Opened 19 months ago

Closed 19 months ago

Last modified 19 months ago

#979 closed defect (duplicate)

http2 on 1.9.15 and 1.10.0 (works ok on 1.9.14)

Reported by: jashar.alumni.cmu.edu@… Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.10.x
Keywords: Cc:
Sensitive: no
uname -a: Linux BARYOGENESIS.SKEDGO.COM 2.6.32-573.22.1.el6.x86_64 #1 SMP Wed Mar 23 03:35:39 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.9.15 built by gcc 4.4.7 20120313 (Red Hat 4.4.7-16) (GCC) built with OpenSSL 1.0.1e-fips 11 Feb 2013 TLS SNI support enabled configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_perl_module=dynamic --add-dynamic-module=njs-1c50334fbea6/nginx --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_v2_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'

Description

Hi there,

We have an iOS app that is having intermittent issues with http/2 in nginx. The error on iOS is not very useful "Could not connect to the server.". Nothing appears in the nginx log (access or error). Wireshark shows a connection is opened, and application data is sent and received, though we cannot see what the data is due to encryption. (I tried imported our private key into wireshark but it didn't decrypt the connection.)

It seems others are having this issue as well:

http://stackoverflow.com/a/37178257/192798

We did a bit of trial and error installing different versions from the nginx centos 6 repository. mainline 1.9.5, 1.9.10, and 1.9.14 all work fine. This issue is only with mainline 1.9.15 and stable 1.10.0.

I'm including nginx -V for a working version in case it helps:

nginx version: nginx/1.9.14
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-16) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_perl_module=dynamic --add-dynamic-module=njs-91543c86f412/nginx --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_v2_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'

Change History (5)

comment:1 Changed 19 months ago by jashar.alumni.cmu.edu@…

Sorry, forgot to mention http/1.1 works fine in nginx 1.10.0 (didn't test on 1.9.15).

comment:2 Changed 19 months ago by mdounin

  • Resolution set to duplicate
  • Status changed from new to closed

Duplicate of #959.

comment:3 Changed 19 months ago by rogierslag@…

We encountered the same issue on two different nginx load balancers (both 1.10.0) after enabling http2. All browsers and operating systems perform well, but on iOS apps give a direct crash. When using safari to browse the same domain there is no problem.

We tested with different server suites (no blacklisted ciphers), different minimum encryptions (TLSv1.1 or TLSv1.0), and ssllabs.com we couldnt get any configuration to work reliably with HTTP2. For now we have switched back to SPDY, but that will soon be discontinued by Google.

Are there any plans to fix this in the mainline?

comment:4 Changed 19 months ago by vbart

I'm working on a solution right now, but this problem should be reported to the iOS devs as the first place.

comment:5 Changed 19 months ago by rogierslag@…

I have reported this already. It is known by Apple under bug number 26285066

Note: See TracTickets for help on using tickets.