HTTP2, apache2, with certbot

I'm trying to set up HTTP2 with apache2 and certbot-auto. The fact is I have another working server with HTTP2 + Apache2 + a letsencrypt cert, and HTTP2 is working perfectly on that server. I have this on both servers:

SSLHonorCipherOrder     on
SSLProtocol             all -SSLv3
SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLOpenSSLConfCmd       DHParameters "/etc/ssl/private/dhparams_4096.pem"

I tried to regenerate both dhparams keys with:

openssl dhparam -out /etc/ssl/private/dhparams_4096.pem 4096

Restarted apache, same problem: server 1 is working, server 2 is not.

On ssllabs.com I get, with Chrome, FF, ...:

Server negotiated HTTP/2 with blacklisted suite

If I test with:

openssl s_client -host 127.0.0.1 -port 443

On the working server I have:

Server Temp Key: ECDH, P-256, 256 bits
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256

On the non-working server:

Server Temp Key: DH, 4096 bits
Cipher    : DHE-RSA-AES128-GCM-SHA256

I know that it should be an ECDH key to work, but I don't know why it's not working, as all servers have exactly the same configuration!

I always use certbot-auto --apache -d mydomain.com to generate a cert. I get HTTP2 working on the first server, not on the second (error "inadequate security", and fallback to HTTP/1.1).

Can you help me? I want a working configuration with apache2 and SSL/HTTP2; I don't need very old browser compatibility. Or if you know a very good working tutorial to do that.

Apache 2.4.25 and OpenSSL 1.0.2k on both servers.

I just (re-)emerged apache 2.4.25 with exactly the same compilation flags and it works now! Maybe some cipher libs were compiled before the newer openssl. I'm on gentoo.
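The "negotiated HTTP/2 with blacklisted suite" warning comes from RFC 7540 Appendix A, which rejects every TLS 1.2 suite that has no ephemeral key exchange or uses a non-AEAD (CBC or stream) cipher. The script below is an added example, not code from the question or from Apache/certbot: it runs that rule over the SSLCipherSuite value from the question (embedded as a constructed input) and emits a trimmed value containing only the suites that pass. Browsers layer their own stricter lists on top of this (which is why, as the question notes, an ECDHE suite is what actually works), so passing this check is necessary but not sufficient.

```python
"""Audit an Apache SSLCipherSuite string against the HTTP/2 (RFC 7540) cipher rules:
Appendix A black-lists every TLS 1.2 suite without an ephemeral key exchange or with
a non-AEAD (CBC/stream) cipher. Suite names use OpenSSL spelling."""

# Constructed input: the SSLCipherSuite value from the question, as a single string.
SSL_CIPHER_SUITE = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:"
    "ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:"
    "AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
)

EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-", "EDH-", "EECDH-")  # ECDH-/DH-/plain RSA kx are static
AEAD_MARKERS = ("-GCM-", "CHACHA20-POLY1305", "-CCM")      # a bare -SHA/-SHA256 suffix means CBC

def parse_cipher_string(value):
    """Suite names in an OpenSSL cipher string; !/-/+/@ directives and bare keywords are skipped."""
    toks = (t.strip() for t in value.split(":"))
    return [t for t in toks if t and t[0] not in "!-+@" and "-" in t]

def http2_ok(name):
    """True if the suite meets RFC 7540: ephemeral key exchange AND an AEAD cipher."""
    if name.startswith("TLS_"):  # TLS 1.3 suites are all ephemeral + AEAD
        return True
    return name.startswith(EPHEMERAL_PREFIXES) and any(m in name for m in AEAD_MARKERS)

def audit(value):
    """Map each suite to its HTTP/2 verdict, keeping the server's preference order."""
    return {name: http2_ok(name) for name in parse_cipher_string(value)}

def blacklisted(value):
    """Suites that would trigger the 'negotiated HTTP/2 with blacklisted suite' warning."""
    return [name for name, ok in audit(value).items() if not ok]

def http2_only(value):
    """The same SSLCipherSuite value with the black-listed suites removed."""
    return ":".join(name for name, ok in audit(value).items() if ok)

if __name__ == "__main__":
    for name, ok in audit(SSL_CIPHER_SUITE).items():
        print(("ok  " if ok else "BAD ") + name)
    print("\nSSLCipherSuite " + http2_only(SSL_CIPHER_SUITE))
```

The DHE GCM suite negotiated on the broken server passes this check; the static-RSA and CBC suites further down the list are the ones flagged.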

© 2020-2024 STACKOOM.COM