On my webserver I'm trying to get H2 (http2) to work. Installed Apache 2.4.20 via the "ondrej" repository. I tested on a Debian 8 and Ubuntu 14.04 server, but I keep running into the same problems. I have OpenSSL 1.0.2 and SSL vhosts running.
The strange thing is that the upgrade headers (Connection: upgrade and Upgrade: h2) are sent. When I do some external server testing I get the responses that h2 is running properly with ALPN support. But the problem is the browsers I tested on (Chrome and FireFox on Win7) won't upgrade to H2.
One thing which I noticed which is missing is the HTTP2-Settings header, but I can't find anything in any Apache documentation to implement this or force Apache to send this header.
Sadly I couldn't test with cUrl, since the servers I have access to don't support any version which has http2 support.
My SSL vhost settings:
Protocols h2 http/1.1
SSLEngine On
SSLCACertificateFile xxxxxxxx
SSLProtocol all -SSLv2 -SSLv3
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RSA+AES RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4 !AES128"
Header always set Strict-Transport-Security "max-age=15552000;includeSubDomains"
SSLCertificateFile xxxxxxxx
SSLCertificateKeyFile xxxxxxxx
I'm running Apache with the prefork module instead of with workers.
Who can tell me what's wrong?
In the end I got it to work. It was a matter of changing the "SSLChiperSuite" to this string:
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-A$
The old one had - so to speak - an option which blocked http2. My SSL test rating is still A+ btw.
You cannot upgrade to the h2
protocol.
The HTTP/1.1 upgrade mechanism is something that is initiated by clients.
If I understood you correctly, and you're trying to send the Upgrade
and the HTTP2-Settings
headers from server to client, then that does not make sense. Clients send those headers, not the server.
Furthermore, while the HTTP/2 protocol itself allows for clear-text communication via a HTTP/1.1 upgrade to h2c
(note the c
at the end of the protocol name), browser vendors have not implemented this mechanism and only use the HTTP/2 protocol after ALPN negotiation.
In summary:
- You can upgrade from HTTP/1.1 to HTTP/2 clear text (
h2c
), but only with non-browser clients such as nghttp. This is explained here.
- The upgrade mechanism is initiated only by clients, and they will send the
Upgrade
and HTTP2-Settings
headers, not the server.
- Browsers only support negotiation of HTTP/2 via ALPN (
h2
). This means that you cannot have clear-text HTTP/2 between a browser and a server.
prefork
You mentioned, that you use prefork mpm. The Apache webserver will not use HTTP/2 if configured with the prefork mpm, it will default back to HTTP 1.1.
*"Disable and give warning when mpm_prefork is encountered. The server will
continue to work, but HTTP/2 will no longer be negotiated."* ([Apache Revision
: SECURITY: CVE-2017-9789: Read after free in mod_http2.][1])
While this may have worked at the time the question is asked, this will not
work currently. Use a different mpm or switch to php-pm and worker or event.
HTTPS
As already mentioned in one of the answers, encryption can be an issue. The server should be configured correctly for HTTPS and requests should be served over HTTPS.
I have the same problem, so i tried out your "solution".
But with this cipherSuite-Code most of all IEs, Androids und Safari will be blocked because of "handshake_failure"!
It testet on https://www.ssllabs.com/ssltest/analyze.html
Do you know which of the cipherSuite-entries did block the HTTP2 (ALPN not available)?