
HTTP2: Is it still experimental in v12.0.0?

And does anyone know which version, draft or official, of HTTP2 the LTM in v12.0.0 supports?

I have a test server in v11.6.0 and HTTP2 no longer works with the latest versions of the major browsers.


Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Version 12.0 supports the final HTTP2 spec. 11.6.0 supports draft 14.

Because of the intertwining of http2 with SSL, it's unfortunately not as simple as merely dropping a http2 profile on the VIP. It has to be SSL-enabled, and needs to prefer certain ciphers that the http2 spec wants so that handshakes can complete successfully.

I know that you need at least this cipher string "ECDHE+AES-GCM:DEFAULT", but I haven't spent much time to test all the configuration options needed.

Hopefully this puts you in the right direction and someone else could add on it.

1
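The answer above says an HTTP/2 virtual server must be TLS-enabled and must prefer the ECDHE/AES-GCM ciphers the HTTP/2 spec expects. The script below is an added example, not code from the thread or from F5: it connects to a virtual server, offers "h2" through ALPN, and reports whether the server actually selected h2 and whether the negotiated cipher meets the RFC 7540 section 9.2.2 requirement (TLS 1.2 or later, ephemeral key exchange, AEAD cipher). The hostname www.company.com is the one used for the lab certificate later in this thread; the cipher-name heuristic is an assumption based on OpenSSL naming and is not F5's cipher-string logic.

```python
import socket
import ssl
import sys

# RFC 7540 section 9.2.2 effectively requires an ephemeral key exchange and an
# AEAD cipher for HTTP/2 over TLS 1.2; every TLS 1.3 suite already qualifies.
EPHEMERAL_KX = ("ECDHE", "DHE")
AEAD_MARKERS = ("GCM", "POLY1305", "CCM", "CCM8")


def cipher_acceptable_for_h2(cipher_name, tls_version):
    """Heuristic check on an OpenSSL-style name such as 'ECDHE-RSA-AES128-GCM-SHA256'."""
    if tls_version == "TLSv1.3":
        return True
    if tls_version != "TLSv1.2":
        return False                      # HTTP/2 over TLS needs at least TLS 1.2
    parts = cipher_name.split("-")
    return parts[0] in EPHEMERAL_KX and any(p in AEAD_MARKERS for p in parts)


def probe_h2_tls(host, port=443, timeout=5.0):
    """Connect, offer h2 via ALPN, and report what the server negotiated."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # lab VIPs with self-signed certs, as in the thread
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_alpn_protocols(["h2", "http/1.1"])
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, _, bits = tls.cipher()
            version = tls.version()
            return {
                "alpn": tls.selected_alpn_protocol(),   # None if the server ignored ALPN
                "tls_version": version,
                "cipher": name,
                "bits": bits,
                "cipher_ok_for_h2": cipher_acceptable_for_h2(name, version),
            }


def summarize(result):
    """Turn a probe result into the one-line verdict an operator wants."""
    if result["alpn"] != "h2":
        return "NO h2: server did not select h2 via ALPN (got %r)" % (result["alpn"],)
    if not result["cipher_ok_for_h2"]:
        return "h2 selected, but %s on %s does not meet RFC 7540 9.2.2" % (
            result["cipher"], result["tls_version"])
    return "OK: h2 over %s with %s" % (result["tls_version"], result["cipher"])


if __name__ == "__main__":
    # Assumed lab hostname from the thread; override on the command line.
    host = sys.argv[1] if len(sys.argv) > 1 else "www.company.com"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    result = probe_h2_tls(host, port)
    print(result)
    print(summarize(result))
```

Run it against the virtual server after changing the client-ssl cipher string: if "alpn" comes back as "http/1.1" or None the http2 profile is not being negotiated at all, and if the cipher is a CBC or non-ephemeral suite the browser will refuse the connection even though ALPN succeeded.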
Comments on this Answer
Comment made 05-Feb-2016 by Stanislas Piron 10237
Thank you very much... I had the same issue and was searching how to resolve it by changing ciphers, unsuccessfully. This cipher change now allows me to connect to my http/2 lab web server with:
- Chrome (Windows and Mac OS X)
- Firefox (Windows and Mac OS X)
- Microsoft Edge (Windows 10)
- Microsoft IE 11 (Windows 10)
- Safari (Mac OS X)
0
Comment made 05-Feb-2016 by Rasman 55
I am also testing this out but get "ERR_SPDY_PROTOCOL_ERROR" in Chrome. Are there any specific requirements on the certificate itself? Is there any difference if we use an RSA or ECDSA key? Currently testing with a wildcard cert created with an RSA key. Any advice highly appreciated.
0
Comment made 05-Feb-2016 by Stanislas Piron 10237
I use a self-signed certificate created with the following openssl command:

    openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -sha256 -keyout www.company.com.key -out www.company.com.crt -subj /C=FR/O=Company/CN=www.Company.com/L=Paris

My SSL profile is now:

    ltm profile client-ssl company-sha256 {
        app-service none
        cert www.company.com.crt
        cert-key-chain {
            www.company.com {
                cert www.company.com.crt
                key www.company.com.key
            }
        }
        chain none
        ciphers ECDHE+AES-GCM:DEFAULT
        defaults-from clientssl
        inherit-certkeychain false
        key www.company.com.key
        passphrase none
        renegotiation disabled
    }
1
Comment made 05-Feb-2016 by Stanislas Piron 10237
The cipher string for ECDSA and RSA together is:

    ECDHE_ECDSA+AES-GCM:ECDHE+AES-GCM:DEFAULT

First ECDSA, then RSA...
0
Comment made 07-Feb-2016 by Rasman 55
Thank you!
0
Comment made 08-Feb-2016 by Rasman 55
I use the following cipher string:

    ECDHE_ECDSA+AES-GCM:ECDHE+AES-GCM:DEFAULT:+SHA:+SHA384:+RSA:+TLSv1_1:+TLSv1:!SSLv3:!SSLv2:!DTLSv1:!EXPORT:!RC4:!MD5:!NULL:!DES:!ADH:!DHE

SSLLABS gives A+ on this and all online HTTP2 tests show it's fine. Still ERR_SPDY_PROTOCOL_ERROR in Chrome.

Looking at Chrome's internal tcp dump, the difference is that for the non-working session delta_window_size is a negative value:

    HTTP2_SESSION_UPDATE_STREAMS_SEND_WINDOW_SIZE --> delta_window_size = -32767

In a working HTTP2 session (Google):

    HTTP2_SESSION_UPDATE_STREAMS_SEND_WINDOW_SIZE --> delta_window_size = 983041

There must be something obvious that I am missing here. Using version 12.0.0 build 1.0.628.

Must there be any specific TCP profile for the VIP or is it enough to add the http2 profile? Can pool members use another port (weblogic port 7001) or must the pool members also use https? Sorry for all the questions but I am pretty stuck now.
0
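The HTTP2_SESSION_UPDATE_STREAMS_SEND_WINDOW_SIZE line quoted in the comment above is what a client logs when the server's SETTINGS frame changes SETTINGS_INITIAL_WINDOW_SIZE: RFC 7540 section 6.9.2 says every open stream's send window moves by the difference between the new value and the old one, and the default is 65535. The following added example (not code from the thread, from Chrome or from F5) builds and parses SETTINGS and WINDOW_UPDATE frames and tracks the client-side send windows, reproducing both figures from the comment with constructed traffic: a server announcing 1048576 produces delta 983041, and a server announcing 32768 produces delta -32767. The frames are constructed, not captured from a BIG-IP; a negative delta is allowed by the RFC, so on its own it is not an error, but the example shows where the number comes from and which window values would be a genuine FLOW_CONTROL_ERROR.

```python
import struct

# RFC 7540 constants
FRAME_SETTINGS = 0x4
FRAME_WINDOW_UPDATE = 0x8
FLAG_ACK = 0x1
SETTINGS_INITIAL_WINDOW_SIZE = 0x4
DEFAULT_INITIAL_WINDOW = 65535        # section 6.9.2
MAX_WINDOW = 2 ** 31 - 1              # anything larger is a FLOW_CONTROL_ERROR


class H2FlowControlError(Exception):
    pass


def build_frame(ftype, flags, stream_id, payload):
    """Serialize one frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags])
    header += struct.pack("!I", stream_id & 0x7FFFFFFF)
    return header + payload


def build_settings(settings):
    """SETTINGS frame (stream 0) from a {identifier: value} mapping."""
    payload = b"".join(struct.pack("!HI", k, v) for k, v in settings.items())
    return build_frame(FRAME_SETTINGS, 0, 0, payload)


def build_window_update(stream_id, increment):
    return build_frame(FRAME_WINDOW_UPDATE, 0, stream_id,
                       struct.pack("!I", increment & 0x7FFFFFFF))


def parse_frames(data):
    """Yield (type, flags, stream_id, payload) for each frame in a byte string."""
    off = 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack_from("!I", data, off + 5)[0] & 0x7FFFFFFF
        payload = data[off + 9:off + 9 + length]
        if len(payload) != length:
            raise ValueError("truncated frame")
        yield ftype, flags, stream_id, payload
        off += 9 + length


class SendWindowTracker:
    """Client-side view of send windows as the server's frames arrive."""

    def __init__(self):
        self.initial_window = DEFAULT_INITIAL_WINDOW
        self.connection_window = DEFAULT_INITIAL_WINDOW
        self.streams = {}      # stream_id -> current send window
        self.events = []       # (event, delta) log, mirroring the net-internals lines

    def open_stream(self, stream_id):
        self.streams[stream_id] = self.initial_window

    def apply(self, frame):
        ftype, flags, stream_id, payload = frame
        if ftype == FRAME_SETTINGS and not flags & FLAG_ACK:
            for off in range(0, len(payload), 6):
                ident, value = struct.unpack_from("!HI", payload, off)
                if ident != SETTINGS_INITIAL_WINDOW_SIZE:
                    continue
                if value > MAX_WINDOW:
                    raise H2FlowControlError("INITIAL_WINDOW_SIZE above 2^31-1")
                # 6.9.2: adjust every open stream by the difference; may go negative.
                delta = value - self.initial_window
                self.initial_window = value
                for sid in self.streams:
                    self.streams[sid] += delta
                self.events.append(("UPDATE_STREAMS_SEND_WINDOW_SIZE", delta))
        elif ftype == FRAME_WINDOW_UPDATE:
            increment = struct.unpack("!I", payload)[0] & 0x7FFFFFFF
            if increment == 0:
                raise H2FlowControlError("WINDOW_UPDATE with zero increment")
            if stream_id == 0:
                self.connection_window += increment
            elif stream_id in self.streams:
                self.streams[stream_id] += increment
            if self.connection_window > MAX_WINDOW or any(
                    w > MAX_WINDOW for w in self.streams.values()):
                raise H2FlowControlError("window exceeds 2^31-1")
            self.events.append(("WINDOW_UPDATE", increment))


def replay(server_bytes, open_streams=(1,)):
    """Feed server frames through a fresh tracker (stream 1 open) and return it."""
    tracker = SendWindowTracker()
    for sid in open_streams:
        tracker.open_stream(sid)
    for frame in parse_frames(server_bytes):
        tracker.apply(frame)
    return tracker


# Constructed sample traffic, not a capture: a server announcing a 32 KiB
# initial window, and one announcing 1 MiB plus a connection-level WINDOW_UPDATE.
SMALL_WINDOW_SERVER = build_settings({SETTINGS_INITIAL_WINDOW_SIZE: 32768})
LARGE_WINDOW_SERVER = (build_settings({SETTINGS_INITIAL_WINDOW_SIZE: 1048576})
                       + build_window_update(0, 983041))

if __name__ == "__main__":
    for name, data in (("small", SMALL_WINDOW_SERVER), ("large", LARGE_WINDOW_SERVER)):
        t = replay(data)
        print(name, t.events, "stream 1 send window:", t.streams[1])
```

Reading a capture of the BIG-IP side the same way (the SETTINGS frame is the first thing the server sends after the connection preface) tells you what initial window the virtual server is advertising and whether any later WINDOW_UPDATE pushes a window past the 2^31-1 limit, which is the case a client must reject.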
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi Jie,

11.6.0 is marked as experimental and will remain so through all 11.6.x versions. The HTTP2 profile on 11.6.0 is definitely buggy - but it is clearly labelled as experimental as you've observed.

The problems I observed in 11.6.0 were typically resolved in 12.0.0. If you want to run HTTP/2 in production, use 12.0.0 (currently at hotfix 1).

The implementation should follow the RFC. However, one would still expect to see bugs, since draft/RFC differences are apparently still being ironed out! For example: https://support.f5.com/kb/en-us/solutions/public/17000/000/sol17023

0
Comments on this Answer
Comment made 22-Nov-2016 by Simon Waters 398

I have tickets where key fixes to make APM work fully with HTTP/2 are missing.

HTTP/2 support is not really ready in APM for version 12.1, and the fixes were still "under consideration" according to support.

Ticket was opened April, so not really very impressed with F5 commitment to HTTP/2.

We'll likely look to use open source proxy and authentication components in place of F5 going forward.

0
Comment made 04-Jan-2017 by Walter Kacynski 973

Do you have any bugids?

0
Comment made 09-Jan-2017 by Simon Waters 398

ID600872, which is supposed to be fixed recently, I believe.

Support were uncertain if this would fix the issues with detecting activity in the Access Profile, but that looked like the same issue to me.

0
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

I have found that v11.6.0 no longer works with the current version of Firefox (v44.0.1) which supports the final http2 spec only and not http2draft: the config network.http.spdy.enabled.http2draft no longer exists in this browser.

0