Unable to connect to Apache 2.4.41 using HTTP/2

Started by Gene, February 16, 2020, 12:18:13 AM


Gene

Hi folks,

I would like to enable my 32-bit Apache web server to support HTTP/2. Currently my server supports https.

I tried using both OpenSSL and Libre SSL 32-bit builds:
httpd-2.4.41-o111c-x86-vc15-r2.zip
httpd-2.4.41-lre302-x86-vc14.zip

The connection to the server is successful, but it is only using HTTP/1.2.

Here's the output from curl:

curl -k --http2 -v https://<my server>:9300
*   Trying <my server>:9300...
* TCP_NODELAY set
* Connected to <my server> port 9300 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / AES128-SHA
* ALPN, server did not agree to a protocol
...
> GET / HTTP/1.1
> Host: <my server>:9300
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
...

Does anybody have any suggestions?

Thanks in advance.

Gregg

Uncomment the LoadModule line for http2 in conf/httpd.conf

Gene

Thanks, Gregg, but I already have the http2 module loaded.
I also have the following directives:

<IfModule http2_module>
#    ProtocolsHonorOrder On
    Protocols h2 http/1.1
</IfModule>

# Remove when done debugging
<IfModule http2_module>
    LogLevel http2:info
</IfModule>

Gene

Gregg

Hmmmm, this is with the current download here with the config we ship. I only uncommented the LoadModule line:

D:\curl>curl -k --http2 -v https://localhost
*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_CHACHA20_POLY1305_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=DE; ST=Some-State; O=Apache Haus Distribution Test Certificate; OU=Apache Haus Distribution Test Certificate
*  start date: Apr  6 00:21:34 2012 GMT
*  expire date: Apr  4 00:21:34 2020 GMT
*  issuer: C=DE; ST=Some-State; O=Apache Haus Distribution Test Certificate; OU=Apache Haus Distribution Test Certificate
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x102c7e0)
> GET / HTTP/2
> Host: localhost
> User-Agent: curl/7.64.1
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 200
< date: Sun, 16 Feb 2020 23:28:19 GMT
< server: Apache/2.4.41 (Win32) OpenSSL/1.1.1c
< last-modified: Wed, 14 Aug 2019 17:48:54 GMT
< etag: "2ed8-590175ee861f0"
< accept-ranges: bytes
< content-length: 11992
< content-type: text/html


Not all SSL ciphers are HTTP/2 compatible, and there is a blacklist. AES128-SHA must not be, and sorry I didn't see it before my first answer. OpenSSL says it's a TLS/1.0 cipher, so seeing a TLS/1.2 connection there is strange.

The current config we ship with Apache uses these for an OpenSSL 1.1.1 build:
  SSLHonorCipherOrder on
  SSLProtocol -all +TLSv1.2 +TLSv1.3
  SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!RC4:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS
  SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256

Take notice of the two cipher suite lists: the SSL one is for TLS/1.0 - 1.2 connections and the TLSv1.3 one is, you guessed it, for TLSv1.3 :)
Also note that the order can be important.
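As an added illustration (not code from the thread or from the Apache Haus build), the Python below applies the RFC 7540 section 9.2.2 requirements for HTTP/2 over TLS 1.2, ephemeral key exchange plus an AEAD bulk cipher, to OpenSSL cipher names, and reads the `SSL connection using` and `ALPN` lines out of `curl -v` output to show why the AES128-SHA handshake above could not negotiate h2. The classification is a heuristic on cipher names rather than a verbatim copy of the Appendix A blacklist; the sample inputs are excerpts from the transcripts and the config posted earlier in this thread.

```python
import re

# Name fragments signalling ephemeral key exchange and AEAD bulk ciphers, the two
# properties RFC 7540 section 9.2.2 demands of a TLS 1.2 suite carrying HTTP/2.
_EPHEMERAL = ("ECDHE-", "DHE-")
_AEAD = ("-GCM-", "-CCM", "CHACHA20-POLY1305")


def h2_compatible(cipher):
    """True if an OpenSSL cipher name satisfies the HTTP/2 TLS 1.2 rules.

    TLS 1.3 suites (TLS_AES_..., TLS_CHACHA20_...) are always AEAD with ephemeral
    key exchange, so they pass. TLS 1.2 names must start with ECDHE-/DHE- (PSK
    variants excluded) and use an AEAD mode; CBC suites such as AES128-SHA or
    ECDHE-RSA-AES256-SHA are on the RFC 7540 Appendix A blacklist.
    """
    if cipher.startswith("TLS_"):
        return True
    if "PSK" in cipher or not cipher.startswith(_EPHEMERAL):
        return False
    return any(tag in cipher for tag in _AEAD)


def blacklisted_in_list(cipher_list):
    """Return the positive entries of an SSLCipherSuite string that h2 would reject."""
    return [c for c in cipher_list.split(":")
            if c and not c.startswith(("!", "-", "+", "@")) and not h2_compatible(c)]


_SSL_LINE = re.compile(r"SSL connection using (\S+) / (\S+)")


def diagnose_curl(verbose_output):
    """Extract TLS version, cipher and ALPN outcome from `curl -v` output."""
    m = _SSL_LINE.search(verbose_output)
    if not m:
        return {"error": "no TLS handshake found"}
    version, cipher = m.groups()
    return {"tls": version, "cipher": cipher,
            "alpn_h2": "server accepted to use h2" in verbose_output,
            "cipher_h2_ok": h2_compatible(cipher)}


# Excerpts from the two curl transcripts in this thread.
GENE_OUTPUT = "* SSL connection using TLSv1.2 / AES128-SHA\n* ALPN, server did not agree to a protocol\n"
GREGG_OUTPUT = "* SSL connection using TLSv1.3 / TLS_CHACHA20_POLY1305_SHA256\n* ALPN, server accepted to use h2\n"
# The TLS 1.0-1.2 list from the shipped config; with SSLHonorCipherOrder on, the
# CBC entries near the end are only reached if a client offers no AEAD suite.
SHIPPED_SSL_LIST = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!RC4:!LOW:!MD5:!aNULL:!eNULL:!3DES:!EXP:!PSK:!SRP:!DSS"

if __name__ == "__main__":
    for who, out in (("Gene", GENE_OUTPUT), ("Gregg", GREGG_OUTPUT)):
        print(who, diagnose_curl(out))
    print("CBC fallbacks h2 would refuse:", blacklisted_in_list(SHIPPED_SSL_LIST))
```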

mario

Just my 2 cents: run httpd.exe -M to see if the required module is really loaded.