Enable HTTP/2 in Apache 2
I have a problem with my Apache configuration. The server does not respond with HTTP/2:
$ curl -v --http2 https://localhost/
Trying ::1...
TCP_NODELAY set
Connected to localhost (::1) port 443 (#0)
ALPN, offering h2
ALPN, offering http/1.1
Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
successfully set certificate verify locations:
CAfile: /etc/ssl/cert.pem
CApath: none
TLSv1.2 (OUT), TLS handshake, Client hello (1):
TLSv1.2 (IN), TLS handshake, Server hello (2):
TLSv1.2 (IN), TLS handshake, Certificate (11):
TLSv1.2 (IN), TLS handshake, Server key exchange (12):
TLSv1.2 (IN), TLS handshake, Server finished (14):
TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
TLSv1.2 (OUT), TLS change cipher, Client hello (1):
TLSv1.2 (OUT), TLS handshake, Finished (20):
TLSv1.2 (IN), TLS change cipher, Client hello (1):
TLSv1.2 (IN), TLS handshake, Finished (20):
SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
ALPN, server accepted to use http/1.1
Server certificate:
subject: C=CL; ST=Valparaiso; L=Hanga Roa; O=Hereveri Blog; CN=localhost; emailAddress=contacto@hereveri.cl
start date: Oct 10 17:51:15 2017 GMT
expire date: Oct 20 17:51:15 2018 GMT
subjectAltName: host "localhost" matched cert's "localhost"
issuer: C=CL; ST=Valparaiso; O=Hereveri Blog; CN=Hereveri Blog Intermediate; emailAddress=contacto@hereveri.cl
SSL certificate verify ok.
GET / HTTP/1.1
Host: localhost
User-Agent: curl/7.54.0
Accept: */*
HTTP/1.1 200 OK
Date: Wed, 11 Oct 2017 04:44:05 GMT
Server: Apache/2.4.27 (Unix) LibreSSL/2.2.7 PHP/7.1.7
Strict-Transport-Security: max-age=15768000
Upgrade: h2
Connection: Upgrade
Last-Modified: Wed, 11 Oct 2017 03:52:53 GMT
ETag: "72-55b3d5bb0cf40"
Accept-Ranges: bytes
Content-Length: 114
Vary: Accept-Encoding
Content-Type: text/html
I generated my certificate using openssl from LibreSSL 2.2.7, and built Apache/2.4.27 for the server, running on MacOS High Sierra.
Virtual host configuration:
Listen 443 https
<VirtualHost *:443>
ProtocolsHonorOrder On
Protocols h2 http/1.1
H2Direct on
ServerAdmin contacto@hereveri.cl
DocumentRoot "/Users/nelson/localhost"
ServerName localhost
ErrorLog "/Users/nelson/logs/localhost-secure-error_log"
CustomLog "/Users/nelson/logs/localhost-secure-access_log" common
SSLEngine on
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
SSLProtocol All -SSLv2 -SSLv3
SSLCertificateFile /etc/apache2/ssl/localhost.crt
SSLCertificateKeyFile /etc/apache2/ssl/localhost.key
SSLCertificateChainFile /etc/apache2/ssl/ca-chain.crt
Header always set Strict-Transport-Security "max-age=15768000"
</VirtualHost>
I checked SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384 against the TLS 1.2 Cipher Suite Black List. Then I tested openssl with that cipher.
$ openssl s_client -connect localhost:443 -alpn 'h2'
CONNECTED(00000005)
depth=2 C = CL, ST = Valparaiso, L = Hanga Roa, O = Hereveri Blog, CN = Hereveri Blog, emailAddress = contacto@hereveri.cl
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
0 s:/C=CL/ST=Valparaiso/L=Hanga Roa/O=Hereveri Blog/CN=localhost/emailAddress=contacto@hereveri.cl
i:/C=CL/ST=Valparaiso/O=Hereveri Blog/CN=Hereveri Blog Intermediate/emailAddress=contacto@hereveri.cl
1 s:/C=CL/ST=Valparaiso/O=Hereveri Blog/CN=Hereveri Blog Intermediate/emailAddress=contacto@hereveri.cl
i:/C=CL/ST=Valparaiso/L=Hanga Roa/O=Hereveri Blog/CN=Hereveri Blog/emailAddress=contacto@hereveri.cl
2 s:/C=CL/ST=Valparaiso/L=Hanga Roa/O=Hereveri Blog/CN=Hereveri Blog/emailAddress=contacto@hereveri.cl
i:/C=CL/ST=Valparaiso/L=Hanga Roa/O=Hereveri Blog/CN=Hereveri Blog/emailAddress=contacto@hereveri.cl
---
Server certificate
subject=/C=CL/ST=Valparaiso/L=Hanga Roa/O=Hereveri Blog/CN=localhost/emailAddress=contacto@hereveri.cl
issuer=/C=CL/ST=Valparaiso/O=Hereveri Blog/CN=Hereveri Blog Intermediate/emailAddress=contacto@hereveri.cl
---
No client certificate CA names sent
---
SSL handshake has read 5390 bytes and written 533 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
ALPN protocol: http/1.1
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 13230CAD937A6B82AE34F5E6730E6BFF154ECA2E391BB36D8F589BCDD36C1749
Session-ID-ctx:
Master-Key: A801C895B29E56182A97A6ADC4C6A798CA4B94F2BAA1A25D71D4669C4B4D58175D6C5A840C74 AFDCFE15237CD62CE7CF
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
Start Time: 1507777559
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
Some core:debug lines:
protocol.c(2220): [client ::1:52046] AH03155: select protocol from h2,http/1.1, choices=h2,http/1.1 for server localhost
protocol.c(2264): [client ::1:52046] AH03156: select protocol, proposals=http/1.1 preferences=h2,http/1.1 configured=h2,http/1.1
protocol.c(2284): [client ::1:52046] AH03157: selected protocol=http/1.1
Any suggestions? Thanks in advance!
Short answer:
I think you need LibreSSL 2.5 or later.
Longer answer:
Looking at your debug lines:
protocol.c(2220): [client ::1:52046] AH03155: select protocol from h2,http/1.1, choices=h2,http/1.1 for server localhost
This means your server offers h2,http/1.1 (the first of these) and your client can choose from the protocols it knows (the second h2,http/1.1). So at this point everything looks fine.
protocol.c(2264): [client ::1:52046] AH03156: select protocol, proposals=http/1.1 preferences=h2,http/1.1 configured=h2,http/1.1
This is interesting. In this debug line, all unknown protocols are stripped from the client's protocol list, down to those the server supports. So the client list drops from h2,http/1.1 to http/1.1. But the server does support h2, so why strip it? My guess is that this is because the TLS library (LibreSSL) knows nothing about H2.
I tested this by adding random protocols (H3, H4) to both client and server and found they were stripped even though both supported them.
Now the how to h2 in apache page does say it needs ALPN, so it works with "LibreSSL 2.1.3 and onward". And the LibreSSL changelog does say:
2.1.3 - Security update and OS support improvements
- Added Application-Layer Protocol Negotiation (ALPN) support.
However, it also says:
2.5.0 - New APIs, bug fixes and improvements
- libtls now supports ALPN and SNI
Then I found this issue, which suggests that ALPN was started (perhaps in 2.1.3?) but not completed until after August 2016, just before 2.5.0 was released.
I have not gone through the final step of building Apache with both versions of LibreSSL to confirm, but I have to leave something for you to do ;-)
Another reason for missing HTTP/2 support in Apache is that, since version 2.4.27, the Apache MPM (Multi-Processing Module) prefork no longer supports HTTP/2, so you need to use another MPM mode such as worker or event. For each attempted H2 connection you will see this message in the error log:
AH10034: The mpm module (prefork.c) is not supported by mod_http2. The
mpm determines how things are processed in your server. HTTP/2 has
more demands in this regard and the currently selected mpm will just
not do. This is an advisory warning. Your server will continue to
work, but the HTTP/2 protocol will be inactive.
The Apache Foundation has an HTTP/2 guide which also mentions that, even before Apache dropped support for H2 with prefork mode, people who tried H2 with prefork were severely limited. Also note that if you are using lib_php you will have to take another approach (e.g. using fastCGI), because it is only supported by prefork mode.