Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Embedded Jetty HTTP/2 not working with Firefox/Chrome but seems ok with Safari

I'm implementing a servlet in an embedded Jetty (9.3.0.v20150612) and I would like to use HTTP/2.

I'm enabling ALPN for protocol negotiation to select either HTTP1.1 or HTTP2. When I'm sending an HTTPs request to my servlet from Safari 8 (supports only HTTP1.1) or Safari 9 (support both HTTP1.1 & HTTP2) I get an answer from my servlet. When I execute the same request from Firefox 39, it doesn't work and I just get NS_ERROR_ABORT. I have the same issue with Chrome.

I have two questions:

  1. Why I don't get answer from Chrome & Firefox
  2. How can I know if with Safari 9, HTTP/2 has been used instead of HTTP1.1? (My IOS9 App is also connecting without issue)

Below is the code to perform the initialization of Jetty

    private void startHTTP2Server() {
    WebServerProperties webProperties = WebServerProperties.getInstance();

    HttpConfiguration config = getHttpConfiguration();

    HttpConnectionFactory http1 = new HttpConnectionFactory(config);
    HTTP2ServerConnectionFactory http2 = new HTTP2ServerConnectionFactory(config);

    NegotiatingServerConnectionFactory.checkProtocolNegotiationAvailable();
    ALPNServerConnectionFactory alpn = new ALPNServerConnectionFactory();
    alpn.setDefaultProtocol(http1.getProtocol()); // sets default protocol to HTTP 1.1

    // SSL Connection Factory
    SslContextFactory sslContextFactory = new SslContextFactory();
    sslContextFactory.setKeyStorePath(webProperties.getKeystore());
    sslContextFactory.setKeyStorePassword(webProperties.getKeystorePassword());
    //sslContextFactory.setKeyManagerPassword(KEYSTORE_PW);
    //sslContextFactory.addExcludeCipherSuites(".*RC4.*");
    //sslContextFactory.addExcludeCipherSuites("TLS_DHE_RSA.*");
    sslContextFactory.setProtocol(webProperties.getTLSVersion()); // SEB
    SslConnectionFactory ssl = new SslConnectionFactory(sslContextFactory, alpn.getProtocol());

    Server server = new Server();
    //ServerConnector connector = new ServerConnector(server, ssl, alpn, http2, http1);
    ServerConnector connector = new ServerConnector(server, ssl, alpn, http2, http1);
    connector.setPort(webProperties.getPort());
    server.addConnector(connector);

    // --- SEB
    ServletContextHandler context = new ServletContextHandler(ServletContextHandler.SESSIONS);
    context.setContextPath(webProperties.getServletContext());
    context.setResourceBase(System.getProperty(webProperties.getServletTmpDir()));
    server.setHandler(context);

    // Add dump servlet
    context.addServlet(IMonServer.class, webProperties.getServletPath());

    try {
        server.start();
        server.join();
    } catch (Exception e) {
        // TODO Auto-generated catch block
        e.printStackTrace();
    }
}

private static HttpConfiguration getHttpConfiguration() {
    WebServerProperties webProperties = WebServerProperties.getInstance();
    HttpConfiguration config = new HttpConfiguration();
    config.setSecureScheme("https");
    config.setSecurePort(webProperties.getPort());
    config.setSendXPoweredBy(true);
    config.setSendServerVersion(true);
    config.addCustomizer(new SecureRequestCustomizer());
    return config;
}

When I'm starting the server, I give also the Java option -Xbootclasspath/p:$installDirectory/lib/alpn-boot-8.1.3.v20150130.jar

Is there anything wrong or missing? Thanks for your help,

Regards,

like image 751
sebastien Avatar asked Jul 26 '15 21:07

sebastien


1 Answers

Your code is correct, it just lacks two more lines that are important to get HTTP/2 to work correctly.

When you configure the SslContextFactory, add the lines:

    sslContextFactory.setCipherComparator(HTTP2Cipher.COMPARATOR);
    sslContextFactory.setUseCipherSuitesOrder(true);

What these two lines do is to sort the TLS ciphers to prefer the HTTP/2 ones before the others, and to ask to respect that order.

Without sorting, the server was falling back to an older draft version of HTTP/2 (h2-14) that did not enforce cipher strength, but this is unfortunately rejected by Chrome and Firefox.

I don't know exactly why it is working with Safari: either a Safari bug, or a more relaxed interpretation of the HTTP/2 specification with regard to cipher strength with respect to other browsers.

like image 102
sbordet Avatar answered Sep 30 '22 01:09

sbordet