I've a locally hosted SPA (Kestrel/.NET Core). It is using a self-signed certificate for HTTPS communication (generated through Server Certificates in Windows 10).

It works well with IE11; however, when accessed from Google Chrome, it shows the error ERR_HTTP2_INADEQUATE_TRANSPORT_SECURITY.

Any clues on what could be done to overcome this?

Troubleshooting done so far:

  1. Custom cipher suite order.
  2. Disabling HTTP/2 through the Windows registry.
greybeard
Jack Sparrow

2 Answers

To use HTTP/2 you must be using TLSv1.2 and cannot use a number of blacklisted, less secure ciphers. This basically means you must use one of the GCM ciphers like TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (though other newer ciphers like TLS_CHACHA20_POLY1305_SHA256 are also supported).

If you only have older ciphers configured, then Chrome will fall back to HTTP/1.1 or, if that is not available, it will error with that error message.

Barry Pollard
  • Thanks Barry! Coming back after a long time, got occupied with other stuff. I just forced the server to listen on HTTP/1 and was able to overcome this error. – Jack Sparrow Aug 26 '20 at 10:11
  • Just wondering if you have any insights/inputs on how to get the newer cipher suites mentioned above used here? Here I am using a self-signed certificate on the server; does the certificate need to be generated with the cipher suite to use explicitly specified? I see RSA/SHA256 mentioned in places in the certificate, not sure how to enable use of TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 here... Appreciate any inputs... – Jack Sparrow Aug 26 '20 at 10:17
  • No, this is not to do with your cert, but with your server configuration. Not sure what server you're using to host this or how configurable the SSL/TLS settings are in there, but that's where you should look. – Barry Pollard Aug 26 '20 at 10:20
  • Using Kestrel/.NET Core as the server. It is a self-hosted endpoint. – Jack Sparrow Aug 28 '20 at 05:07
  • Adding in case it helps anyone digging into the same thing: for Kestrel, setting the Protocol Version looks to be the way to overcome this issue, as the cipher suite doesn't look to be configurable in Kestrel with .NET Core 3.1. – Jack Sparrow Sep 04 '20 at 09:53
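
The cipher rule described in the answer above can be checked offline against a server's suite list. This is an added example, not code from the posters or from Chrome: it applies the two criteria that the note in RFC 7540 Appendix A gives for the HTTP/2 blacklist rather than the list itself, and `SAMPLE` is a constructed priority list assumed to be in server preference order.

```python
import re

# Criteria from the note in RFC 7540 Appendix A: the HTTP/2 blacklist covers
# suites without an ephemeral key exchange and suites whose cipher is of the
# null, stream or block type (anything that is not AEAD).
EPHEMERAL_KX = {"ECDHE", "DHE"}
AEAD_MARKERS = ("_GCM", "_CCM", "CHACHA20_POLY1305")
# TLS 1.3 names have no "_WITH_" part; all TLS 1.3 suites are AEAD.
TLS13 = re.compile(r"^TLS_(AES_\d+_(GCM|CCM)(_8)?|CHACHA20_POLY1305)_SHA\d+$")


def http2_verdict(suite):
    """Return (acceptable, reason) for one IANA cipher suite name."""
    name = suite.strip().upper()
    if TLS13.match(name):
        return True, "TLS 1.3 AEAD suite"
    if not name.startswith("TLS_") or "_WITH_" not in name:
        return False, "unrecognised suite name"
    kx, cipher = name[4:].split("_WITH_", 1)
    if kx.split("_")[0] not in EPHEMERAL_KX:
        return False, "no ephemeral key exchange"
    if not any(marker in cipher for marker in AEAD_MARKERS):
        return False, "not an AEAD cipher"
    return True, "ephemeral key exchange with AEAD cipher"


def audit(priority_list):
    """Classify suites given one per line, highest priority first (assumed)."""
    rows = [(s.strip(), *http2_verdict(s))
            for s in priority_list.splitlines() if s.strip()]
    first_ok = next((i for i, r in enumerate(rows) if r[1]), None)
    # Blacklisted suites ranked above the first acceptable one are the ones a
    # server applying its own order may select even though h2 is negotiated.
    ahead = [r[0] for r in rows[:first_ok] if not r[1]]
    return rows, ahead


# Constructed sample, not taken from the question's machine.
SAMPLE = """
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_CHACHA20_POLY1305_SHA256
"""

if __name__ == "__main__":
    rows, ahead = audit(SAMPLE)
    for suite, ok, reason in rows:
        print("OK   " if ok else "BLOCK", suite, "-", reason)
    print("Blacklisted suites ranked above the first acceptable one:", ahead)
```

On Windows, `Get-TlsCipherSuite` lists the enabled suites; their names can be pasted in place of `SAMPLE`, one per line.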

Adding in case it helps anyone digging into the same thing: for Kestrel, setting the Protocol Version to http1 looks to be the way to overcome this issue, as the cipher suite doesn't look to be configurable in Kestrel, at least with .NET Core 3.1.

Jack Sparrow