http2 on 1.9.15 and 1.10.0 (works ok on 1.9.14)

[jashar.alumni.cmu.edu@…]

Hi there,

We have an iOS app that is having intermittent issues with http/2 in nginx. The error on iOS is not very useful "Could not connect to the server.". Nothing appears in the nginx log (access or error). Wireshark shows a connection is opened, and application data is sent and received, though we cannot see what the data is due to encryption. (I tried imported our private key into wireshark but it didn't decrypt the connection.)

It seems others are having this issue as well:

​http://stackoverflow.com/a/37178257/192798

We did a bit of trial and error installing different versions from the nginx centos 6 repository. mainline 1.9.5, 1.9.10, and 1.9.14 all work fine. This issue is only with mainline 1.9.15 and stable 1.10.0.

I'm including nginx -V for a working version in case it helps:

nginx version: nginx/1.9.14
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-16) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_perl_module=dynamic --add-dynamic-module=njs-91543c86f412/nginx --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_v2_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'

[jashar.alumni.cmu.edu@…]

Sorry, forgot to mention http/1.1 works fine in nginx 1.10.0 (didn't test on 1.9.15).

[Maxim Dounin]

Duplicate of #959.

[Rogier Slag]

We encountered the same issue on two different nginx load balancers (both 1.10.0) after enabling http2. All browsers and operating systems perform well, but on iOS apps give a direct crash. When using safari to browse the same domain there is no problem.

We tested with different server suites (no blacklisted ciphers), different minimum encryptions (TLSv1.1 or TLSv1.0), and ssllabs.com we couldnt get any configuration to work reliably with HTTP2. For now we have switched back to SPDY, but that will soon be discontinued by Google.

Are there any plans to fix this in the mainline?

[Valentin V. Bartenev]

I'm working on a solution right now, but this problem should be reported to the iOS devs as the first place.

[Rogier Slag]

I have reported this already. It is known by Apple under bug number 26285066