14

I have made a website with the HTTP/2 protocol, which is running on Apache 2.4.18 HTTP Server. Currently I have made the website SSL-enabled because I read somewhere that HTTP/2 by default requires SSL. I may not need to make my website secure, so I don't want to spend money on buying an SSL certificate.

Is there a way to implement the HTTP2 protocol without using SSL configurations? If yes, what configuration settings should I write in the httpd.conf file? Do I need to change any properties/settings of my browser (Chrome, Firefox, etc.)?

Dhumil Agarwal

1 Answer

12

As far as I know, most web browsers will not use the HTTP2 protocol if you connect to the web site via HTTP instead of HTTPS.

There are many places where you can get an SSL certificate for free, for example StartSSL, Universal SSL, Let’s Encrypt (see here) and others. The certificate may not be valid for a long time period and may not have some additional properties like Time-Stamping (like here), but it can still be used. You can still use the certificate for free.

You can read here, for example, the instructions for configuring HTTP2 in Apache HTTP Server. The most important thing would be to use the latest version of OpenSSL and the latest version of Apache Server. I'd recommend that you read the article about HTTP2, watch the video and look at the corresponding slides here about making TLS faster, and go through the checklist.

General Grievance
Oleg
  • Why this: "Disable TLS compression on your server."? What's wrong with TLS compression? – Geremia Apr 04 '16 at 22:28
  • @Geremia: There are many reasons. You can find a description of one of the most important [here](https://blog.qualys.com/ssllabs/2012/09/14/crime-information-leakage-attack-against-ssltls) and [here](https://en.wikipedia.org/wiki/CRIME). – Oleg Apr 04 '16 at 22:46
  • Thanks. I'm trying to figure out why after I used [this](https://mozilla.github.io/server-side-tls/ssl-config-generator/) to configure my Apache SSL settings, the wiki page I'm hosting no longer uses HTTP/2. – Geremia Apr 04 '16 at 23:36
  • You are welcome! First of all, it's important to know which version of Apache and OpenSSL you use, on which OS, and how TLS is configured. Do you have the server online? What is its URL? – Oleg Apr 04 '16 at 23:41
  • I'm using Apache 2.4.18 and OpenSSL 1.0.2g on Linux. Do I need mod_http2, even though Apache 2.4.18 is supposed to have HTTP/2 built-in? I get an A+ rating on https://ssllabs.com/ for my TLS config, which I configured with the help of [this](https://mozilla.github.io/server-side-tls/ssl-config-generator/). I'm able to put `Protocols h2 http/1.1` in httpd.conf and run `apachectl restart` without it complaining. So, why don't Curl, Firefox, or Chrome use HTTP/2 when I visit the site? – Geremia Apr 05 '16 at 01:36
  • I've also [hardened my HTTP response headers](https://scotthelme.co.uk/hardening-your-http-response-headers/) and thus get an A+ rating on https://securityheaders.io, too. Could hardening my HTTP response headers have messed up HTTP/2? – Geremia Apr 05 '16 at 01:46
  • @Geremia: You didn't post the URL to your server. Probably you just have a problem with testing the results? Did you verify that the web browser's *local cache* is cleared? – Oleg Apr 05 '16 at 04:49
  • Let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/108305/discussion-between-geremia-and-oleg). – Geremia Apr 05 '16 at 16:25
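
For reference, the two ways Apache 2.4.17+ can offer HTTP/2, side by side. This is an added example, not configuration posted by anyone in the thread; `example.com`, the certificate paths and the module path are placeholders to adapt.

```apache
# mod_http2 has to be loaded explicitly. "Protocols" is a core directive,
# so httpd accepts "Protocols h2 ..." without complaint even when the
# module that implements h2 is absent.
# (module path is a placeholder; it depends on the build/distribution)
LoadModule http2_module modules/mod_http2.so

# Variant 1: HTTP/2 over TLS ("h2"). This is the variant browsers use.
# It is negotiated through the TLS ALPN extension, so mod_ssl must be
# built against OpenSSL 1.0.2 or later.
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on
    # Placeholder paths; a free CA certificate works here.
    SSLCertificateFile    /path/to/fullchain.pem
    SSLCertificateKeyFile /path/to/privkey.pem
    # TLS compression off: the CRIME mitigation raised in the comments.
    SSLCompression off
    # Offer h2 first, fall back to HTTP/1.1 for clients without ALPN/h2.
    Protocols h2 http/1.1
</VirtualHost>

# Variant 2: cleartext HTTP/2 ("h2c"). No certificate is needed, but
# browsers do not speak h2c, so they stay on HTTP/1.1 on this vhost.
# Only non-browser clients that support h2c will upgrade.
<VirtualHost *:80>
    ServerName example.com
    Protocols h2c http/1.1
</VirtualHost>
```

`apachectl -M` lists the loaded modules, which shows whether `http2_module` is actually present, and `curl -I --http2 https://example.com/` prints the protocol version the server negotiated.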