AlpnOpenListener requires TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. So http/2 is not offered if this is removed from the enabled-cipher-suites.
For example, configure a https-listener like below:
<https-listener name="https" socket-binding="https" verify-client="REQUESTED" security-realm="ApplicationRealm" enable-http2="true" enabled-cipher-suites="TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"/>
And then note client requests are only HTTP/1.1 and not HTTP/2. That's consistently reproduced and clear to see there is then no alpn info in the server hello with ssl debug:
2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10) javax.net.ssl|FINE|6E|default I/O-10|2024-07-23 13:09:32.198 EDT|ServerHello.java:365|Produced ServerHello handshake message ( 2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10) "ServerHello": { 2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10) "server version" : "TLSv1.2", 2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10) "random" : "19 78 CD 87 AE 39 8B 17 AB 93 5D FA 20 E4 06 47 BA A9 9D 29 17 5D 7F DC CB F5 09 F8 4A 73 E4 72", 2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10) "session id" : "35 B6 6C 91 45 67 55 CF 63 4A 06 B2 3E 2C 7C 02 CF 4E 81 BD E1 0A 11 DF D4 E2 9E 70 FD 71 15 CB", 2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10) "cipher suite" : "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030)", 2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10) "compression methods" : "00", 2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10) "extensions" : [ 2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10) "extended_master_secret (23)": { 2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10) <empty> 2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10) }, 2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10) "renegotiation_info (65,281)": { 2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10) "renegotiated connection": [<no renegotiated connection>] 2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10) } 2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10) ] 2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10) } 2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10) )
- clones
-
UNDERTOW-2434 AlpnOpenListener requires TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- Open
- is caused by
-
UNDERTOW-896 HTTP/2 should not be offered as an option if TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 is not present
- Resolved