I'm trying to get the following configuration working:

- Tomcat 9.0.17 (also tested with 9.0.16)
- AdoptOpenJDK Java 11.0.2 on Linux (also tested on Windows)
- Http11NioProtocol Connector
- Http2Protocol ProtocolUpgrade

I'm using the following connector config:

    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
               SSLEnabled="true"
               scheme="https"
               secure="true"
               keystoreFile="/appData/jks-keystore"
               keystorePass="password">
        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
    </Connector>

With the UpgradeProtocol in place, HTTP/2.0 works fine, but when I attempt a pure HTTP/1.0 or HTTP/1.1 request the server closes the connection before responding. This breaks any non-HTTP2.0 client.

My first question is: Should this configuration work?
My second is: Why is it broken? :)

Thanks!

Output from curl for reference:

Working:

    curl -kv --http2 https://127.0.0.1:8443/examples/
    * Trying 127.0.0.1...
    * TCP_NODELAY set
    * Connected to 127.0.0.1 (127.0.0.1) port 8443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    * CAfile: /etc/ssl/certs/ca-certificates.crt
      CApath: /etc/ssl/certs
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    * TLSv1.2 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
    * ALPN, server accepted to use h2
    * Server certificate:
    * subject: C=US; ST=Example; L=Example; O=Example; OU=Example; CN=Example
    * start date: Mar 13 13:39:10 2019 GMT
    * expire date: Jun 11 13:39:10 2019 GMT
    * issuer: C=US; ST=Example; L=Example; O=Example; OU=Example; CN=Example
    * SSL certificate verify result: self signed certificate (18), continuing anyway.
    * Using HTTP2, server supports multi-use
    * Connection state changed (HTTP/2 confirmed)
    * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
    * Using Stream ID: 1 (easy handle 0x558883950900)
    > GET /examples/ HTTP/2
    > Host: 127.0.0.1:8443
    > User-Agent: curl/7.58.0
    > Accept: */*
    >
    * Connection state changed (MAX_CONCURRENT_STREAMS updated)!
    < HTTP/2 200
    < accept-ranges: bytes
    < etag: W/"1156-1552393515275"
    < last-modified: Tue, 12 Mar 2019 12:25:15 GMT
    < content-type: text/html
    < content-length: 1156
    < date: Wed, 27 Mar 2019 03:42:56 GMT
    <
    <!DOCTYPE HTML><html lang="en">
    --snip--
    </html>
    * Connection #0 to host 127.0.0.1 left intact

Not working:

    curl -kv --http1.0 https://127.0.0.1:8443/examples/
    * Trying 127.0.0.1...
    * TCP_NODELAY set
    * Connected to 127.0.0.1 (127.0.0.1) port 8443 (#0)
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    * CAfile: /etc/ssl/certs/ca-certificates.crt
      CApath: /etc/ssl/certs
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    * TLSv1.2 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
    * ALPN, server did not agree to a protocol
    * Server certificate:
    * subject: C=US; ST=Example; L=Example; O=Example; OU=Example; CN=Example
    * start date: Mar 13 13:39:10 2019 GMT
    * expire date: Jun 11 13:39:10 2019 GMT
    * issuer: C=US; ST=Example; L=Example; O=Example; OU=Example; CN=Example
    * SSL certificate verify result: self signed certificate (18), continuing anyway.
    > GET /examples/ HTTP/1.0
    > Host: 127.0.0.1:8443
    > User-Agent: curl/7.58.0
    > Accept: */*
    >
    * TLSv1.2 (IN), TLS alert, Client hello (1):
    * Empty reply from server
    * Connection #0 to host 127.0.0.1 left intact
    curl: (52) Empty reply from server