Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Browser won't upgrade to h2 (HTTP/2) although "Upgrade" headers are sent

I'm trying to get h2 (HTTP/2) to work on my webserver. Installed Apache 2.4.20 via the "ondrej" repository. I tested on a Debian 8 and Ubuntu 14.04 server, but I keep running into the same problems. I have OpenSSL 1.0.2 and SSL vhosts running.

The strange thing is that the upgrade headers (Connection: upgrade and Upgrade: h2) are sent. When I do some external server testing I get the responses that h2 is running properly with ALPN support. But the problem is the browsers I tested on (Chrome and FireFox on Win7) won't upgrade to h2.

One thing which I noticed which is missing is the HTTP/2-Settings header, but I can't find anything in any Apache documentation to implement this or force Apache to send this header.

Sadly I couldn't test with cUrl, since the servers I have access to don't support any version which has HTTP/2 support.

My SSL vhost settings:

Protocols h2 http/1.1
SSLEngine On
SSLCACertificateFile xxxxxxxx
SSLProtocol all -SSLv2 -SSLv3
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RSA+AES RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4 !AES128"
Header always set Strict-Transport-Security "max-age=15552000;includeSubDomains"
SSLCertificateFile xxxxxxxx
SSLCertificateKeyFile xxxxxxxx

I'm running Apache with the prefork module instead of with workers.

Who can tell me what's wrong?

like image 628
Jordi Brmn Avatar asked May 19 '16 11:05

Jordi Brmn


2 Answers

In the end I got it to work. It was a matter of changing the "SSLChiperSuite" to this string:

SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-A$

The old one had - so to speak - an option which blocked http2. My SSL test rating is still A+ btw.

like image 186
Jordi Brmn Avatar answered Nov 09 '22 06:11

Jordi Brmn


You cannot upgrade to the h2 protocol.

The HTTP/1.1 upgrade mechanism is something that is initiated by clients.

If I understood you correctly, and you're trying to send the Upgrade and the HTTP2-Settings headers from server to client, then that does not make sense. Clients send those headers, not the server.

Furthermore, while the HTTP/2 protocol itself allows for clear-text communication via a HTTP/1.1 upgrade to h2c (note the c at the end of the protocol name), browser vendors have not implemented this mechanism and only use the HTTP/2 protocol after ALPN negotiation.

In summary:

  • You can upgrade from HTTP/1.1 to HTTP/2 clear text (h2c), but only with non-browser clients such as nghttp. This is explained here.
  • The upgrade mechanism is initiated only by clients, and they will send the Upgrade and HTTP2-Settings headers, not the server.
  • Browsers only support negotiation of HTTP/2 via ALPN (h2). This means that you cannot have clear-text HTTP/2 between a browser and a server.
like image 26
sbordet Avatar answered Nov 09 '22 05:11

sbordet