
Spring Boot can support http/2 now, but if a browser does not support http/2, can the browser ask the server to use http1.x+ssl on the same http port? Nginx can automatically downgrade http/2 to http1.x+ssl when the browser does not support http/2. Is this a Spring Boot issue, or a servlet container issue (Tomcat, Jetty, Undertow)?

I tried locally with a Spring Boot application with http/2: browsers that support http/2 can access it successfully, but access from browsers that do not support http/2 gets an 'Aborted' http status.

Application information:
Spring Boot Version: 2.1.0.M4
Servlet Container: default, Apache Tomcat/9.0.12

application.properties:

spring.application.name=spring-test
server.port=8443

server.http2.enabled=true

server.ssl.key-store=classpath:testkeystore.jks
server.ssl.key-store-password=test
server.ssl.key-password=test

Browser that supports http/2: Chrome, version 66.0.3359.139
Browser that does not support http/2: Firefox, version 30.0

tkec

1 Answer


This is more of a container problem, although depending on the concrete problem, Spring Boot might be able to help in the way it configures the server.

The core issue with what you're describing is: if a server supports both http/2 and http/1.1, it still has to enforce strict minimal requirements for cipher suites, otherwise attackers could force the clients to downgrade the security and use a broken cipher.

So effectively, the category of HTTP clients you're worried about is getting smaller by the day. Clients that support those modern ciphers also support http/2. For example, in the latest Jetty release, all TLS_RSA ciphers are now excluded by default.

Brian Clozel
  • My situation is that the website is widely accessed by many browsers, and some do not support http2. I want to upgrade the Spring Boot server to support http2, and at the same time downgrade to http1.x+ssl when browsers do not support http2. – tkec Oct 12 '18 at 09:54
  • It is possible and already supported by many servers. Have you tried locally with a Spring Boot application? The point of my answer is: depending on cipher restrictions, it might not work, not because http 1.1 is not supported by the server, but because the cipher list is restricted. – Brian Clozel Oct 12 '18 at 09:57
  • I tried locally with a Spring Boot application: when `server.http2.enabled=true` and `server.ssl.*` are set, browsers that support http2 can access it successfully, but access from browsers that do not support http2 gets an 'Aborted' http status. Nginx returns OK in both situations. – tkec Oct 12 '18 at 10:12
  • You mean setting cipher restrictions to support both http1.1 and http2 will be ok? How to set them? – tkec Oct 12 '18 at 10:19
  • If you'd like a more precise answer, you should give more information in your question, like: Spring Boot version, choice of server, application.properties, ssl configuration, what the client is (name and version), and more. – Brian Clozel Oct 12 '18 at 12:17
  • I have updated some information about this question, @Brian Clozel – tkec Oct 25 '18 at 06:20
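The answer's point is that a server offering http/2 must restrict its TLS cipher suites (RFC 7540 section 9.2.2 requires ephemeral key exchange plus an AEAD cipher; the suites failing that are the Appendix A blacklist), and a client that offers none of those suites fails at the TLS handshake, before any HTTP version is chosen. The following model of that negotiation is an added example, not code from the question, the answer, Spring Boot or Tomcat. All cipher-suite lists in it are constructed for illustration and are not measurements of the browsers named in the question; the "fall back to http/1.1" rule it applies when a suite is not http/2-safe is a simplification (a real server may instead refuse the h2 connection with INADEQUATE_SECURITY).

```python
"""Model of TLS cipher-suite negotiation between a server that enables
HTTP/2 and clients of varying age. Shows why a strict, h2-only cipher list
leaves a legacy client with no common suite (handshake aborted), while a
list that keeps one forward-secret http/1.1 suite still lets it connect.
All suite lists are constructed for this example."""

# RFC 7540 s.9.2.2: HTTP/2 over TLS needs ephemeral key exchange (ECDHE or
# DHE) and an AEAD cipher (GCM, CCM or ChaCha20-Poly1305). Anything else is
# on the Appendix A blacklist. Checking by name pattern is enough here.
EPHEMERAL_KX = ("TLS_ECDHE_", "TLS_DHE_")
AEAD_MARKERS = ("_GCM_", "_CCM", "CHACHA20_POLY1305")


def h2_compatible(suite: str) -> bool:
    """True if the suite satisfies both HTTP/2 requirements."""
    return suite.startswith(EPHEMERAL_KX) and any(m in suite for m in AEAD_MARKERS)


def negotiate(server_suites, client_suites):
    """Server-preference negotiation: first server suite the client also offers."""
    for suite in server_suites:
        if suite in client_suites:
            return suite
    return None  # no overlap: TLS handshake fails, client sees an abort


def describe(server_suites, client_suites, client_alpn):
    """Outcome for one client as (protocol, suite):
    ('aborted', None), ('h2', suite) or ('http/1.1', suite)."""
    suite = negotiate(server_suites, client_suites)
    if suite is None:
        return ("aborted", None)
    # Simplified rule: h2 is selected only if the client offered it via ALPN
    # and the agreed suite is h2-safe; otherwise the server picks http/1.1.
    if "h2" in client_alpn and h2_compatible(suite):
        return ("h2", suite)
    return ("http/1.1", suite)


# Constructed client profiles (hypothetical, not the real browsers' lists).
MODERN_CLIENT = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]
LEGACY_CLIENT = [  # no AEAD suites at all, and no ALPN
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

# Constructed server cipher lists, in server preference order.
STRICT_SERVER = [  # h2-safe suites only
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]
# Same, plus one forward-secret CBC suite kept for http/1.1-only clients.
# Note that no TLS_RSA_* (non-forward-secret) suite is added.
COMPAT_SERVER = STRICT_SERVER + ["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"]


def outcomes():
    """Run the four combinations the thread is about."""
    return {
        "strict/modern": describe(STRICT_SERVER, MODERN_CLIENT, ["h2", "http/1.1"]),
        "strict/legacy": describe(STRICT_SERVER, LEGACY_CLIENT, []),
        "compat/modern": describe(COMPAT_SERVER, MODERN_CLIENT, ["h2", "http/1.1"]),
        "compat/legacy": describe(COMPAT_SERVER, LEGACY_CLIENT, []),
    }


if __name__ == "__main__":
    for name, (proto, suite) in outcomes().items():
        print(f"{name:14s} -> {proto:9s} {suite or ''}")
```

In Spring Boot the server-side lists above correspond to the `server.ssl.ciphers` and `server.ssl.enabled-protocols` properties (both existing Spring Boot properties); the "strict/legacy" row is the situation where a legacy client sees the connection aborted even though the container does speak http/1.1, which is the distinction the answer draws.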