-1

I'm checking ALPN support on NGINX with latest libressl 2.5.3. I think I have all correctly setup, but when I try to test from:

https://tools.keycdn.com/http2-test

Tell me : Yeah! DOMAIN supports HTTP/2.0

"ALPN is not supported"

Instead when I try to test locally with opnessl we can see alpn is correct with version h2

#openssl s_client -alpn h2 -connect domain:port | grep ALPN
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = fbrqx.com
verify return:1
ALPN protocol: h2

What I'm doing wrong ?

Are correct the information provided by keycdn ?

Thanks.

Ricardo / Brqx.

Ricardo Cabello Torres - Brqx
  • 61
  • 1
  • 9
  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/) or [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) would be a better place to ask. Also see [Where do I post questions about Dev Ops?](http://meta.stackexchange.com/q/134306) – jww Apr 26 '17 at 12:37
  • Instead to tell is not useful, why you don't see is a question with a very useful solution. What is not the correct place of course, but to people is complex to know correct place. What have more value is than is a good solution to will help a lot to other users. – Ricardo Cabello Torres - Brqx Apr 26 '17 at 16:29
  • The question may be useful to others, but its off-topic for this site. Place it on a site where it is on-topic. You were given two sites where its likely on-topic. You might also be interested in the [Help Center](https://stackoverflow.com/help), where these things are discussed in detail. – jww Apr 26 '17 at 18:40

1 Answers1

-1

Today keycdn works and tell us ALPN is supported.

Here we can see libressl information ( so with 2.5.3 version [April 2017] you can test openssl ): 

openssl version -a
LibreSSL 2.5.3
built on: date not available
platform: information not available
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx) 
compiler: information not available
OPENSSLDIR: "/PATH/libressl/libressl-2.5.3/.openssl/etc/ssl"

How to test server :

1.From server ( with openssl client ) 

openssl s_client -alpn h2 -connect DOMAIN:PORT -status

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
ALPN protocol: h2
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 1FB23766E93F4983F3218F3E1C0058947DD60BEEB414CA50BDDF9009299A273B
    Session-ID-ctx: 
    Master-Key: BBCC316C78C85C90066F660A5C1018F5F71CEADFF13AC406758BA06B0D07A5FFCF21395657CFF1B42760C371EE70281D
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 06 48 61 b7 a7 63 23 ad-6a cf f9 47 39 49 c0 1a   .Ha..c#.j..G9I..
    0010 - b3 04 db ea 02 2e 46 a9-9a 6b 02 de b5 e9 bb c4   ......F..k......
    0020 - 68 71 ba b2 62 27 08 76-f0 cb cb e6 e5 7d 4a 50   hq..b'.v.....}JP
    0030 - f8 4d 40 24 2a 35 2a 7e-03 5b bc 27 73 7d 1a 14   .M@$*5*~.[.'s}..
    0040 - f3 86 9d d9 33 42 49 c7-93 28 a0 f9 e3 4a cb 93   ....3BI..(...J..
    0050 - 4d e7 43 bf 8d 8b 9d 3b-06 47 04 77 ca ca 0b 56   M.C....;.G.w...V
    0060 - fc 6c ff 0d ac 69 7c b3-bb 6f fb 35 d5 75 7d aa   .l...i|..o.5.u}.
    0070 - d3 34 e1 04 f9 85 06 50-a2 3d 12 8d 69 39 53 32   .4.....P.=..i9S2
    0080 - c7 c4 f3 84 93 fb 87 8c-48 a2 7b 8f 35 5a c0 4f   ........H.{.5Z.O
    0090 - 3c 58 39 3d 5d cf b1 10-b4 fa 19 9d 43 f2 09 c7   <X9=].......C...

    Start Time: 1493112423
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
  1. From client - Browser Google Chrome ( will tell us current connections what listen http2)

chrome://net-internals/#http2

This is the configuration on nginx : 

server {
    index index.html index.htm index.php;

    # Direct http2 
    listen      IP:PORT ssl http2;

    # Haproxy redirection
    listen      IP:PORT  http2 proxy_protocol;
...

And this one is the configuration on haproxy ( My idea is to use SSL layer between HA and Nginx so could be in different servers around the world).

frontend ABC
    mode tcp
#   Works with http11
#    bind 0.0.0.0:PORT ssl crt /etc/haproxy/certs/DOMAIN.pem alpn http/1.1

#   Works with http2 and http11
    bind 0.0.0.0:PORT ssl crt /etc/haproxy/certs/DOMAIN.pem alpn h2,http/1.1 ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA


    reqadd X-Forwarded-Proto:\ https

   use_backend proxy_nginx if { ssl_fc_alpn -i h2 }

   default_backend nginx

backend nginx
   mode tcp
   server server_nginx IP:PORT check ssl verify none

backend proxy_nginx

   mode tcp
   server proxy_nginx IP:PORT check send-proxy
...

Now everybody could have working Haproxy, Nginx with libressl 2.5.3 using http2 and alpn.

Interesting URLs to check :

https://gist.github.com/thisismitch/7c91e9b2b63f837a0c4b https://www.mare-system.de/blog/page/1405201517/ https://jve.linuxwall.info/blog/index.php?post/2015/10/04/SHA1/SHA256-certificate-switching-with-HAProxy https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations

Best regards.

Ricardo / Brqx.

Ricardo Cabello Torres - Brqx
  • 61
  • 1
  • 9