Browser won't upgrade to h2 (HTTP/2) although "Upgrade" headers are sent

Question

I'm trying to get h2 (HTTP/2) to work on my webserver. Installed Apache 2.4.20 via the "ondrej" repository. I tested on a Debian 8 and Ubuntu 14.04 server, but I keep running into the same problems. I have OpenSSL 1.0.2 and SSL vhosts running.

The strange thing is that the upgrade headers (Connection: upgrade and Upgrade: h2) are sent. When I do some external server testing I get the responses that h2 is running properly with ALPN support. But the problem is the browsers I tested on (Chrome and FireFox on Win7) won't upgrade to h2.

One thing which I noticed which is missing is the HTTP/2-Settings header, but I can't find anything in any Apache documentation to implement this or force Apache to send this header.

Sadly I couldn't test with cUrl, since the servers I have access to don't support any version which has HTTP/2 support.

My SSL vhost settings:

Protocols h2 http/1.1
SSLEngine On
SSLCACertificateFile xxxxxxxx
SSLProtocol all -SSLv2 -SSLv3
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RSA+AES RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4 !AES128"
Header always set Strict-Transport-Security "max-age=15552000;includeSubDomains"
SSLCertificateFile xxxxxxxx
SSLCertificateKeyFile xxxxxxxx

I'm running Apache with the prefork module instead of with workers.

Who can tell me what's wrong?

Answer 1

In the end I got it to work. It was a matter of changing the "SSLChiperSuite" to this string:

SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-A$

The old one had - so to speak - an option which blocked http2. My SSL test rating is still A+ btw.

Answer 2

You cannot upgrade to the h2 protocol.

The HTTP/1.1 upgrade mechanism is something that is initiated by clients.

If I understood you correctly, and you're trying to send the Upgrade and the HTTP2-Settings headers from server to client, then that does not make sense. Clients send those headers, not the server.

Furthermore, while the HTTP/2 protocol itself allows for clear-text communication via a HTTP/1.1 upgrade to h2c (note the c at the end of the protocol name), browser vendors have not implemented this mechanism and only use the HTTP/2 protocol after ALPN negotiation.

In summary:

• You can upgrade from HTTP/1.1 to HTTP/2 clear text (h2c), but only with non-browser clients such as nghttp. This is explained here.
• The upgrade mechanism is initiated only by clients, and they will send the Upgrade and HTTP2-Settings headers, not the server.
• Browsers only support negotiation of HTTP/2 via ALPN (h2). This means that you cannot have clear-text HTTP/2 between a browser and a server.