I have a issue with my apache configuration. Server don't respond with HTTP/2:
$ curl -v --http2 https://localhost/
Trying ::1...
TCP_NODELAY set
Connected to localhost (::1) port 443 (#0)
ALPN, offering h2
ALPN, offering http/1.1
Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
successfully set certificate verify locations:
CAfile: /etc/ssl/cert.pem
CApath: none
TLSv1.2 (OUT), TLS handshake, Client hello (1):
TLSv1.2 (IN), TLS handshake, Server hello (2):
TLSv1.2 (IN), TLS handshake, Certificate (11):
TLSv1.2 (IN), TLS handshake, Server key exchange (12):
TLSv1.2 (IN), TLS handshake, Server finished (14):
TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
TLSv1.2 (OUT), TLS change cipher, Client hello (1):
TLSv1.2 (OUT), TLS handshake, Finished (20):
TLSv1.2 (IN), TLS change cipher, Client hello (1):
TLSv1.2 (IN), TLS handshake, Finished (20):
SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
ALPN, server accepted to use http/1.1
Server certificate:
subject: C=CL; ST=Valparaiso; L=Hanga Roa; O=Hereveri Blog; CN=localhost; emailAddress=contacto@hereveri.cl
start date: Oct 10 17:51:15 2017 GMT
expire date: Oct 20 17:51:15 2018 GMT
subjectAltName: host "localhost" matched cert's "localhost"
issuer: C=CL; ST=Valparaiso; O=Hereveri Blog; CN=Hereveri Blog Intermediate; emailAddress=contacto@hereveri.cl
SSL certificate verify ok.
GET / HTTP/1.1
Host: localhost
User-Agent: curl/7.54.0
Accept: */*
HTTP/1.1 200 OK
Date: Wed, 11 Oct 2017 04:44:05 GMT
Server: Apache/2.4.27 (Unix) LibreSSL/2.2.7 PHP/7.1.7
Strict-Transport-Security: max-age=15768000
Upgrade: h2
Connection: Upgrade
Last-Modified: Wed, 11 Oct 2017 03:52:53 GMT
ETag: "72-55b3d5bb0cf40"
Accept-Ranges: bytes
Content-Length: 114
Vary: Accept-Encoding
Content-Type: text/html
I use a LibreSSL 2.2.7 version of openssl to generate my certificates and Apache/2.4.27 for the server, provided in MacOS High Sierra.
The virtual host configuration:
Listen 443 https
<VirtualHost *:443>
ProtocolsHonorOrder On
Protocols h2 http/1.1
H2Direct on
ServerAdmin contacto@hereveri.cl
DocumentRoot "/Users/nelson/localhost"
ServerName localhost
ErrorLog "/Users/nelson/logs/localhost-secure-error_log"
CustomLog "/Users/nelson/logs/localhost-secure-access_log" common
SSLEngine on
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
SSLProtocol All -SSLv2 -SSLv3
SSLCertificateFile /etc/apache2/ssl/localhost.crt
SSLCertificateKeyFile /etc/apache2/ssl/localhost.key
SSLCertificateChainFile /etc/apache2/ssl/ca-chain.crt
Header always set Strict-Transport-Security "max-age=15768000"
</VirtualHost>
I check the SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 against the TLS 1.2 Cipher Suite Black List.
And test openssl with that Cipher.
$ openssl s_client -connect localhost:443 -alpn 'h2'
CONNECTED(00000005)
depth=2 C = CL, ST = Valparaiso, L = Hanga Roa, O = Hereveri Blog, CN = Hereveri Blog, emailAddress = contacto@hereveri.cl
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=CL/ST=Valparaiso/L=Hanga Roa/O=Hereveri Blog/CN=localhost/emailAddress=contacto@hereveri.cl
i:/C=CL/ST=Valparaiso/O=Hereveri Blog/CN=Hereveri Blog Intermediate/emailAddress=contacto@hereveri.cl
1 s:/C=CL/ST=Valparaiso/O=Hereveri Blog/CN=Hereveri Blog Intermediate/emailAddress=contacto@hereveri.cl
i:/C=CL/ST=Valparaiso/L=Hanga Roa/O=Hereveri Blog/CN=Hereveri Blog/emailAddress=contacto@hereveri.cl
2 s:/C=CL/ST=Valparaiso/L=Hanga Roa/O=Hereveri Blog/CN=Hereveri Blog/emailAddress=contacto@hereveri.cl
i:/C=CL/ST=Valparaiso/L=Hanga Roa/O=Hereveri Blog/CN=Hereveri Blog/emailAddress=contacto@hereveri.cl
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIF/jCCA+agAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwgYQxCzAJBgNVBAYTAkNM
MRMwEQYDVQQIDApWYWxwYXJhaXNvMRYwFAYDVQQKDA1IZXJldmVyaSBCbG9nMSMw
IQYDVQQDDBpIZXJldmVyaSBCbG9nIEludGVybWVkaWF0ZTEjMCEGCSqGSIb3DQEJ
ARYUY29udGFjdG9AaGVyZXZlcmkuY2wwHhcNMTcxMDEwMTc1MTE1WhcNMTgxMDIw
MTc1MTE1WjCBhzELMAkGA1UEBhMCQ0wxEzARBgNVBAgMClZhbHBhcmFpc28xEjAQ
BgNVBAcMCUhhbmdhIFJvYTEWMBQGA1UECgwNSGVyZXZlcmkgQmxvZzESMBAGA1UE
AwwJbG9jYWxob3N0MSMwIQYJKoZIhvcNAQkBFhRjb250YWN0b0BoZXJldmVyaS5j
bDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMspMwmK2uXAagMr8Ehk
MlbT65xsYGDMtMeKS7tHeREqyxDT4eFYhPxpaysZiYi8qVTV+UOXUIYMOVPSTOt5
Pi3xZHEDI5ksQeN4SHEUORsC/TrdOzGnuok9xqRinetbw3lVCiIHT8J1YPuK1eqs
IJkBfxxGsozeHtIqUUP9uCqJtee6RCLzCX5x9TyGHdzJ119IWBNvoCnjszfy5xce
RA7tWiHLVADjYn2qP4Z+ygu3LO6YUhREiXSz0d2XeN2QkRVpjgtaQaRbMXjYVB3I
Vl9qiCVv3s54N4hE3aTetlztwtfl6KiPowzGDXAimIkuMBWvfAJpxqMpvr/dCKkC
SOsCAwEAAaOCAXMwggFvMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgZAMDMG
CWCGSAGG+EIBDQQmFiRPcGVuU1NMIEdlbmVyYXRlZCBTZXJ2ZXIgQ2VydGlmaWNh
dGUwHQYDVR0OBBYEFFXkNlktvmRpS86rRcXBeAKTaTtqMIG5BgNVHSMEgbEwga6A
FGI2DKBocboYIepbP4Scj1qXI4TYoYGRpIGOMIGLMQswCQYDVQQGEwJDTDETMBEG
A1UECAwKVmFscGFyYWlzbzESMBAGA1UEBwwJSGFuZ2EgUm9hMRYwFAYDVQQKDA1I
ZXJldmVyaSBCbG9nMRYwFAYDVQQDDA1IZXJldmVyaSBCbG9nMSMwIQYJKoZIhvcN
AQkBFhRjb250YWN0b0BoZXJldmVyaS5jbIICEAAwDgYDVR0PAQH/BAQDAgWgMBMG
A1UdJQQMMAoGCCsGAQUFBwMBMBoGA1UdEQQTMBGCCWxvY2FsaG9zdIcEfwAAATAN
BgkqhkiG9w0BAQsFAAOCAgEARea21L8UrkpR93tksQEeo8NN6pTIbd/SFWL1BBfy
t3IwmM6/mhFjMNGQ7hr7uG5N8c/JsJ9TGWq0pYZIgGe8WQNLC3PZaru8Nby4lu7i
rYPOQgtAkZ1JiAHjGATTvnunkMT6xfIPj0DEZJ3p8J9ILt6oq0ZUVuj2fljJiZ/P
P0s/LLi6qnTHP+DTJaqsqGVLotCvbGclf5AJD+ru0mKrAH7HCRm2zTI/R5dKiQaQ
zEV6zQDvSsVsCWOAupKVGvzeqJkNdMYsH04vebrSX2jWlJyr/qP4a4CCjVqyVe8H
vr9C7811Bqa713ewspEEorc8KnAbdE6X3/x+OoxSX9r4tnY2Yz81U05ifCrYJFGh
TrBZDZtthm0o+dUsL+mgey02qZ1gEvry2+mfRllzE2n7/yP8fP6or3cI3T9zsXhS
KN8k9XapnuDKsflHrwg9NhjCvKkLjErCMot6m4EB+P0od4xllRi5hztKUrwMxuN9
Sjwgvemxjf4w9FYEmOFTLQUD77BPi7Kgas+UtV76a0J2x/vrpS+lTy5ds4OqsmMs
WcEk/aH3R4dtQbuPA4m+GVw1poiZMMLCu4rsbu8Yz+nvABeKgZcym4SxgKsZYepn
EXunpihZ9+2ocn6y550LMasJsgvtNgoqh5xfeRknqEfHF0SMQIheBRAyrluIg2TX
uaI=
-----END CERTIFICATE-----
subject=/C=CL/ST=Valparaiso/L=Hanga Roa/O=Hereveri Blog/CN=localhost/emailAddress=contacto@hereveri.cl
issuer=/C=CL/ST=Valparaiso/O=Hereveri Blog/CN=Hereveri Blog Intermediate/emailAddress=contacto@hereveri.cl
---
No client certificate CA names sent
---
SSL handshake has read 5390 bytes and written 533 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
ALPN protocol: http/1.1
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 13230CAD937A6B82AE34F5E6730E6BFF154ECA2E391BB36D8F589BCDD36C1749
Session-ID-ctx:
Master-Key: A801C895B29E56182A97A6ADC4C6A798CA4B94F2BAA1A25D71D4669C4B4D58175D6C5A840C74 AFDCFE15237CD62CE7CF
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 05 b3 94 9b 42 7d 90 6c-47 32 d7 8a fb 56 f2 41 ....B}.lG2...V.A
0010 - e0 b5 4a b4 5b 7c 21 cc-ec b9 11 a1 04 27 d7 2d ..J.[|!......'.-
0020 - 3d 23 0b f8 4a 75 dc 5c-bb b0 c3 0c c4 3b 2e 4b =#..Ju.\.....;.K
0030 - 02 4f 89 1a 6d bf ec ca-e2 d1 a3 7c 47 36 70 54 .O..m......|G6pT
0040 - 2e ca eb d7 c9 26 76 c6-1f a9 d0 07 33 ae 99 ca .....&v.....3...
0050 - 27 f5 cc e3 56 0a 1c 27-66 5c a4 0f a8 f4 8a 07 '...V..'f\......
0060 - c0 3b 68 28 37 cf a0 48-38 41 7c 47 f2 fb af 13 .;h(7..H8A|G....
0070 - 40 d8 9e 8e 1f dc 6d 90-9f c3 af d7 7d 40 00 ce @.....m.....}@..
0080 - cb 79 a4 66 cf 92 37 af-3b 75 aa 16 5f 63 4f 9c .y.f..7.;u.._cO.
0090 - 74 d2 a9 36 5f 04 4f a6-a7 b8 3c d3 ae 97 88 16 t..6_.O...<.....
00a0 - 2d 9e aa e7 60 24 52 43-4b ce 9a 2d 0c 19 49 8f -...`$RCK..-..I.
00b0 - 2f 26 31 da cf 08 a4 d7-f7 23 4f 83 94 82 67 d6 /&1......#O...g.
Start Time: 1507777559
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
Some core:debug lines:
protocol.c(2220): [client ::1:52046] AH03155: select protocol from h2,http/1.1, choices=h2,http/1.1 for server localhost
protocol.c(2264): [client ::1:52046] AH03156: select protocol, proposals=http/1.1 preferences=h2,http/1.1 configured=h2,http/1.1
protocol.c(2284): [client ::1:52046] AH03157: selected protocol=http/1.1
Any tip? Thanks in advance!
Another reason for lack of HTTP/2 support in Apache is that since version 2.4.27, the Apache MPM (Multi-Processing Module) prefork no longer supports HTTP/2 - so you'll need to use another MPM mode like worker or event. You'll see this message in your error log for each attempted H2 connection:
AH10034: The mpm module (prefork.c) is not supported by mod_http2. The mpm determines how things are processed in your server. HTTP/2 has more demands in this regard and the currently selected mpm will just not do. This is an advisory warning. Your server will continue to work, but the HTTP/2 protocol will be inactive.
The Apache foundation has an HTTP/2 guide where it also mentions that even before Apache stopped supporting H2 with prefork mode there would be severe restrictions when one tried to use H2 with prefork mode. Also note if you're using lib_php then you'll have to take another approach (e.g. use fastCGI) as it is only supported by prefork mode.