6

I set up my Nginx conf as per the Digital Ocean paper, and now HTTP/2 is available...

But in Chrome (Version 54.0.2840.98 (64-bit)) Dev Tools, it's always on HTTP/1.1:

NAME             METHOD  STATUS  PROTOCOL
shell.js?v=xx..    GET    200     http/1.1

My server is running Ubuntu 16.04 LTS, which supports both ALPN & NPN, and the OpenSSL version shipped with it is 1.0.2g.

I checked HTTP/2 support with this tool site and the result is:

Yeah! example.com supports HTTP/2.0. ALPN supported...

Checking with curl is also OK:

  $ curl -I --http2 https://www.example.com
  HTTP/2 200 
  server: nginx/1.10.0 (Ubuntu)
  date: Tue, 13 Dec 2016 15:59:13 GMT
  content-type: text/html; charset=utf-8
  content-length: 5603
  x-powered-by: Express
  cache-control: public, max-age=0
  etag: W/"15e3-EUyjnNnyevoQO+tRlVVZxg"
  vary: Accept-Encoding
  strict-transport-security: max-age=63072000; includeSubdomains
  x-frame-options: DENY
  x-content-type-options: nosniff

I also checked with the is-http2 CLI from my console:

is-http2 www.amazon.com
× HTTP/2 not supported by www.amazon.com
Supported protocols: http/1.1

is-http2 www.example.com
✓ HTTP/2  supported by www.example.com
Supported protocols: h2 http/1.1

Tested with openssl from my localhost:

$ echo | openssl s_client -alpn h2 -connect www.example.com:443 | grep ALPN
 depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
 verify return:1
 depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 verify return:1
 depth=0 CN = example.com
 verify return:1
 ALPN protocol: h2
 DONE

Why is Chrome left behind? How can I also check it with Safari (v 10.0.1)?

erwin
  • @yoonix What relevance does that have here? He appears to have already done that. – Michael Hampton Dec 13 '16 at 18:44
  • @MichaelHampton Yep, you're right. Looks like I've got as lazy in my reading as most people are in their posting. Deleted. –  Dec 13 '16 at 18:55
  • I'm voting to close this question as off-topic because it's cross posted from Stack Overflow – Tim Dec 13 '16 at 19:38
  • At someone at SO's suggestion! Off-topic it, if you want, but for a better reason than that! – Barry Pollard Dec 13 '16 at 19:47
  • @all_comments It was cross-posted because someone on Stack Overflow commented it should be posted on Server Fault and not Stack Overflow! So I did... You could be more explicit in your comments for people who don't yet know all of the 'church' codes... – erwin Dec 14 '16 at 06:44
  • It's worth checking your OS. If you're running something other than Ubuntu 16.04, you're likely going to have this issue between Nginx + Chrome, due to OpenSSL version incompatibilities. More info here: https://www.nginx.com/blog/supporting-http2-google-chrome-users/ – WillNewby Apr 20 '17 at 16:21

1 Answer

17

As per my answer on StackOverflow:

This will likely be one of two reasons:

  1. You are using anti-virus software and it is MITMing your traffic and so downgrading you to HTTP/1.1. Turn off HTTPS traffic monitoring on your AV to connect directly to the server.

  2. You are using older TLS ciphers, and specifically one that Chrome disallows for HTTP/2 (https://http2.github.io/http2-spec/#BadCipherSuites), as per Step 5 of the above guide. Scan your site using https://www.ssllabs.com/ssltest/ to check your TLS config and improve it.

The third reason is lack of ALPN support in your SSL/TLS library (i.e. you are using OpenSSL 1.0.1 and need to be on 1.0.2 or later, for example), but you have already confirmed you have ALPN support, so I'm skipping that for this answer.

Barry Pollard
  • Thanks, I am actually using anti-virus software... I excluded my 'example.com' domain from scanning... and it works! Without your help I'd never have found it... it's not documented anywhere in my readings... You're the best (vs. all the first comments to my post: better voting 'off topic' than accepting the fact that they don't know. Nobody is perfect). – erwin Dec 14 '16 at 06:55
  • Np. The only way AV can listen in on HTTP/2 traffic is by redirecting traffic to it, reading the traffic, and then it making a connection to the actual site. However, since AV software does not support HTTP/2 yet, you see what you see. Tricky one to figure out if you don't know what you're looking for. – Barry Pollard Dec 14 '16 at 07:21
  • And don't take too much offence at the closing thing. They're just trying to keep the site useful. And, although I thought that was the wrong call here, people have a right to suggest that, but only if a moderator agrees will it be closed. One thing I would say on that topic is there are a few questions about this on both sites, though none mentioning nginx, hence why I thought it worth answering rather than just referring to them, but I could (and probably really should have) just as easily have suggested closing it "as possible duplicate of XXX" without meaning offence either. Welcome to Stack Exchange! – Barry Pollard Dec 14 '16 at 07:27
  • Bitdefender made me lose 2 hours of my life. Thank you for your answer. – Iansen Sep 08 '19 at 10:40
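The answer above gives three things to check from the client side: whether ALPN actually negotiates `h2`, whether the negotiated cipher suite is one HTTP/2 allows, and whether something in the middle (an AV product re-signing TLS) is terminating the connection before it reaches nginx. The following is an added example, not code from the question, the answer, or nginx. It assumes OpenSSL-style suite names (the form nginx's `ssl_ciphers` uses) and approximates RFC 7540 section 9.2.2 by treating any suite without ephemeral key exchange or without an AEAD cipher as disallowed, rather than copying the Appendix A table; the DHE parameter-size requirement cannot be judged from a suite name. The `probe()` function needs network access and is only run when a hostname is passed on the command line; the classifier and `explain()` run offline.

```python
"""HTTP/2 readiness checks: cipher-suite classification and a TLS probe.

Added example (not from the Server Fault thread). Heuristic: RFC 7540 9.2.2
requires ephemeral key exchange and an AEAD cipher for HTTP/2; suite names
are judged by that rule (assumption), not by the Appendix A blacklist table.
"""
import socket
import ssl
from dataclasses import dataclass
from typing import List, Optional

EPHEMERAL_KX = ("ECDHE-", "DHE-")          # ephemeral key exchange prefixes
AEAD_MARKERS = ("-GCM-", "-CCM", "CHACHA20-POLY1305")  # AEAD cipher markers


@dataclass
class CipherVerdict:
    name: str
    ephemeral: bool
    aead: bool

    @property
    def http2_ok(self) -> bool:
        return self.ephemeral and self.aead


def classify_cipher(name: str) -> CipherVerdict:
    """Classify one OpenSSL suite name, e.g. 'ECDHE-RSA-AES128-GCM-SHA256'."""
    n = name.strip().upper()
    if n.startswith("TLS_"):
        # TLS 1.3 suites (TLS_AES_128_GCM_SHA256 ...) are always ephemeral + AEAD.
        return CipherVerdict(name, True, True)
    return CipherVerdict(name, n.startswith(EPHEMERAL_KX),
                         any(m in n for m in AEAD_MARKERS))


def check_cipher_list(ssl_ciphers: str) -> List[CipherVerdict]:
    """Classify an nginx-style colon-separated 'ssl_ciphers' value.

    Selector tokens such as '!aNULL', 'HIGH' or 'kEECDH+AESGCM' are skipped:
    they expand to many suites and cannot be judged by name alone."""
    verdicts = []
    for token in ssl_ciphers.split(":"):
        token = token.strip()
        if not token or token[0] in "!-+@" or "+" in token:
            continue
        if not (token.startswith("TLS_") or "-" in token):
            continue
        verdicts.append(classify_cipher(token))
    return verdicts


@dataclass
class ProbeResult:
    host: str
    alpn: Optional[str]        # protocol the server picked, ideally 'h2'
    tls_version: Optional[str]
    cipher: CipherVerdict
    issuer: str                # issuer DN of the leaf certificate we were shown


def probe(host: str, port: int = 443, timeout: float = 5.0) -> ProbeResult:
    """Offer ALPN h2/http1.1 to the server and record what came back (network)."""
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["h2", "http/1.1"])
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            issuer = ", ".join("=".join(rdn) for part in cert.get("issuer", ())
                               for rdn in part)
            return ProbeResult(host, tls.selected_alpn_protocol(), tls.version(),
                               classify_cipher(tls.cipher()[0]), issuer)


def explain(r: ProbeResult, expected_issuer: Optional[str] = None) -> List[str]:
    """Turn a probe result into the findings a diagnosing admin wants to see."""
    notes = []
    if r.alpn != "h2":
        notes.append(f"ALPN negotiated {r.alpn!r}, not 'h2'")
    if not r.cipher.http2_ok:
        notes.append(f"cipher {r.cipher.name} is not HTTP/2-safe "
                     f"(ephemeral={r.cipher.ephemeral}, aead={r.cipher.aead})")
    if expected_issuer and expected_issuer not in r.issuer:
        # A local AV/proxy that re-signs TLS shows up as an unexpected issuer.
        notes.append(f"certificate issuer {r.issuer!r} does not mention "
                     f"{expected_issuer!r}: a local proxy may be intercepting TLS")
    return notes


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                      # e.g. python check.py www.example.com "Let's Encrypt"
        result = probe(sys.argv[1])
        expected = sys.argv[2] if len(sys.argv) > 2 else None
        print(result)
        print("\n".join(explain(result, expected)) or "looks fine for HTTP/2")
    else:                                      # offline demo on a constructed ssl_ciphers line
        demo = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:AES128-SHA:!aNULL"
        for v in check_cipher_list(demo):
            print(f"{v.name:32} http2_ok={v.http2_ok}")
```

Run it with no arguments to see the classifier on the constructed cipher list, or with a hostname (and optionally the issuer string you expect, such as the Let's Encrypt CN shown in the question's `openssl s_client` output) to compare what your machine is actually shown against what the server serves: when an AV product intercepts, the issuer differs from the real chain even though the server itself negotiates `h2`.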