[Pkg-openssl-devel] Bug#904156: Bug#904156: openssl: ALPN protocol: http/1.1, instead of h2. This occurred on my server after updating.

Mike Rotondo m.j.rotondo at gmail.com
Fri Jul 20 23:56:09 BST 2018


Does this help?

$ curl -v --http2 https://ServerAddressInQuesion/ > /dev/null
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--
 0*   Trying 23.94.173.87...
* TCP_NODELAY set
* Connected to onondagalibertarians.org (23.94.173.87) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [230 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [108 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [2818 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=ServerAddressInQuesion
*  start date: Apr 28 23:40:02 2018 GMT
*  expire date: Jul 27 23:40:02 2018 GMT
*  subjectAltName: host "ServerAddressInQuesion" matched cert's "ServerAddressInQuesion"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: ServerAddressInQuesion
> User-Agent: curl/7.55.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Fri, 20 Jul 2018 22:35:11 GMT
< Server: Apache/2.4.25 (Debian)
< Upgrade: h2,h2c
< Connection: Upgrade
< Set-Cookie: PHPSESSID=qdm1u9qfcj6fet1iv73og2kgf2; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Link: <https://ServerAddressInQuesion/index.php?rest_route=/>; rel="https://api.w.org/"
< Link: <https://ServerAddressInQuesion>; rel=shortlink
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
< Content-Type: text/html; charset=UTF-8
<
{ [6 bytes data]
100 35836    0 35836    0     0  35836      0 --:--:-- --:--:-- --:--:-- 84718
* Connection #0 to host ServerAddressInQuesion left intact


On Fri, Jul 20, 2018 at 6:06 PM, Sebastian Andrzej Siewior <sebastian at breakpoint.cc> wrote:

> On 2018-07-20 17:16:40 [-0400], Mike Rotondo wrote:
> >    I expected an update to roll out that fixed the problem
>
> Thank you for the informative bug report. If I put the pieces correctly
> together then since the point release you have your apache2 server not
> serving ALPN/h2 but only "normal" http/1.1 as you put it. Am I correct?
>
> If so, then this bug should be moved to openssl1.0 because apache2 in
> Stretch is using libssl1.0.2 and not libssl1.1. Other than that: Could
> you please check if downgrading either apache2 or libssl1.0.2 helps?
> The part that puzzles me most is that you received an update to
> libssl1.0.2 (and libssl1.1) via the point release and not via security
> which would be a good idea. Like *really* good idea.
>
> Now, if you downgrade I bet that downgrading apache2 helps. In that
> case we could move that report over to apache or close it right away. I
> speculate on apache because of this piece in its changelog [0]:
>
> |Unfortunately, this also removes support for http2 when running on
> |mpm_prefork.
>
> [0] https://tracker.debian.org/news/969425/accepted-apache2-2425-3deb9u5-source-amd64-all-into-proposed-updates-stable-new-proposed-updates/
>
> Sebastian
>
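
The curl trace in this message shows the client offering h2, the server selecting http/1.1 over ALPN, and the HTTP/1.1 response still listing h2 in its Upgrade header. The following is an added example, not part of the original message or of any Debian package: a small parser that extracts those three facts from `curl -v` output so the check can be repeated after each package change. The function name, verdict strings and sample trace are assumptions made for illustration.

```python
import re

# Constructed sample: a trimmed `curl -v --http2` trace modelled on the one in
# this message; example.invalid and 192.0.2.10 are placeholders.
SAMPLE_TRACE = """\
 0*   Trying 192.0.2.10...
* ALPN, offering h2
* ALPN, offering http/1.1
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
> GET / HTTP/1.1
> Host: example.invalid
< HTTP/1.1 200 OK
< Server: Apache/2.4.25 (Debian)
< Upgrade: h2,h2c
< Connection: Upgrade
"""

# Message formats as printed by the curl 7.55.1 trace above; other curl
# versions may word these lines differently.
OFFER_RE = re.compile(r"\* ALPN, offering (\S+)")
ACCEPT_RE = re.compile(r"\* ALPN, server accepted to use (\S+)")
UPGRADE_RE = re.compile(r"^< Upgrade:\s*(.*)$", re.IGNORECASE)


def analyze_alpn(trace):
    """Summarise ALPN negotiation from curl -v output (hypothetical helper)."""
    offered, accepted, upgrade = [], None, []
    for line in trace.splitlines():
        line = line.rstrip()
        if m := OFFER_RE.search(line):
            offered.append(m.group(1))
        elif m := ACCEPT_RE.search(line):
            accepted = m.group(1)
        elif m := UPGRADE_RE.match(line):
            upgrade = [t.strip() for t in m.group(1).split(",") if t.strip()]
    if accepted is None:
        verdict = "no-alpn-result"          # trace has no ALPN selection line
    elif accepted == "h2":
        verdict = "h2-negotiated"
    elif "h2" in offered:
        verdict = "h2-offered-not-selected"  # the situation in this report
    else:
        verdict = "h2-not-offered"           # client never asked for h2
    return {"offered": offered, "accepted": accepted, "verdict": verdict,
            # True when the HTTP/1.1 response still lists h2 in Upgrade, as here.
            "upgrade_lists_h2": "h2" in upgrade}


if __name__ == "__main__":
    print(analyze_alpn(SAMPLE_TRACE))
```

curl writes the verbose trace to stderr, so capture it with `2>&1` before passing the text to `analyze_alpn`.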