/bin/traffic_logcat
> trafficserver /usr/bin/traffic_logstats
> trafficserver /usr/bin/traffic_manager
> trafficserver /usr/bin/traffic_server
> trafficserver /usr/bin/traffic_top
> trafficserver /usr/bin/traffic_via
> trafficserver /usr/lib/systemd/system/trafficserver.service
> trafficserver /usr/lib/tmpfiles.d/trafficserver.conf
> trafficserver /usr/lib64/trafficserver
> trafficserver /usr/lib64/trafficserver/libatscppapi.so.7
> trafficserver /usr/lib64/trafficserver/libatscppapi.so.7.0.0
> trafficserver /usr/lib64/trafficserver/libtsconfig.so.7
> trafficserver /usr/lib64/trafficserver/libtsconfig.so.7.0.0
> trafficserver /usr/lib64/trafficserver/libtsmgmt.so.7
> trafficserver /usr/lib64/trafficserver/libtsmgmt.so.7.0.0
> trafficserver /usr/lib64/trafficserver/libtsutil.so.7
> trafficserver /usr/lib64/trafficserver/libtsutil.so.7.0.0
> trafficserver /var/cache/trafficserver
> trafficserver /var/log/trafficserver
>
>
>>> On Mar 12, 2017, at 9:18 AM, 彭勇 <pp...@pubyun.com> wrote:
>>>
>>> openssl 1.0.2 will be ready for RHEL 7.4.
>>>
>>> i can't find a solution to upgrade openssl for centos 7.3 now, as
>>> openssl is a base library of the system.
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1276310
>>>
>>>> On Sun, Mar 12, 2017 at 11:11 PM, Reindl Harald <h....@thelounge.net>
>>>> wrote:
>>>>
>>>>
>>>>> Am 12.03.2017 um 15:03 schrieb Masaori Koshiba:
>>>>>
>>>>> Hi Peng,
>>>>>
>>>>> If I remember correctly, Chrome stopped NPN support last year. From
>>>>> your
>>>>> log, your ATS is using NPN only.
>>>>> If you're using OpenSSL, the version could be old. OpenSSL has ALPN
>>>>> support from 1.0.2.
>>>>
>>>>
>>>>
>>>> and RHEL7 has only 1.0.1
>>>> openssl-1.0.1e-60.el7_3.1.x86_64
>>>>
>>>> that' why we are running Fedora for nearly everything for a deacde now
>>>> because all that LTS stuff becomes way too fast annyoing - it's fine for
>>>> storage devices and routers / firewalls and for hosting legacy crap but
>>>> that's it
>>>>
>>>>>> * NPN, negotiated HTTP2 (h2)
>>>>>> ALPN, server did not agree to a protocol
>>>>
>>>>
>>>>
>>>> https://www.ssllabs.com/ssltest/
>>>>
>>>>> 2017年3月12日(日) 20:49 彭勇 <ppyy@pubyun.com <ma...@pubyun.com>>:
>>>>>
>>>>> i install 6.2.1 stable version on centos 7.
>>>>>
>>>>> $ rpm -qa|grep traffic
>>>>> trafficserver-6.2.1-2.el7.centos.x86_64
>>>>>
>>>>> yes, curl can works fine with http2. and chrome choose http 1.1.
>>>>>
>>>>> On Sun, Mar 12, 2017 at 6:40 PM, Reindl Harald
>>>>> <h.reindl@thelounge.net <ma...@thelounge.net>> wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>> Am 12.03.2017 um 10:55 schrieb 彭勇:
>>>>>>>
>>>>>>> i setup a ATS, then enable ssl and http2.
>>>>>>>
>>>>>>> curl shows ATS works fine. and chrome 56 shows it use protocal http
>>>>>>> 1.1 to connect to ATS. is there any ALPN / NPN negotiating problem
>>>>>>> between chrome and ATS?
>>>>>>>
>>>>>>> how can i serve http2 for chrome?
>>>>>>
>>>>>>
>>>>>>
>>>>>> i doubt that you need anything to do, at least with ATS 7.0 curl
>>>>>
>>>>> don't need
>>>>>>
>>>>>> any param and choses HTTP2 automatically and so every browser can
>>>>>
>>>>> do - maybe
>>>>>>
>>>>>> your ATS is just outdated?
>>>>>>
>>>>>> [harry@srv-rhsoft:~]$ curl --head https://www.thelounge.net/
>>>>>> HTTP/2.0 200
>>>>>> date:Sun, 12 Mar 2017 10:38:55 GMT
>>>>>> x-dns-prefetch-control:off
>>>>>> x-content-type-options:nosniff
>>>>>> x-response-time:D=5111 us
>>>>>> last-modified:Thu, 03 Sep 2015 09:04:29 GMT
>>>>>> expires:Sun, 12 Mar 2017 12:38:55 GMT
>>>>>> cache-control:public, proxy-revalidate
>>>>>> etag:04ea5ea0c7b43fd2fb3ee18d68b96557
>>>>>> vary:Accept-Encoding,User-Agent
>>>>>> content-type:text/html; charset=ISO-8859-1
>>>>>> age:6
>>>>>> content-length:11658
--
Peng Yong
Re: http2 support on chrome
Posted by Reindl Harald <h....@thelounge.net>.
Am 12.03.2017 um 16:21 schrieb Leif Hedstrom:
> You can always build your own OpenSSL, installed in a separate directory (don't mess with the system OpenSSL). And then tell ATS configure to use that tree. That's what most of us do on the older distros.
yes, but then you no longer use trafficserver-6.2.1-2.el7.centos.x86_64
as RPM beause you have to build ATS also at your own
when the machine is a dedicated proxy you no longer have many reasons
using CentOS at all and can at the same time go to a recent ATS version
which just overrides the distro packages (dunno what Fedora currently
ships as example)
[root@proxy:~]$ rpm -q trafficserver
trafficserver-7.0.0-1.fc24.20170120.rh.x86_64
[root@proxy:~]$ rpm -q --filesbypkg trafficserver
trafficserver /etc/ld.so.conf.d/trafficserver-x86_64.conf
trafficserver /etc/trafficserver
trafficserver /etc/trafficserver/body_factory
trafficserver /etc/trafficserver/body_factory/default
trafficserver
/etc/trafficserver/body_factory/default/.body_factory_info
trafficserver /etc/trafficserver/internal
trafficserver /etc/trafficserver/snapshots
trafficserver /etc/trafficserver/ssl
trafficserver /etc/trafficserver/trafficserver-release
trafficserver /run/trafficserver
trafficserver /usr/bin/traffic_cop
trafficserver /usr/bin/traffic_crashlog
trafficserver /usr/bin/traffic_ctl
trafficserver /usr/bin/traffic_layout
trafficserver /usr/bin/traffic_logcat
trafficserver /usr/bin/traffic_logstats
trafficserver /usr/bin/traffic_manager
trafficserver /usr/bin/traffic_server
trafficserver /usr/bin/traffic_top
trafficserver /usr/bin/traffic_via
trafficserver /usr/lib/systemd/system/trafficserver.service
trafficserver /usr/lib/tmpfiles.d/trafficserver.conf
trafficserver /usr/lib64/trafficserver
trafficserver /usr/lib64/trafficserver/libatscppapi.so.7
trafficserver /usr/lib64/trafficserver/libatscppapi.so.7.0.0
trafficserver /usr/lib64/trafficserver/libtsconfig.so.7
trafficserver /usr/lib64/trafficserver/libtsconfig.so.7.0.0
trafficserver /usr/lib64/trafficserver/libtsmgmt.so.7
trafficserver /usr/lib64/trafficserver/libtsmgmt.so.7.0.0
trafficserver /usr/lib64/trafficserver/libtsutil.so.7
trafficserver /usr/lib64/trafficserver/libtsutil.so.7.0.0
trafficserver /var/cache/trafficserver
trafficserver /var/log/trafficserver
>> On Mar 12, 2017, at 9:18 AM, \u5f6d\u52c7 <pp...@pubyun.com> wrote:
>>
>> openssl 1.0.2 will be ready for RHEL 7.4.
>>
>> i can't find a solution to upgrade openssl for centos 7.3 now, as
>> openssl is a base library of the system.
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=1276310
>>
>>> On Sun, Mar 12, 2017 at 11:11 PM, Reindl Harald <h....@thelounge.net> wrote:
>>>
>>>
>>>> Am 12.03.2017 um 15:03 schrieb Masaori Koshiba:
>>>>
>>>> Hi Peng,
>>>>
>>>> If I remember correctly, Chrome stopped NPN support last year. From your
>>>> log, your ATS is using NPN only.
>>>> If you're using OpenSSL, the version could be old. OpenSSL has ALPN
>>>> support from 1.0.2.
>>>
>>>
>>> and RHEL7 has only 1.0.1
>>> openssl-1.0.1e-60.el7_3.1.x86_64
>>>
>>> that' why we are running Fedora for nearly everything for a deacde now
>>> because all that LTS stuff becomes way too fast annyoing - it's fine for
>>> storage devices and routers / firewalls and for hosting legacy crap but
>>> that's it
>>>
>>>>> * NPN, negotiated HTTP2 (h2)
>>>>> ALPN, server did not agree to a protocol
>>>
>>>
>>> https://www.ssllabs.com/ssltest/
>>>
>>>> 2017\u5e743\u670812\u65e5(\u65e5) 20:49 \u5f6d\u52c7 <ppyy@pubyun.com <ma...@pubyun.com>>:
>>>>
>>>> i install 6.2.1 stable version on centos 7.
>>>>
>>>> $ rpm -qa|grep traffic
>>>> trafficserver-6.2.1-2.el7.centos.x86_64
>>>>
>>>> yes, curl can works fine with http2. and chrome choose http 1.1.
>>>>
>>>> On Sun, Mar 12, 2017 at 6:40 PM, Reindl Harald
>>>> <h.reindl@thelounge.net <ma...@thelounge.net>> wrote:
>>>>>
>>>>>
>>>>>> Am 12.03.2017 um 10:55 schrieb \u5f6d\u52c7:
>>>>>>
>>>>>> i setup a ATS, then enable ssl and http2.
>>>>>>
>>>>>> curl shows ATS works fine. and chrome 56 shows it use protocal http
>>>>>> 1.1 to connect to ATS. is there any ALPN / NPN negotiating problem
>>>>>> between chrome and ATS?
>>>>>>
>>>>>> how can i serve http2 for chrome?
>>>>>
>>>>>
>>>>> i doubt that you need anything to do, at least with ATS 7.0 curl
>>>> don't need
>>>>> any param and choses HTTP2 automatically and so every browser can
>>>> do - maybe
>>>>> your ATS is just outdated?
>>>>>
>>>>> [harry@srv-rhsoft:~]$ curl --head https://www.thelounge.net/
>>>>> HTTP/2.0 200
>>>>> date:Sun, 12 Mar 2017 10:38:55 GMT
>>>>> x-dns-prefetch-control:off
>>>>> x-content-type-options:nosniff
>>>>> x-response-time:D=5111 us
>>>>> last-modified:Thu, 03 Sep 2015 09:04:29 GMT
>>>>> expires:Sun, 12 Mar 2017 12:38:55 GMT
>>>>> cache-control:public, proxy-revalidate
>>>>> etag:04ea5ea0c7b43fd2fb3ee18d68b96557
>>>>> vary:Accept-Encoding,User-Agent
>>>>> content-type:text/html; charset=ISO-8859-1
>>>>> age:6
>>>>> content-length:11658
Re: http2 support on chrome
Posted by Leif Hedstrom <zw...@apache.org>.
You can always build your own OpenSSL, installed in a separate directory (don't mess with the system OpenSSL). And then tell ATS configure to use that tree. That's what most of us do on the older distros.
-- Leif
> On Mar 12, 2017, at 9:18 AM, 彭勇 <pp...@pubyun.com> wrote:
>
> openssl 1.0.2 will be ready for RHEL 7.4.
>
> i can't find a solution to upgrade openssl for centos 7.3 now, as
> openssl is a base library of the system.
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1276310
>
>> On Sun, Mar 12, 2017 at 11:11 PM, Reindl Harald <h....@thelounge.net> wrote:
>>
>>
>>> Am 12.03.2017 um 15:03 schrieb Masaori Koshiba:
>>>
>>> Hi Peng,
>>>
>>> If I remember correctly, Chrome stopped NPN support last year. From your
>>> log, your ATS is using NPN only.
>>> If you're using OpenSSL, the version could be old. OpenSSL has ALPN
>>> support from 1.0.2.
>>
>>
>> and RHEL7 has only 1.0.1
>> openssl-1.0.1e-60.el7_3.1.x86_64
>>
>> that' why we are running Fedora for nearly everything for a deacde now
>> because all that LTS stuff becomes way too fast annyoing - it's fine for
>> storage devices and routers / firewalls and for hosting legacy crap but
>> that's it
>>
>>>> * NPN, negotiated HTTP2 (h2)
>>>> ALPN, server did not agree to a protocol
>>
>>
>> https://www.ssllabs.com/ssltest/
>>
>>> 2017年3月12日(日) 20:49 彭勇 <ppyy@pubyun.com <ma...@pubyun.com>>:
>>>
>>> i install 6.2.1 stable version on centos 7.
>>>
>>> $ rpm -qa|grep traffic
>>> trafficserver-6.2.1-2.el7.centos.x86_64
>>>
>>> yes, curl can works fine with http2. and chrome choose http 1.1.
>>>
>>> On Sun, Mar 12, 2017 at 6:40 PM, Reindl Harald
>>> <h.reindl@thelounge.net <ma...@thelounge.net>> wrote:
>>>>
>>>>
>>>>> Am 12.03.2017 um 10:55 schrieb 彭勇:
>>>>>
>>>>> i setup a ATS, then enable ssl and http2.
>>>>>
>>>>> curl shows ATS works fine. and chrome 56 shows it use protocal http
>>>>> 1.1 to connect to ATS. is there any ALPN / NPN negotiating problem
>>>>> between chrome and ATS?
>>>>>
>>>>> how can i serve http2 for chrome?
>>>>
>>>>
>>>> i doubt that you need anything to do, at least with ATS 7.0 curl
>>> don't need
>>>> any param and choses HTTP2 automatically and so every browser can
>>> do - maybe
>>>> your ATS is just outdated?
>>>>
>>>> [harry@srv-rhsoft:~]$ curl --head https://www.thelounge.net/
>>>> HTTP/2.0 200
>>>> date:Sun, 12 Mar 2017 10:38:55 GMT
>>>> x-dns-prefetch-control:off
>>>> x-content-type-options:nosniff
>>>> x-response-time:D=5111 us
>>>> last-modified:Thu, 03 Sep 2015 09:04:29 GMT
>>>> expires:Sun, 12 Mar 2017 12:38:55 GMT
>>>> cache-control:public, proxy-revalidate
>>>> etag:04ea5ea0c7b43fd2fb3ee18d68b96557
>>>> vary:Accept-Encoding,User-Agent
>>>> content-type:text/html; charset=ISO-8859-1
>>>> age:6
>>>> content-length:11658
>>>
>>>
>>>
>>> --
>>> Peng Yong
>>>
>>
>> --
>>
>> Reindl Harald
>> the lounge interactive design GmbH
>> A-1060 Vienna, Hofmühlgasse 17
>> CTO / CISO / Software-Development
>> m: +43 676 40 221 40
>> p: +43 1 595 3999 33
>> http://www.thelounge.net/
>
>
>
> --
> Peng Yong
Re: http2 support on chrome
Posted by 彭勇 <pp...@pubyun.com>.
openssl 1.0.2 will be ready for RHEL 7.4.
i can't find a solution to upgrade openssl for centos 7.3 now, as
openssl is a base library of the system.
https://bugzilla.redhat.com/show_bug.cgi?id=1276310
On Sun, Mar 12, 2017 at 11:11 PM, Reindl Harald <h....@thelounge.net> wrote:
>
>
> Am 12.03.2017 um 15:03 schrieb Masaori Koshiba:
>>
>> Hi Peng,
>>
>> If I remember correctly, Chrome stopped NPN support last year. From your
>> log, your ATS is using NPN only.
>> If you're using OpenSSL, the version could be old. OpenSSL has ALPN
>> support from 1.0.2.
>
>
> and RHEL7 has only 1.0.1
> openssl-1.0.1e-60.el7_3.1.x86_64
>
> that' why we are running Fedora for nearly everything for a deacde now
> because all that LTS stuff becomes way too fast annyoing - it's fine for
> storage devices and routers / firewalls and for hosting legacy crap but
> that's it
>
>>> * NPN, negotiated HTTP2 (h2)
>>> ALPN, server did not agree to a protocol
>
>
> https://www.ssllabs.com/ssltest/
>
>> 2017年3月12日(日) 20:49 彭勇 <ppyy@pubyun.com <ma...@pubyun.com>>:
>>
>> i install 6.2.1 stable version on centos 7.
>>
>> $ rpm -qa|grep traffic
>> trafficserver-6.2.1-2.el7.centos.x86_64
>>
>> yes, curl can works fine with http2. and chrome choose http 1.1.
>>
>> On Sun, Mar 12, 2017 at 6:40 PM, Reindl Harald
>> <h.reindl@thelounge.net <ma...@thelounge.net>> wrote:
>> >
>> >
>> > Am 12.03.2017 um 10:55 schrieb 彭勇:
>> >>
>> >> i setup a ATS, then enable ssl and http2.
>> >>
>> >> curl shows ATS works fine. and chrome 56 shows it use protocal http
>> >> 1.1 to connect to ATS. is there any ALPN / NPN negotiating problem
>> >> between chrome and ATS?
>> >>
>> >> how can i serve http2 for chrome?
>> >
>> >
>> > i doubt that you need anything to do, at least with ATS 7.0 curl
>> don't need
>> > any param and choses HTTP2 automatically and so every browser can
>> do - maybe
>> > your ATS is just outdated?
>> >
>> > [harry@srv-rhsoft:~]$ curl --head https://www.thelounge.net/
>> > HTTP/2.0 200
>> > date:Sun, 12 Mar 2017 10:38:55 GMT
>> > x-dns-prefetch-control:off
>> > x-content-type-options:nosniff
>> > x-response-time:D=5111 us
>> > last-modified:Thu, 03 Sep 2015 09:04:29 GMT
>> > expires:Sun, 12 Mar 2017 12:38:55 GMT
>> > cache-control:public, proxy-revalidate
>> > etag:04ea5ea0c7b43fd2fb3ee18d68b96557
>> > vary:Accept-Encoding,User-Agent
>> > content-type:text/html; charset=ISO-8859-1
>> > age:6
>> > content-length:11658
>>
>>
>>
>> --
>> Peng Yong
>>
>
> --
>
> Reindl Harald
> the lounge interactive design GmbH
> A-1060 Vienna, Hofmühlgasse 17
> CTO / CISO / Software-Development
> m: +43 676 40 221 40
> p: +43 1 595 3999 33
> http://www.thelounge.net/
--
Peng Yong
Re: http2 support on chrome
Posted by Reindl Harald <h....@thelounge.net>.
Am 12.03.2017 um 15:03 schrieb Masaori Koshiba:
> Hi Peng,
>
> If I remember correctly, Chrome stopped NPN support last year. From your
> log, your ATS is using NPN only.
> If you're using OpenSSL, the version could be old. OpenSSL has ALPN
> support from 1.0.2.
and RHEL7 has only 1.0.1
openssl-1.0.1e-60.el7_3.1.x86_64
that' why we are running Fedora for nearly everything for a deacde now
because all that LTS stuff becomes way too fast annyoing - it's fine for
storage devices and routers / firewalls and for hosting legacy crap but
that's it
>> * NPN, negotiated HTTP2 (h2)
>> ALPN, server did not agree to a protocol
https://www.ssllabs.com/ssltest/
> 2017\u5e743\u670812\u65e5(\u65e5) 20:49 \u5f6d\u52c7 <ppyy@pubyun.com <ma...@pubyun.com>>:
>
> i install 6.2.1 stable version on centos 7.
>
> $ rpm -qa|grep traffic
> trafficserver-6.2.1-2.el7.centos.x86_64
>
> yes, curl can works fine with http2. and chrome choose http 1.1.
>
> On Sun, Mar 12, 2017 at 6:40 PM, Reindl Harald
> <h.reindl@thelounge.net <ma...@thelounge.net>> wrote:
> >
> >
> > Am 12.03.2017 um 10:55 schrieb \u5f6d\u52c7:
> >>
> >> i setup a ATS, then enable ssl and http2.
> >>
> >> curl shows ATS works fine. and chrome 56 shows it use protocal http
> >> 1.1 to connect to ATS. is there any ALPN / NPN negotiating problem
> >> between chrome and ATS?
> >>
> >> how can i serve http2 for chrome?
> >
> >
> > i doubt that you need anything to do, at least with ATS 7.0 curl
> don't need
> > any param and choses HTTP2 automatically and so every browser can
> do - maybe
> > your ATS is just outdated?
> >
> > [harry@srv-rhsoft:~]$ curl --head https://www.thelounge.net/
> > HTTP/2.0 200
> > date:Sun, 12 Mar 2017 10:38:55 GMT
> > x-dns-prefetch-control:off
> > x-content-type-options:nosniff
> > x-response-time:D=5111 us
> > last-modified:Thu, 03 Sep 2015 09:04:29 GMT
> > expires:Sun, 12 Mar 2017 12:38:55 GMT
> > cache-control:public, proxy-revalidate
> > etag:04ea5ea0c7b43fd2fb3ee18d68b96557
> > vary:Accept-Encoding,User-Agent
> > content-type:text/html; charset=ISO-8859-1
> > age:6
> > content-length:11658
>
>
>
> --
> Peng Yong
>
--
Reindl Harald
the lounge interactive design GmbH
A-1060 Vienna, Hofm�hlgasse 17
CTO / CISO / Software-Development
m: +43 676 40 221 40
p: +43 1 595 3999 33
http://www.thelounge.net/
Re: http2 support on chrome
Posted by Masaori Koshiba <ma...@apache.org>.
Hi Peng,
If I remember correctly, Chrome stopped NPN support last year. From your
log, your ATS is using NPN only.
If you're using OpenSSL, the version could be old. OpenSSL has ALPN support
from 1.0.2.
> * NPN, negotiated HTTP2 (h2)
> ALPN, server did not agree to a protocol
Thanks,
Masaori
2017年3月12日(日) 20:49 彭勇 <pp...@pubyun.com>:
> i install 6.2.1 stable version on centos 7.
>
> $ rpm -qa|grep traffic
> trafficserver-6.2.1-2.el7.centos.x86_64
>
> yes, curl can works fine with http2. and chrome choose http 1.1.
>
> On Sun, Mar 12, 2017 at 6:40 PM, Reindl Harald <h....@thelounge.net>
> wrote:
> >
> >
> > Am 12.03.2017 um 10:55 schrieb 彭勇:
> >>
> >> i setup a ATS, then enable ssl and http2.
> >>
> >> curl shows ATS works fine. and chrome 56 shows it use protocal http
> >> 1.1 to connect to ATS. is there any ALPN / NPN negotiating problem
> >> between chrome and ATS?
> >>
> >> how can i serve http2 for chrome?
> >
> >
> > i doubt that you need anything to do, at least with ATS 7.0 curl don't
> need
> > any param and choses HTTP2 automatically and so every browser can do -
> maybe
> > your ATS is just outdated?
> >
> > [harry@srv-rhsoft:~]$ curl --head https://www.thelounge.net/
> > HTTP/2.0 200
> > date:Sun, 12 Mar 2017 10:38:55 GMT
> > x-dns-prefetch-control:off
> > x-content-type-options:nosniff
> > x-response-time:D=5111 us
> > last-modified:Thu, 03 Sep 2015 09:04:29 GMT
> > expires:Sun, 12 Mar 2017 12:38:55 GMT
> > cache-control:public, proxy-revalidate
> > etag:04ea5ea0c7b43fd2fb3ee18d68b96557
> > vary:Accept-Encoding,User-Agent
> > content-type:text/html; charset=ISO-8859-1
> > age:6
> > content-length:11658
>
>
>
> --
> Peng Yong
>
Re: http2 support on chrome
Posted by 彭勇 <pp...@pubyun.com>.
i install 6.2.1 stable version on centos 7.
$ rpm -qa|grep traffic
trafficserver-6.2.1-2.el7.centos.x86_64
yes, curl can works fine with http2. and chrome choose http 1.1.
On Sun, Mar 12, 2017 at 6:40 PM, Reindl Harald <h....@thelounge.net> wrote:
>
>
> Am 12.03.2017 um 10:55 schrieb 彭勇:
>>
>> i setup a ATS, then enable ssl and http2.
>>
>> curl shows ATS works fine. and chrome 56 shows it use protocal http
>> 1.1 to connect to ATS. is there any ALPN / NPN negotiating problem
>> between chrome and ATS?
>>
>> how can i serve http2 for chrome?
>
>
> i doubt that you need anything to do, at least with ATS 7.0 curl don't need
> any param and choses HTTP2 automatically and so every browser can do - maybe
> your ATS is just outdated?
>
> [harry@srv-rhsoft:~]$ curl --head https://www.thelounge.net/
> HTTP/2.0 200
> date:Sun, 12 Mar 2017 10:38:55 GMT
> x-dns-prefetch-control:off
> x-content-type-options:nosniff
> x-response-time:D=5111 us
> last-modified:Thu, 03 Sep 2015 09:04:29 GMT
> expires:Sun, 12 Mar 2017 12:38:55 GMT
> cache-control:public, proxy-revalidate
> etag:04ea5ea0c7b43fd2fb3ee18d68b96557
> vary:Accept-Encoding,User-Agent
> content-type:text/html; charset=ISO-8859-1
> age:6
> content-length:11658
--
Peng Yong
Re: http2 support on chrome
Posted by Reindl Harald <h....@thelounge.net>.
Am 12.03.2017 um 10:55 schrieb \u5f6d\u52c7:
> i setup a ATS, then enable ssl and http2.
>
> curl shows ATS works fine. and chrome 56 shows it use protocal http
> 1.1 to connect to ATS. is there any ALPN / NPN negotiating problem
> between chrome and ATS?
>
> how can i serve http2 for chrome?
i doubt that you need anything to do, at least with ATS 7.0 curl don't
need any param and choses HTTP2 automatically and so every browser can
do - maybe your ATS is just outdated?
[harry@srv-rhsoft:~]$ curl --head https://www.thelounge.net/
HTTP/2.0 200
date:Sun, 12 Mar 2017 10:38:55 GMT
x-dns-prefetch-control:off
x-content-type-options:nosniff
x-response-time:D=5111 us
last-modified:Thu, 03 Sep 2015 09:04:29 GMT
expires:Sun, 12 Mar 2017 12:38:55 GMT
cache-control:public, proxy-revalidate
etag:04ea5ea0c7b43fd2fb3ee18d68b96557
vary:Accept-Encoding,User-Agent
content-type:text/html; charset=ISO-8859-1
age:6
content-length:11658