Opened 4 years ago

Closed 4 years ago

#851 closed defect (duplicate)

HTTP/2 connection abort in Firefox

Reported by: Aljutor@…
Owned by:
Priority: minor
Milestone:
Component: documentation
Version: 1.9.x
Keywords: http/2 firefox
Cc:
uname -a: Linux scw-b9e7d1 4.1.6-249 #1 SMP Mon Aug 31 12:34:47 UTC 2015 armv7l GNU/Linux
nginx -V: nginx version: nginx/1.9.7
built by gcc 4.9.2 (Debian 4.9.2-10)
built with LibreSSL 2.3.1
TLS SNI support enabled
configure arguments: --with-openssl=/home/user/libressl_src/libressl-2.3.1 --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-threads --with-stream --with-stream_ssl_module --with-mail --with-mail_ssl_module --with-file-aio --with-http_v2_module --with-cc-opt='-g -O2 -fstack-protector-strong -Wformat -Werror=format-security' --with-ld-opt=-Wl,-z,relro --with-ipv6

Description

What I have:

Firefox 42 Win10 x64

Nginx 1.9.7 (based on the source code for the Debian package but built with LibreSSL to support ECDHE+CHACHA20)

And this config for the site:

server {
	listen      80             default_server;
	listen [::]:80 ipv6only=on default_server;

	server_name www.domain.tld domain.tld;
	
	return 301 https://$host$request_uri;
	
}

server {
	
	
	listen      443 ssl http2 default_server;
	listen [::]:443 ssl http2 default_server ipv6only=on;
	
	server_name  www.domain.tld domain.tld;
	
	add_header Strict-Transport-Security  "max-age=10886400; preload";	
	add_header X-Content-Type-Options     "nosniff";
	
	ssl on;
	ssl_certificate           /etc/letsencrypt/live/www.domain.tld/fullchain.pem;
	ssl_certificate_key       /etc/letsencrypt/live/www.domain.tld/privkey.pem;
	ssl_trusted_certificate   /etc/letsencrypt/live/www.domain.tld/fullchain.pem;

	ssl_session_cache shared:SSL:20m;
	ssl_session_timeout 180h;
	ssl_session_tickets on;
	ssl_session_ticket_key /etc/nginx/ssl/ticket.key;

	ssl_ecdh_curve secp384r1;

	ssl_stapling on;
	ssl_stapling_verify on;
	# Google DNS, Open DNS
	resolver 8.8.8.8 8.8.4.4 208.67.222.222 208.67.220.220 valid=300s;
	resolver_timeout 3s;

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_prefer_server_ciphers on;
	
	
	ssl_ciphers 'ECDHE+CHACHA20:ECDHE-RSA-AES256-GCM-SHA384:ECDHE+AES256+SHA384:ECDHE+AES256+SHA';

	root /var/www/domain.tld/;
	
	index index.html;

	location / {
		# First attempt to serve request as file, then
		# as directory, then fall back to displaying a 404.
		try_files $uri $uri/ =404;
	}
}

What happens:

In Firefox the website doesn't load, showing just a blank page.
If the first request was HTTP, it receives a redirect to HTTPS and then shows a blank page.

If I disable HTTP/2 support in Firefox, the site loads.
In Google Chrome everything works fine.



Change History (3)

comment:1 by Aljutor@…, 4 years ago

Component should be nginx-module, misclick

comment:2 by Aljutor@…, 4 years ago

Discovered the problem: HTTP/2 requires support for TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

https://tools.ietf.org/html/rfc7540

But Chrome and some other browsers work fine without it (and use strong ciphers).
But not Firefox.

Some warning about the absence of TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 when HTTP/2 is enabled can be helpful.

comment:3 by Maxim Dounin, 4 years ago

Resolution: duplicate
Status: new → closed

Duplicate of #794. See also note about using ssl_prefer_server_ciphers in the docs.
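
The check suggested in comment:2, as an added example that is not part of the ticket or of nginx: it expands an ssl_ciphers value with Python's ssl module (results depend on the local OpenSSL build) and reports whether the RFC 7540 section 9.2.2 suite is negotiable and which suites fall on the Appendix A black list. The function names and the name-based black-list heuristic are assumptions of this example.

```python
import ssl

# RFC 7540 section 9.2.2 suite, under the name OpenSSL and nginx use for it.
MANDATORY = "ECDHE-RSA-AES128-GCM-SHA256"


def expand(cipher_string):
    """Expand an ssl_ciphers value into TLS 1.2-and-below suite names, in order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites (TLS_AES_..., TLS_CHACHA20_...) are always enabled by
    # OpenSSL and are not selected by this string, so leave them out.
    return [c["name"] for c in ctx.get_ciphers() if not c["name"].startswith("TLS_")]


def is_h2_blacklisted(name):
    """Heuristic for RFC 7540 Appendix A: no ephemeral key exchange, or not AEAD."""
    ephemeral = name.startswith(("ECDHE-", "DHE-"))
    aead = any(tag in name for tag in ("GCM", "CHACHA20", "CCM"))
    return not (ephemeral and aead)


def http2_cipher_report(cipher_string):
    """Summarise how a cipher string stands against the HTTP/2 TLS 1.2 rules."""
    names = expand(cipher_string)
    return {
        "has_mandatory": MANDATORY in names,
        "blacklisted": [n for n in names if is_h2_blacklisted(n)],
        "negotiable": names,
    }


# ssl_ciphers value from the ticket's config, with the second entry written
# as the OpenSSL name ECDHE-RSA-AES256-GCM-SHA384.
TICKET = "ECDHE+CHACHA20:ECDHE-RSA-AES256-GCM-SHA384:ECDHE+AES256+SHA384:ECDHE+AES256+SHA"
# Constructed variant for comparison: the mandatory suite placed first.
FIXED = MANDATORY + ":" + TICKET

if __name__ == "__main__":
    for label, value in (("ticket", TICKET), ("fixed", FIXED)):
        report = http2_cipher_report(value)
        print(label, "mandatory suite present:", report["has_mandatory"])
        for n in report["blacklisted"]:
            print("   on HTTP/2 black list:", n)
```

With ssl_prefer_server_ciphers on, the server's order decides the suite, so any black-listed name reported ahead of an AEAD suite the client supports is the one to look at first.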
