UNDERTOW-2434

AlpnOpenListener requires TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • Version: 2.3.19.Final
    • Component: Core

      AlpnOpenListener requires TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, so HTTP/2 is not offered if this suite is removed from enabled-cipher-suites.

      For example, configure a https-listener like below:

      <https-listener name="https" socket-binding="https" verify-client="REQUESTED" security-realm="ApplicationRealm" enable-http2="true" enabled-cipher-suites="TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"/>
      

      Then note that client requests are only HTTP/1.1 and not HTTP/2. That is consistently reproduced, and with SSL debug it is clear to see that there is then no ALPN info in the ServerHello:

      2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10) javax.net.ssl|FINE|6E|default I/O-10|2024-07-23 13:09:32.198 EDT|ServerHello.java:365|Produced ServerHello handshake message (
      2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10) "ServerHello": {
      2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10)   "server version"      : "TLSv1.2",
      2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10)   "random"              : "19 78 CD 87 AE 39 8B 17 AB 93 5D FA 20 E4 06 47 BA A9 9D 29 17 5D 7F DC CB F5 09 F8 4A 73 E4 72",
      2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10)   "session id"          : "35 B6 6C 91 45 67 55 CF 63 4A 06 B2 3E 2C 7C 02 CF 4E 81 BD E1 0A 11 DF D4 E2 9E 70 FD 71 15 CB",
      2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10)   "cipher suite"        : "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030)",
      2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10)   "compression methods" : "00",
      2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10)   "extensions"          : [
      2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10)     "extended_master_secret (23)": {
      2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10)       <empty>
      2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10)     },
      2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10)     "renegotiation_info (65,281)": {
      2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10)       "renegotiated connection": [<no renegotiated connection>]
      2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10)     }
      2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10)   ]
      2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10) }
      2024-07-23 13:09:32,198 ERROR [stderr] (default I/O-10) )
      
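      The following is an added example, not Undertow's code: it checks an enabled-cipher-suites value against the HTTP/2 requirements of RFC 7540 section 9.2.2 (ephemeral key exchange, AEAD cipher, and the mandatory-to-implement suite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256), and reports separately whether the MTI suite is present, since that is the only condition AlpnOpenListener is reported to check here. Suite names are parsed with a constructed regular expression over IANA naming; the sample configuration is the one quoted in this issue.

```python
import re

# Mandatory-to-implement suite for HTTP/2 over TLS 1.2 (RFC 7540 section 9.2.2);
# also the suite this issue reports AlpnOpenListener insisting on.
H2_MTI_SUITE = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"

# Constructed parser for IANA-style TLS 1.2 suite names: TLS_<kx>_WITH_<cipher>[_<mac>]
_SUITE_RE = re.compile(r"^TLS_(?P<kx>.+?)_WITH_(?P<cipher>.+?)(?:_(?P<mac>SHA\d*|MD5))?$")


def h2_issues(suite: str) -> list[str]:
    """Return the RFC 7540 section 9.2.2 reasons a suite is unsuitable for h2 (empty list = fine)."""
    if suite.startswith("TLS_") and "_WITH_" not in suite:
        # TLS 1.3 suites (e.g. TLS_AES_128_GCM_SHA256) are always AEAD with ephemeral key exchange
        return []
    m = _SUITE_RE.match(suite)
    if not m:
        return ["unrecognised suite name"]
    issues = []
    if not m["kx"].startswith(("ECDHE_", "DHE_")):
        issues.append("no ephemeral key exchange")
    aead = m["cipher"].endswith(("_GCM", "_CCM", "_CCM_8")) or "CHACHA20_POLY1305" in m["cipher"]
    if not aead:
        issues.append("not an AEAD cipher")
    return issues


def check_https_listener(enabled_cipher_suites: str) -> dict:
    """Evaluate an https-listener enabled-cipher-suites attribute value for HTTP/2 readiness."""
    suites = [s.strip() for s in enabled_cipher_suites.split(",") if s.strip()]
    incompatible = {s: h2_issues(s) for s in suites if h2_issues(s)}
    mti_present = H2_MTI_SUITE in suites
    return {
        "mti_present": mti_present,
        "incompatible": incompatible,
        # Per this issue, AlpnOpenListener only offers h2 when the MTI suite is enabled,
        # regardless of how many other h2-compatible suites are configured.
        "undertow_offers_h2": mti_present,
    }


if __name__ == "__main__":
    # The reporter's configuration: every suite is h2-compatible, yet the MTI suite is absent.
    reported = ("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,"
                "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384")
    print(check_https_listener(reported))
```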

      People: Flavia Rainone (flaviarnn), Aaron Ogburn (rhn-support-aogburn)