Discussion:
http2 support on chrome
彭勇
2017-03-12 09:55:36 UTC
I set up an ATS, then enabled SSL and HTTP/2.

curl shows ATS works fine, and Chrome 56 shows it uses protocol HTTP
1.1 to connect to ATS. Is there any ALPN / NPN negotiation problem
between Chrome and ATS?

How can I serve HTTP/2 for Chrome?

$ curl -vso /dev/null --http2 https://test.yaako.com

<<<
* Rebuilt URL to: https://test.yaako.com/
* Trying 118.184.176.21...
* TCP_NODELAY set
* Connected to test.yaako.com (118.184.176.21) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /usr/local/etc/openssl/cert.pem
CApath: /usr/local/etc/openssl/certs
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [129 bytes data]
* NPN, negotiated HTTP2 (h2)
{ [5 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [2471 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
{ [42 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
} [7 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Unknown (67):
} [36 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=test.yaako.com
* start date: Mar 12 01:50:00 2017 GMT
* expire date: Jun 10 01:50:00 2017 GMT
* subjectAltName: host "test.yaako.com" matched cert's "test.yaako.com"
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
} [5 bytes data]
* Using Stream ID: 1 (easy handle 0x7fc19c801600)
} [5 bytes data]
GET / HTTP/2
Host: test.yaako.com
User-Agent: curl/7.53.1
Accept: */*
{ [5 bytes data]
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
} [5 bytes data]
< HTTP/2 200
< server: nginx/1.10.2
< date: Sun, 12 Mar 2017 09:52:35 GMT
< content-type: text/html
< content-length: 1958
< last-modified: Fri, 03 Mar 2017 04:34:32 GMT
< etag: "58b8f258-7a6"
< accept-ranges: bytes
< age: 0
< via: http/1.1 h118-184-176-21 (ats/6.2.x)
<
{ [5 bytes data]
* Connection #0 to host test.yaako.com left intact
--
Peng Yong
Reindl Harald
2017-03-12 10:40:37 UTC
Post by 彭勇
I set up an ATS, then enabled SSL and HTTP/2.
curl shows ATS works fine, and Chrome 56 shows it uses protocol HTTP
1.1 to connect to ATS. Is there any ALPN / NPN negotiation problem
between Chrome and ATS?
How can I serve HTTP/2 for Chrome?

I doubt that you need to do anything; at least with ATS 7.0, curl doesn't
need any param and chooses HTTP2 automatically, and so can every browser
- maybe your ATS is just outdated?

[***@srv-rhsoft:~]$ curl --head https://www.thelounge.net/
HTTP/2.0 200
date:Sun, 12 Mar 2017 10:38:55 GMT
x-dns-prefetch-control:off
x-content-type-options:nosniff
x-response-time:D=5111 us
last-modified:Thu, 03 Sep 2015 09:04:29 GMT
expires:Sun, 12 Mar 2017 12:38:55 GMT
cache-control:public, proxy-revalidate
etag:04ea5ea0c7b43fd2fb3ee18d68b96557
vary:Accept-Encoding,User-Agent
content-type:text/html; charset=ISO-8859-1
age:6
content-length:11658
彭勇
2017-03-12 10:44:59 UTC
I installed the 6.2.1 stable version on CentOS 7.

$ rpm -qa|grep traffic
trafficserver-6.2.1-2.el7.centos.x86_64

Yes, curl works fine with HTTP/2, and Chrome chooses HTTP 1.1.
--
Peng Yong
Masaori Koshiba
2017-03-12 14:03:25 UTC
Hi Peng,

If I remember correctly, Chrome stopped NPN support last year. From your
log, your ATS is using NPN only.
If you're using OpenSSL, the version could be old. OpenSSL has ALPN support
from 1.0.2.
Post by 彭勇
* NPN, negotiated HTTP2 (h2)
ALPN, server did not agree to a protocol
Thanks,
Masaori
Reindl Harald
2017-03-12 15:11:04 UTC
Post by Masaori Koshiba
Hi Peng,
If I remember correctly, Chrome stopped NPN support last year. From your
log, your ATS is using NPN only.
If you're using OpenSSL, the version could be old. OpenSSL has ALPN
support from 1.0.2.
and RHEL7 has only 1.0.1
openssl-1.0.1e-60.el7_3.1.x86_64

that's why we have been running Fedora for nearly everything for a decade
now, because all that LTS stuff becomes annoying way too fast - it's fine
for storage devices and routers / firewalls and for hosting legacy crap but
that's it
Post by Masaori Koshiba
Post by 彭勇
* NPN, negotiated HTTP2 (h2)
ALPN, server did not agree to a protocol
https://www.ssllabs.com/ssltest/
--
Reindl Harald
the lounge interactive design GmbH
A-1060 Vienna, Hofmühlgasse 17
CTO / CISO / Software-Development
m: +43 676 40 221 40
p: +43 1 595 3999 33
http://www.thelounge.net/
彭勇
2017-03-12 15:18:11 UTC
OpenSSL 1.0.2 will be ready for RHEL 7.4.

I can't find a solution to upgrade OpenSSL for CentOS 7.3 now, as
OpenSSL is a base library of the system.

https://bugzilla.redhat.com/show_bug.cgi?id=1276310
--
Peng Yong
Leif Hedstrom
2017-03-12 15:21:47 UTC
You can always build your own OpenSSL, installed in a separate directory (don't mess with the system OpenSSL). And then tell ATS configure to use that tree. That's what most of us do on the older distros.

-- Leif
Reindl Harald
2017-03-12 15:41:26 UTC
Post by Leif Hedstrom
You can always build your own OpenSSL, installed in a separate directory (don't mess with the system OpenSSL). And then tell ATS configure to use that tree. That's what most of us do on the older distros.
yes, but then you no longer use trafficserver-6.2.1-2.el7.centos.x86_64
as RPM because you also have to build ATS on your own

when the machine is a dedicated proxy you no longer have many reasons
to use CentOS at all and can at the same time go to a recent ATS version
which just overrides the distro packages (dunno what Fedora currently
ships as example)

[***@proxy:~]$ rpm -q trafficserver
trafficserver-7.0.0-1.fc24.20170120.rh.x86_64

[***@proxy:~]$ rpm -q --filesbypkg trafficserver
trafficserver /etc/ld.so.conf.d/trafficserver-x86_64.conf
trafficserver /etc/trafficserver
trafficserver /etc/trafficserver/body_factory
trafficserver /etc/trafficserver/body_factory/default
trafficserver /etc/trafficserver/body_factory/default/.body_factory_info
trafficserver /etc/trafficserver/internal
trafficserver /etc/trafficserver/snapshots
trafficserver /etc/trafficserver/ssl
trafficserver /etc/trafficserver/trafficserver-release
trafficserver /run/trafficserver
trafficserver /usr/bin/traffic_cop
trafficserver /usr/bin/traffic_crashlog
trafficserver /usr/bin/traffic_ctl
trafficserver /usr/bin/traffic_layout
trafficserver /usr/bin/traffic_logcat
trafficserver /usr/bin/traffic_logstats
trafficserver /usr/bin/traffic_manager
trafficserver /usr/bin/traffic_server
trafficserver /usr/bin/traffic_top
trafficserver /usr/bin/traffic_via
trafficserver /usr/lib/systemd/system/trafficserver.service
trafficserver /usr/lib/tmpfiles.d/trafficserver.conf
trafficserver /usr/lib64/trafficserver
trafficserver /usr/lib64/trafficserver/libatscppapi.so.7
trafficserver /usr/lib64/trafficserver/libatscppapi.so.7.0.0
trafficserver /usr/lib64/trafficserver/libtsconfig.so.7
trafficserver /usr/lib64/trafficserver/libtsconfig.so.7.0.0
trafficserver /usr/lib64/trafficserver/libtsmgmt.so.7
trafficserver /usr/lib64/trafficserver/libtsmgmt.so.7.0.0
trafficserver /usr/lib64/trafficserver/libtsutil.so.7
trafficserver /usr/lib64/trafficserver/libtsutil.so.7.0.0
trafficserver /var/cache/trafficserver
trafficserver /var/log/trafficserver
彭勇
2017-03-12 15:47:38 UTC
Red Hat Bugzilla #1276310 said Fixed In Version: openssl-1.0.2k-1.el7,
and I found a 1.0.2k package:

https://copr-be.cloud.fedoraproject.org/results/bitshaka/openssl-lts/epel-7-x86_64/00504994-openssl/
https://copr.fedorainfracloud.org/coprs/bitshaka/

Rebuild openssl-1.0.2 packages from https://koji.fedoraproject.org/
for CentOS/RHEL 7.x

Motivation: The OpenSSL version shipped is rather outdated, and, more
importantly, will not be supported any more. Also available is the
1.0.2 series. This is also our Long Term Support (LTS) version
(support will be provided until 31st December 2019). The 1.0.1 version
is currently only receiving security bug fixes and all support will be
discontinued for this version on 31st December 2016. OpenSSL Download
Page

Note: The built packages should be binary compatible with all packages
that depend on OpenSSL currently shipped with CentOS/RHEL 7.x (judging
from the head of the specfile 1.0.0 soversion = 10)

Features: OpenSSL 1.0.2 includes a number of improvements, most
importantly, support for ALPN (i.e. enabling HTTP2). For a full list
have a look at https://www.openssl.org/news/openssl-1.0.2-notes.html.


Then I upgraded to 1.0.2k.

After I recompiled Traffic Server, it works now.
--
Peng Yong
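
The diagnosis reached in this thread can be read mechanically from the `curl -v` lines quoted above: h2 was agreed over NPN while the ALPN offer went unanswered. The following Python is an added example, not code from any poster or from the ATS or curl projects; the function names, the trimmed sample logs and the "server accepted to use" wording for the ALPN success case are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the negotiation-relevant lines of the `curl -v --http2`
# output in the first post (server built against an OpenSSL without ALPN).
NPN_ONLY_LOG = """\
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [129 bytes data]
* NPN, negotiated HTTP2 (h2)
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Using HTTP2, server supports multi-use
"""

# Constructed sample for a server that answers ALPN. The "server accepted
# to use" wording is an assumption about curl builds of the same era.
ALPN_LOG = """\
* ALPN, offering h2
* ALPN, offering http/1.1
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Using HTTP2, server supports multi-use
"""

_OFFERED = re.compile(r"^\*\s+ALPN, offering (\S+)", re.M)
_ALPN_OK = re.compile(r"^\*\s+ALPN, server accepted to use (\S+)", re.M)
_NPN = re.compile(r"^\*\s+NPN, negotiated (\S+)(?: \((\S+)\))?", re.M)


@dataclass
class Negotiation:
    alpn_offered: List[str]        # protocols the client offered via ALPN
    alpn_selected: Optional[str]   # protocol the server chose via ALPN
    npn_selected: Optional[str]    # protocol agreed via the older NPN
    verdict: str                   # "alpn-h2", "npn-only-h2" or "no-h2"


def classify(curl_verbose: str) -> Negotiation:
    """Work out which TLS extension, if any, carried the h2 negotiation."""
    offered = _OFFERED.findall(curl_verbose)
    m = _ALPN_OK.search(curl_verbose)
    alpn = m.group(1) if m else None
    m = _NPN.search(curl_verbose)
    # The page shows "HTTP2 (h2)"; an NPN line without the parenthesised
    # token is treated as http/1.1 (assumption of this example).
    npn = (m.group(2) or "http/1.1") if m else None
    if alpn == "h2":
        verdict = "alpn-h2"
    elif npn == "h2":
        verdict = "npn-only-h2"    # the situation diagnosed in this thread
    else:
        verdict = "no-h2"
    return Negotiation(offered, alpn, npn, verdict)


def protocol_for_client(n: Negotiation, client_speaks_npn: bool) -> str:
    """Protocol a client ends up on, given which extensions it implements."""
    if n.alpn_selected:
        return n.alpn_selected
    if client_speaks_npn and n.npn_selected:
        return n.npn_selected
    return "http/1.1"              # no agreement: fall back to HTTP/1.1


if __name__ == "__main__":
    for name, log in (("npn-only", NPN_ONLY_LOG), ("alpn", ALPN_LOG)):
        n = classify(log)
        print(name, n.verdict,
              "| ALPN-only client:", protocol_for_client(n, False),
              "| NPN-capable client:", protocol_for_client(n, True))
```

Feed it the stderr of `curl -vso /dev/null --http2 <url>`; a verdict of `npn-only-h2` means HTTP/2 works only for clients that still implement NPN.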