
Issue 527066

Issue metadata

Status: Fixed
Owner:
Closed: Oct 2015
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug

Blocked on:
issue 538015




Do not negotiate HTTP/2 when using NPN.

Project Member Reported by b...@chromium.org, Sep 1 2015

Issue description

In order to provide incentives for server deployments to move away from NPN, Chromium should not negotiate HTTP/2 when using NPN.  Needless to say, HTTP/2 over ALPN should be unaffected.

See also https://crbug.com/267858#c8 and https://crbug.com/526713.


Comment 1 by b...@chromium.org, Sep 28 2015

Cc: davidben@chromium.org
Status: Started
Plan:
 * Implement static function for NSS NPN callback in SSLClientSocketNSS to do what we want.
 * Have two NextProtoVector members of SSLConfig: one for NPN, one for ALPN.
 * Remove HTTP/2 from the NPN list for NSS.
Project Member

Comment 2 by bugdroid1@chromium.org, Sep 29 2015

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/f76254d62e10ebd2fc9185609fde431e3232bc1f

commit f76254d62e10ebd2fc9185609fde431e3232bc1f
Author: bnc <bnc@chromium.org>
Date: Tue Sep 29 00:03:44 2015

Refactor SSLClientSocket::SerializeNextProtos().

Break out HTTP/2 protocol removal from SSLClientSocket::SerializeNextProtos() to
SSLClientSocket::DisableHTTP2() method.  DisableHTTP2() will be used for NPN to
create a NextProtoVector that can be used by the callback function (no
serialization is necessary for this.)

BUG= 527066 

Review URL: https://codereview.chromium.org/1371263002

Cr-Commit-Position: refs/heads/master@{#351210}

[modify] http://crrev.com/f76254d62e10ebd2fc9185609fde431e3232bc1f/net/socket/next_proto.cc
[modify] http://crrev.com/f76254d62e10ebd2fc9185609fde431e3232bc1f/net/socket/next_proto.h
[modify] http://crrev.com/f76254d62e10ebd2fc9185609fde431e3232bc1f/net/socket/ssl_client_socket.cc
[modify] http://crrev.com/f76254d62e10ebd2fc9185609fde431e3232bc1f/net/socket/ssl_client_socket.h
[modify] http://crrev.com/f76254d62e10ebd2fc9185609fde431e3232bc1f/net/socket/ssl_client_socket_nss.cc
[modify] http://crrev.com/f76254d62e10ebd2fc9185609fde431e3232bc1f/net/socket/ssl_client_socket_openssl.cc
[modify] http://crrev.com/f76254d62e10ebd2fc9185609fde431e3232bc1f/net/socket/ssl_client_socket_unittest.cc

Comment 3 by b...@chromium.org, Sep 29 2015

Labels: M-48 Cr-Internals-Network-SSL

Comment 4 by b...@chromium.org, Oct 1 2015

Blockedon: chromium:538015
Project Member

Comment 5 by bugdroid1@chromium.org, Oct 21 2015

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/1f295377e8de70ba03ce73d9f7929e614d23df68

commit 1f295377e8de70ba03ce73d9f7929e614d23df68
Author: bnc <bnc@chromium.org>
Date: Wed Oct 21 23:24:22 2015

Disable HTTP/2 over NPN (with OpenSSL).

* Split SSLConfig.next_proto into two members: one for ALPN, one for NPN.
* Remove HTTP/2 from NPN.
* In OpenSSL, use alpn_protos for |ALPN|, and npn_protos for |NPN|.
* In NSS, use |alpn_protos| for both.
* In NSS, disable NPN if |npn_protos| is empty.

BUG= 527066 

Review URL: https://codereview.chromium.org/1387363004

Cr-Commit-Position: refs/heads/master@{#355427}

[modify] http://crrev.com/1f295377e8de70ba03ce73d9f7929e614d23df68/chrome/browser/net/preconnect.cc
[modify] http://crrev.com/1f295377e8de70ba03ce73d9f7929e614d23df68/chrome/browser/resources/net_internals/spdy_view.html
[modify] http://crrev.com/1f295377e8de70ba03ce73d9f7929e614d23df68/net/http/http_network_session.cc
[modify] http://crrev.com/1f295377e8de70ba03ce73d9f7929e614d23df68/net/http/http_network_session.h
[modify] http://crrev.com/1f295377e8de70ba03ce73d9f7929e614d23df68/net/http/http_network_transaction.cc
[modify] http://crrev.com/1f295377e8de70ba03ce73d9f7929e614d23df68/net/http/http_network_transaction_unittest.cc
[modify] http://crrev.com/1f295377e8de70ba03ce73d9f7929e614d23df68/net/http/http_server_properties.cc
[modify] http://crrev.com/1f295377e8de70ba03ce73d9f7929e614d23df68/net/http/http_stream_factory_impl_job.cc
[modify] http://crrev.com/1f295377e8de70ba03ce73d9f7929e614d23df68/net/log/net_log_util.cc
[modify] http://crrev.com/1f295377e8de70ba03ce73d9f7929e614d23df68/net/socket/socket_test_util.cc
[modify] http://crrev.com/1f295377e8de70ba03ce73d9f7929e614d23df68/net/socket/ssl_client_socket_nss.cc
[modify] http://crrev.com/1f295377e8de70ba03ce73d9f7929e614d23df68/net/socket/ssl_client_socket_openssl.cc
[modify] http://crrev.com/1f295377e8de70ba03ce73d9f7929e614d23df68/net/socket/ssl_client_socket_unittest.cc
[modify] http://crrev.com/1f295377e8de70ba03ce73d9f7929e614d23df68/net/spdy/spdy_network_transaction_unittest.cc
[modify] http://crrev.com/1f295377e8de70ba03ce73d9f7929e614d23df68/net/ssl/ssl_config.h
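
The split described in the commit message above, as an added sketch that is not Chromium's code: one protocol list for ALPN, a second for NPN with HTTP/2 removed, plus the length-prefixed serialization both lists use on the wire. `WithoutHttp2`, `Serialize`, `Select`, `MakeConfig` and `Negotiate` are hypothetical names, and the selection rule (first preference of the choosing side that the other side listed) is a simplifying assumption.

```cpp
#include <algorithm>
#include <cstdint>
#include <string>
#include <vector>

using ProtoList = std::vector<std::string>;

// Hypothetical helper: copy of `protos` with HTTP/2 ("h2") dropped.
ProtoList WithoutHttp2(const ProtoList& protos) {
  ProtoList out;
  for (const auto& p : protos)
    if (p != "h2") out.push_back(p);
  return out;
}

// Length-prefixed list form: each protocol name is preceded by one length
// byte. Empty names and names over 255 bytes cannot be encoded and are skipped.
std::vector<uint8_t> Serialize(const ProtoList& protos) {
  std::vector<uint8_t> wire;
  for (const auto& p : protos) {
    if (p.empty() || p.size() > 255) continue;
    wire.push_back(static_cast<uint8_t>(p.size()));
    wire.insert(wire.end(), p.begin(), p.end());
  }
  return wire;
}

// Assumed rule: first entry of the chooser's list that the other side listed.
std::string Select(const ProtoList& chooser, const ProtoList& offered) {
  for (const auto& p : chooser)
    if (std::find(offered.begin(), offered.end(), p) != offered.end())
      return p;
  return "";  // no overlap
}

// Two lists, as in the commit message: NPN never contains "h2".
struct Config { ProtoList alpn_protos, npn_protos; };
Config MakeConfig(const ProtoList& enabled) {
  return {enabled, WithoutHttp2(enabled)};
}

// ALPN: client offers alpn_protos, server chooses.
// NPN: server advertises its list, client chooses from npn_protos.
// server_has_alpn == false models an NPN-only server build.
std::string Negotiate(const Config& c, const ProtoList& server,
                      bool server_has_alpn) {
  return server_has_alpn ? Select(server, c.alpn_protos)
                         : Select(c.npn_protos, server);
}
```

With `{"h2", "spdy/3.1", "http/1.1"}` enabled on the client, a server listing `{"h2", "http/1.1"}` yields `h2` over ALPN and `http/1.1` over NPN, which is the downgrade discussed in the comments that follow.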

Comment 6 by b...@chromium.org, Oct 22 2015

Status: Fixed
This is fixed for OpenSSL. As for NSS (still used on iOS), however, fixing issue 538015 would have been too complex to be worth it, therefore on that particular platform, HTTP/2 is still used with NPN until the transition to OpenSSL.

This change will have the opposite effect of what is intended. A very large number of sites use Ubuntu LTS releases - currently that's 14.04 - which supports NPN, but cannot easily support ALPN. The next LTS release will be 16.04 - 6 months from now. FWIW it's not in Debian Jessie either, and that was only released a month ago.

Nginx 1.9.5 and up supports HTTP/2, but that will not ship as standard in Ubuntu until the next LTS release. 14.04 ships with OpenSSL 1.0.1f, which has NPN but not ALPN. Currently if you install nginx 1.9.5+ on Ubuntu LTS, you only get NPN support. It is of course possible to upgrade openssl without changing the OS release, however, openssl is depended upon by many, many other packages, and making this change would be unsupported and would result in unknown side-effects, so it's simply not going to happen at any kind of scale.

There's no need to "provide an incentive" - the next Ubuntu LTS release *will* include the necessary support for HTTP/2 with ALPN (OpenSSL 1.0.2d is already in Ubuntu 15.10), but the LTS release schedule is not going to change. Server admins are not going to switch to a non-LTS release with only 9 months of support for the sake of one or two packages.

HTTP/2 + NPN works in older versions of Chrome, but not in releases after this change, i.e. the only effect of jumping the gun like this is to penalise Chrome users (especially those that update) by downgrading them to HTTP/1, and nobody else, which seems pretty obtuse.

Meanwhile, all other browser users enjoy better performance with HTTP/2 + NPN...

Comment 8 by csred...@gmail.com, Jun 8 2016

CodeIT provides its own builds in a CentOS/RHEL repository, with NGINX built statically against OpenSSL 1.0.2.
https://codeit.guru/en_US/

These are recompiled SRPMs from official repository.
