Opened 9 years ago

Closed 9 years ago

Last modified 8 years ago

#979 closed defect (duplicate)

http2 on 1.9.15 and 1.10.0 (works ok on 1.9.14)

Reported by: jashar.alumni.cmu.edu@… Owned by:
Priority: minor Milestone:
Component: nginx-core Version: 1.10.x
Keywords: Cc:
uname -a: Linux BARYOGENESIS.SKEDGO.COM 2.6.32-573.22.1.el6.x86_64 #1 SMP Wed Mar 23 03:35:39 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.9.15
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-16) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_perl_module=dynamic --add-dynamic-module=njs-1c50334fbea6/nginx --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_v2_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'

Description

Hi there,

We have an iOS app that is having intermittent issues with http/2 in nginx. The error on iOS is not very useful "Could not connect to the server.". Nothing appears in the nginx log (access or error). Wireshark shows a connection is opened, and application data is sent and received, though we cannot see what the data is due to encryption. (I tried imported our private key into wireshark but it didn't decrypt the connection.)

It seems others are having this issue as well:

http://stackoverflow.com/a/37178257/192798

We did a bit of trial and error installing different versions from the nginx centos 6 repository. mainline 1.9.5, 1.9.10, and 1.9.14 all work fine. This issue is only with mainline 1.9.15 and stable 1.10.0.

I'm including nginx -V for a working version in case it helps:

nginx version: nginx/1.9.14
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-16) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_perl_module=dynamic --add-dynamic-module=njs-91543c86f412/nginx --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_v2_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic'

Change History (5)

comment:1 by jashar.alumni.cmu.edu@…, 9 years ago

Sorry, forgot to mention http/1.1 works fine in nginx 1.10.0 (didn't test on 1.9.15).

comment:2 by Maxim Dounin, 9 years ago

Resolution: duplicate
Status: newclosed

Duplicate of #959.

comment:3 by Rogier Slag, 9 years ago

We encountered the same issue on two different nginx load balancers (both 1.10.0) after enabling http2. All browsers and operating systems perform well, but on iOS apps give a direct crash. When using safari to browse the same domain there is no problem.

We tested with different server suites (no blacklisted ciphers), different minimum encryptions (TLSv1.1 or TLSv1.0), and ssllabs.com we couldnt get any configuration to work reliably with HTTP2. For now we have switched back to SPDY, but that will soon be discontinued by Google.

Are there any plans to fix this in the mainline?

comment:4 by Valentin V. Bartenev, 8 years ago

I'm working on a solution right now, but this problem should be reported to the iOS devs as the first place.

comment:5 by Rogier Slag, 8 years ago

I have reported this already. It is known by Apple under bug number 26285066

Note: See TracTickets for help on using tickets.