OK. Thank you. But what about the HTTP/1.1 and HTTP/2 problem? As I mentioned 
before, I negotiated with the server for H2 in the early ALPN. However, the 
server only accepts HTTP/1.1 and why is that? My cURL has explicitly specified 
--http2-prior-knowledge but it still does not work. It still connects via 
HTTP/1.1.

Thank you for all your answers!
Regards,
David Hu

[PGP Public Key attached, key ID: 0x340A848D ; fingerprint: 340a 848d 4333 6873 
d48f 5dad 8847 c44d 75c3 da38]

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

On Thursday, January 21st, 2021 at 10:08 PM, Thomas Ward 
<tew...@thomas-ward.net> wrote:

> To clarify, I meant I don't run nginx.org's nginx server that they have.  ;)
> 

> The remaining IP tests by SSLLabs show the same behavior - 
> https://www.ssllabs.com/ssltest/analyze.html?d=nginx.org&latest - so it's 
> just a case of these servers being configured to only use TLS 1.2.  POSSIBLY 
> they're using an older set of OpenSSL or similar libraries that don't have 
> TLS 1.3 yet, but it's also just possible it's disabled - TLS 1.3 isn't 
> exactly the most 'accepted' protocol yet by certain policies and standards, 
> so that's a consideration too.
> 

> Thomas
> 

> On 1/22/21 1:04 AM, Thomas Ward wrote:
> 

> > So, I don't run the NGINX webserver, but I am pretty sure this is on the 
> > remote server to serve the protocol right.  SSLLabs test shows that TLS 1.3 
> > is just not offered.
> > 

> > https://www.ssllabs.com/ssltest/analyze.html?d=nginx.org&s=3.125.197.172&latest
> > 

> > There are three other IPs (one IPv4 and two IPv6) that will very likely 
> > reflect the same tests as well.
> > 

> > So to answer your original question:
> > 

> >  > What have I done wrong or if it is your problem?
> > 

> > You didn't do anything wrong.  TLS 1.2 is the only protocol that's offered 
> > for SSL/TLS connections to the nginx.org site.
> > 

> > Thomas
> > 

> > On 1/21/21 11:50 PM, David Hu wrote:
> > 

> > > So I have to downgrade to TLS v1.2. The full command input and the 
> > > connection process can be shown as follows:
> > > ./curl -vvvvv --http2-prior-knowledge --tlsv1.2 https://nginx.org
> > > *   Trying 52.58.199.22:443...
> > > * Connected to nginx.org (52.58.199.22) port 443 (#0)
> > > * ALPN, offering h2
> > > * ALPN, offering http/1.1
> > > * successfully set certificate verify locations:
> > > *  CAfile: D:\curl-7.74.0_2-win64-mingw\bin\curl-ca-bundle.crt
> > > *  CApath: none
> > > * TLSv1.3 (OUT), TLS handshake, Client hello (1):
> > > * TLSv1.3 (IN), TLS handshake, Server hello (2):
> > > * TLSv1.2 (IN), TLS handshake, Certificate (11):
> > > * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
> > > * TLSv1.2 (IN), TLS handshake, Server finished (14):
> > > * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
> > > * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
> > > * TLSv1.2 (OUT), TLS handshake, Finished (20):
> > > * TLSv1.2 (IN), TLS handshake, Finished (20):
> > > * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
> > > * ALPN, server accepted to use http/1.1
> > > * Server certificate:
> > > *  subject: CN=nginx.org
> > > *  start date: Oct 29 16:45:05 2020 GMT
> > > *  expire date: Jan 27 16:45:05 2021 GMT
> > > *  subjectAltName: host "nginx.org" matched cert's "nginx.org"
> > > *  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
> > > *  SSL certificate verify ok.
> > > 

> > > > GET / HTTP/1.1
> > > > Host: nginx.org
> > > > User-Agent: curl/7.74.0
> > > > Accept: */*
> > > 

> > > * Mark bundle as not supporting multiuse
> > > < HTTP/1.1 200 OK
> > > < Server: nginx/1.19.0
> > > < Date: Fri, 22 Jan 2021 04:43:32 GMT
> > > < Content-Type: text/html; charset=utf-8
> > > < Content-Length: 12676
> > > < Last-Modified: Tue, 15 Dec 2020 14:58:52 GMT
> > > < Connection: keep-alive
> > > < Keep-Alive: timeout=15
> > > < ETag: "5fd8cf2c-3184"
> > > < Accept-Ranges: bytes
> > > <
> > > 

> > > 

> > > 

> > > So I negotiate with your server to force the use of HTTP/2 (i.e. H2), and 
> > > ALPN is offering H2 and HTTP/1.1, but in the end I only get the HTTP 
> > > version HTTP/1.1, not H2. The same cURL specs and versions and specs as 
> > > the above message. What have I done wrong or if it is your problem?
> > > 

> > > Thanks again.
> > > Regards,
> > > 

> > > _______________________________________________
> > > nginx mailing list
> > > nginx@nginx.org
> > > http://mailman.nginx.org/mailman/listinfo/nginx
> > 



_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
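
Added example, not part of the original thread and not curl's or nginx's own code: a small Python parser for `curl -v` output like the transcript quoted above. It separates what the client offered in ALPN from what the server selected, since with HTTPS the server makes that selection during the TLS handshake. The names `summarize` and `findings` are hypothetical, and the sample lines are constructed from the quoted transcript.

```python
import re

# Constructed sample: lines taken from the curl -v transcript quoted in this
# thread, with the e-mail quote prefixes removed.
SAMPLE = """\
* ALPN, offering h2
* ALPN, offering http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
> GET / HTTP/1.1
< HTTP/1.1 200 OK
"""

PATTERNS = {  # field -> regex with one capture group
    "offered": r"\* ALPN, offering (\S+)",
    "alpn": r"\* ALPN, server accepted to use (\S+)",
    "tls": r"\* SSL connection using (\S+) /",
    "request": r"> \S+ \S+ (HTTP/[\d.]+)$",
    "response": r"< (HTTP/[\d.]+) \d{3}",
}

def summarize(trace):
    """Collect what the client offered and what the server selected."""
    info = {"offered": [], "alpn": None, "tls": None, "request": None, "response": None}
    for line in map(str.strip, trace.splitlines()):
        for field, pattern in PATTERNS.items():
            m = re.match(pattern, line)
            if m and field == "offered":
                info["offered"].append(m.group(1))
            elif m and info[field] is None:  # keep the first occurrence only
                info[field] = m.group(1)
    return info

def findings(info):
    """Explain any gap between the ALPN offer, the server's pick and the wire."""
    out = []
    if "h2" in info["offered"] and info["alpn"] != "h2":
        out.append(f"h2 was offered but the server selected {info['alpn'] or 'nothing'}")
    wire = {"h2": "HTTP/2", "http/1.1": "HTTP/1.1"}.get(info["alpn"])
    if wire and info["response"] and info["response"] != wire:
        out.append(f"ALPN selected {info['alpn']} but the response is {info['response']}")
    return out

if __name__ == "__main__":
    info = summarize(SAMPLE)
    print(info)
    print(findings(info) or "no mismatch")
```

The `SSL connection using` line is the one read for the negotiated TLS version; the per-record `TLSv1.x (IN/OUT)` trace lines are ignored.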
