Configuration with SSL? #18

Closed
ipeychev opened this issue Sep 24, 2014 · 10 comments

@ipeychev

Hello,

Is there an example of configuration with SSL? h2o --help does not provide information on how to specify the certificate.

(And thanks for the advice, now I have it up and running).

@kazuho
Member

kazuho commented Sep 24, 2014

Sorry, SSL support exists in the source code (and thus is available if H2O is used as a library) but there is no configuration directive for the server.

Please wait a while.

@ipeychev
Author

Okay, I will wait, thanks!

@kazuho
Member

kazuho commented Sep 25, 2014

Memo: #23 introduced a callback that should be called when a connection gets closed. Do not forget to call the function when SSL handshake fails.

@kazuho
Member

kazuho commented Oct 9, 2014

Mostly finished by the above commit.

The configuration directive listen has been introduced, replacing port. It is possible to set up an HTTPS server by using the directive as shown in the example below.

listen:
  port: 8081
  host: 127.0.0.1
  ssl:
    certificate-file: examples/server.crt
    key-file: examples/server.key

The leftover is to properly implement multi-thread support in handling SSL (needs to define hooks as is done in http://openssl.6102.n7.nabble.com/When-to-use-CRYPTO-set-locking-callback-and-CRYPTO-set-id-callback-td7379.html).

@ipeychev
Author

Great job!

I just tried, but I was unable to run it successfully with SSL configuration. Here is my config for my test HTTP2 server, which is running on this domain http2rulez.com:

listen:
  port: 8084
  ssl:
    certificate-file: /home/iliyan/cert/http2rulez.com.cert
    key-file: /home/iliyan/cert/http2rulez.com.key
files:
  /: /home/iliyan/http2rulez.com/public
request-timeout: 10
mime-types:
  txt: text/plain
  html: text/html
  gif: image/gif
  png: image/png
  jpg: image/jpeg
  jpeg: image/jpeg
  css: text/css
  js: application/javascript

On this domain I have a few endpoints - SPDY on port 8081, HTTP2 on Port 80 (via node-http2) and so on.

I just configured H2O to run on port 8084 and I tried to connect with Canary and Firefox Nightly. In Canary I have enabled SPDY/4 flag. Both failed to connect to https://http2rulez.com:8084, but they successfully connected via HTTP2 protocol on this address: https://http2rulez.com.

@desaxce

desaxce commented Oct 12, 2014

@ipeychev:

Hi, I am not sure h2o supports AEAD cipher suites. Personally I managed to run an h2o HTTP/2 server with SSL and then I used Firefox Nightly to connect to it (but I had to set network.http.spdy.enforce-tls-profile to false).

Hope that helps.

@kazuho kazuho reopened this Oct 13, 2014
@kazuho
Member

kazuho commented Oct 13, 2014

@ipeychev @desaxce
It seems true that there is some issue. I have tried setting up a copy site of http2rulez.com using H2O and confirmed that (at least) Firefox Nightly has a problem connecting to it via HTTP/2 (reports an SSL MAC error).

Regarding the ciphersuites being supported, H2O does not provide any way to modify the list of ciphersuites from those enabled by OpenSSL by default (we should obviously add a way to configure the list; thank you for noticing it). But in the case of http2rulez.com I do not think that is the cause of the problem.

EDIT: The error also happens with HTTP/1.1 over SSL.
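
Added example, not part of the original thread and not H2O code: since the server at this point uses whatever ciphersuites OpenSSL enables by default, this Python sketch lists that default set on the local machine and flags suites that are not AEAD or lack ephemeral key exchange, the two properties on which the RFC 7540 Appendix A cipher black list is based. It assumes Python 3.6+ linked against OpenSSL 1.1.0 or later; the function names are hypothetical.

```python
import ssl


def h2_profile_problems(cipher):
    """Return why one suite fails the AEAD + ephemeral-key-exchange check.

    `cipher` is one dict as returned by ssl.SSLContext.get_ciphers().
    """
    if cipher.get("protocol") == "TLSv1.3":
        return []  # every TLS 1.3 suite is AEAD with ephemeral key exchange
    problems = []
    if not cipher["aead"]:
        problems.append("not AEAD (%s)" % cipher.get("symmetric"))
    kea = cipher.get("kea") or ""
    # kx-ecdhe, kx-dhe and their PSK variants use fresh keys per handshake.
    if not kea.startswith(("kx-ecdhe", "kx-dhe")):
        problems.append("no ephemeral key exchange (%s)" % (kea or "unknown"))
    return problems


def audit_suites(cipher_string="DEFAULT"):
    """Split the suites selected by an OpenSSL cipher string into (ok, flagged)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # "DEFAULT" is OpenSSL's own default list
    ok, flagged = [], {}
    for cipher in ctx.get_ciphers():
        problems = h2_profile_problems(cipher)
        if problems:
            flagged[cipher["name"]] = problems
        else:
            ok.append(cipher["name"])
    return ok, flagged


if __name__ == "__main__":
    ok, flagged = audit_suites("DEFAULT")
    print("%d suites pass, %d flagged (%s)" % (len(ok), len(flagged), ssl.OPENSSL_VERSION))
    for name, problems in sorted(flagged.items()):
        print("  %-32s %s" % (name, "; ".join(problems)))
```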

@kazuho
Member

kazuho commented Oct 15, 2014

@ipeychev
Would you mind retrying? I think I have fixed all the issues with commits up to 3de5b06.

I can now access a copy site of http2rulez.com set up for my own using HTTP/2 (HTTPS) using Google Chrome Canary.

@ipeychev
Author

Great job! It works now on https://http2rulez.com:8084!

@kazuho
Member

kazuho commented Oct 16, 2014

Wow! Thanks a lot!

@kazuho kazuho closed this as completed Oct 16, 2014
gfx pushed a commit to gfx/h2o that referenced this issue Jun 12, 2020
[quic] add -v and -s to filter response headers