Nginx First Alpha Patch for Nginx HTTP/2 support

Discussion in 'Nginx and PHP-FPM news & discussions' started by eva2000, Aug 12, 2015.

  1. rdan

    rdan Well-Known Member

  2. eva2000

    eva2000 Administrator Staff Member

    Last edited: Aug 12, 2015
  3. eva2000

    eva2000 Administrator Staff Member

    Strange that h2check.org doesn't report HTTP/2 for centminmod.com

    But using the h2i tool to check HTTP/2 shows: Negotiated protocol "h2"

    test sslspdy.com
    Code:
    h2i sslspdy.com
    Connecting to sslspdy.com:443 ...
    Connected to 192.184.89.66:443
    Negotiated protocol "h2"
    [FrameHeader SETTINGS len=18]
      [MAX_CONCURRENT_STREAMS = 128]
      [INITIAL_WINDOW_SIZE = 2147483647]
      [MAX_FRAME_SIZE = 16777215]
    [FrameHeader WINDOW_UPDATE len=4]
      Window-Increment = 2147418112
    
    test centminmod.com
    Code:
    h2i centminmod.com
    Connecting to centminmod.com:443 ...
    Connected to 104.152.214.227:443
    Negotiated protocol "h2"
    [FrameHeader SETTINGS len=18]
      [MAX_CONCURRENT_STREAMS = 128]
      [INITIAL_WINDOW_SIZE = 2147483647]
      [MAX_FRAME_SIZE = 16777215]
    [FrameHeader WINDOW_UPDATE len=4]
      Window-Increment = 2147418112
    test google.com
    Code:
    h2i google.com
    Connecting to google.com:443 ...
    Connected to 216.58.192.14:443
    Negotiated protocol "h2"
    [FrameHeader SETTINGS len=18]
      [MAX_CONCURRENT_STREAMS = 100]
      [INITIAL_WINDOW_SIZE = 1048576]
      [MAX_FRAME_SIZE = 16384]
    [FrameHeader WINDOW_UPDATE len=4]
      Window-Increment = 983041
    Ah, I see: Nginx HTTP/2 advertises the h2 protocol and not the h2-14 draft, so you need to check for h2 = ALPN protocol: h2
    Code:
    openssl s_client -alpn h2 -host sslspdy.com -port 443
    
    New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-CHACHA20-POLY1305
    Server public key is 256 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    ALPN protocol: h2
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-ECDSA-CHACHA20-POLY1305
    
    Code:
    openssl s_client -alpn h2 -host centminmod.com -port 443
    
    New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-CHACHA20-POLY1305
    Server public key is 256 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    ALPN protocol: h2
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-ECDSA-CHACHA20-POLY1305
    
    Code:
    openssl s_client -alpn h2 -host google.com -port 443
    
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-CHACHA20-POLY1305
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    ALPN protocol: h2
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-CHACHA20-POLY1305
    
    Checking HTTP/2 headers via curl 7.43+ for the added --http2 support + nghttp support, which the custom 7.43+ rpm linked below actually does not have.

    Code:
    curl -I --http2 https://centminmod.com -v
    * Rebuilt URL to: https://centminmod.com/
    *   Trying 104.152.214.227...
    * Connected to centminmod.com (104.152.214.227) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
    * successfully set certificate verify locations:
    *   CAfile: /etc/ssl/certs/ca-certificates.crt
      CApath: none
    * TLSv1.2 (OUT), TLS header, Certificate Status (22):
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    * TLSv1.2 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    * TLSv1.2 (OUT), TLS change cipher, Client hello (1):
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    * TLSv1.2 (IN), TLS change cipher, Client hello (1):
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    * SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
    * ALPN, server accepted to use h2
    * Server certificate:
    *        subject: OU=Domain Control Validated; OU=GGSSL Wildcard SSL; CN=*.centminmod.com
    *        start date: 2014-08-14 00:00:00 GMT
    *        expire date: 2017-08-13 23:59:59 GMT
    *        subjectAltName: centminmod.com matched
    *        issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO RSA Domain Validation Secure Server CA
    *        SSL certificate verify ok.
    * Using HTTP2, server supports multi-use
    * Connection state changed (HTTP/2 confirmed)
    * Using Stream ID: 1 (easy handle 0x117f5a0)
    > HEAD / HTTP/1.1
    > Host: centminmod.com
    > User-Agent: curl/7.43.0-DEV
    > Accept: */*
    >
    * http2_recv: 16384 bytes buffer at 0x117fef0 (stream 1)
    * Connection state changed (MAX_CONCURRENT_STREAMS updated)!
    * http2_recv: 16384 bytes buffer at 0x117fef0 (stream 1)
    * http2_recv: 16384 bytes buffer at 0x117fef0 (stream 1)
    * http2_recv: returns 247 for stream 1
    < HTTP/2.0 200
    HTTP/2.0 200
    < content-type:text/html; charset=utf-8
    content-type:text/html; charset=utf-8
    < vary:Accept-Encoding
    vary:Accept-Encoding
    < server:nginx centminmod
    server:nginx centminmod
    < alternate-protocol:443:npn-spdy/3
    alternate-protocol:443:npn-spdy/3
    < date:Wed, 12 Aug 2015 09:45:55 GMT
    date:Wed, 12 Aug 2015 09:45:55 GMT
    < x-page-speed:centminmod.com PageSpeed
    x-page-speed:centminmod.com PageSpeed
    < cache-control:max-age=0, no-cache
    cache-control:max-age=0, no-cache
    
    <
    * Connection #0 to host centminmod.com left intact
    FYI, for Centmin Mod 123.09beta01 users, you need to use LibreSSL's openssl binary for -alpn support i.e.

    Code:
    /opt/libressl/bin/openssl s_client -alpn h2 -host sslspdy.com -port 443
    If you need curl 7.43+ then you need the custom rpm addon for Centmin Mod .08+ at Beta Branch - Centmin Mod .08 beta 03 addon - curl 7.43 custom rpms | Centmin Mod Community

    More tests with nghttp = The negotiated protocol: h2 = HTTP/2

    for sslspdy.com

    Code:
    nghttp -nv https://sslspdy.com:443
    [  0.072] Connected
    The negotiated protocol: h2
    [  0.145] send SETTINGS frame <length=12, flags=0x00, stream_id=0>
              (niv=2)
              [SETTINGS_MAX_CONCURRENT_STREAMS(0x03):100]
              [SETTINGS_INITIAL_WINDOW_SIZE(0x04):65535]
    [  0.145] send PRIORITY frame <length=5, flags=0x00, stream_id=3>
              (dep_stream_id=0, weight=201, exclusive=0)
    [  0.145] send PRIORITY frame <length=5, flags=0x00, stream_id=5>
              (dep_stream_id=0, weight=101, exclusive=0)
    [  0.145] send PRIORITY frame <length=5, flags=0x00, stream_id=7>
              (dep_stream_id=0, weight=1, exclusive=0)
    [  0.145] send PRIORITY frame <length=5, flags=0x00, stream_id=9>
              (dep_stream_id=7, weight=1, exclusive=0)
    [  0.145] send PRIORITY frame <length=5, flags=0x00, stream_id=11>
              (dep_stream_id=3, weight=1, exclusive=0)
    [  0.145] send HEADERS frame <length=39, flags=0x25, stream_id=13>
              ; END_STREAM | END_HEADERS | PRIORITY
              (padlen=0, dep_stream_id=11, weight=16, exclusive=0)
              ; Open new stream
              :method: GET
              :path: /
              :scheme: https
              :authority: sslspdy.com
              accept: */*
              accept-encoding: gzip, deflate
              user-agent: nghttp2/1.2.1-DEV
    [  0.170] recv SETTINGS frame <length=18, flags=0x00, stream_id=0>
              (niv=3)
              [SETTINGS_MAX_CONCURRENT_STREAMS(0x03):128]
              [SETTINGS_INITIAL_WINDOW_SIZE(0x04):2147483647]
              [SETTINGS_MAX_FRAME_SIZE(0x05):16777215]
    [  0.170] recv WINDOW_UPDATE frame <length=4, flags=0x00, stream_id=0>
              (window_size_increment=2147418112)
    [  0.170] send SETTINGS frame <length=0, flags=0x01, stream_id=0>
              ; ACK
              (niv=0)
    [  0.208] recv SETTINGS frame <length=0, flags=0x01, stream_id=0>
              ; ACK
              (niv=0)
    [  0.208] recv (stream_id=13) :status: 200
    [  0.208] recv (stream_id=13) server: nginx
    [  0.208] recv (stream_id=13) date: Thu, 13 Aug 2015 08:40:25 GMT
    [  0.208] recv (stream_id=13) content-type: text/html; charset=utf-8
    [  0.208] recv (stream_id=13) last-modified: Wed, 12 Aug 2015 03:31:16 GMT
    [  0.208] recv (stream_id=13) vary: Accept-Encoding
    [  0.208] recv (stream_id=13) etag: W/"55cabe04-2d4a"
    [  0.208] recv (stream_id=13) expires: Fri, 14 Aug 2015 08:40:25 GMT
    [  0.208] recv (stream_id=13) cache-control: max-age=86400
    [  0.208] recv (stream_id=13) strict-transport-security: max-age=31536000; includeSubdomains
    [  0.208] recv (stream_id=13) cache-control: public, must-revalidate, proxy-revalidate
    [  0.208] recv (stream_id=13) content-encoding: gzip
    [  0.208] recv HEADERS frame <length=348, flags=0x04, stream_id=13>
              ; END_HEADERS
              (padlen=0)
              ; First response header
    [  0.231] recv DATA frame <length=3881, flags=0x01, stream_id=13>
              ; END_STREAM
    [  0.231] send GOAWAY frame <length=8, flags=0x00, stream_id=0>
              (last_stream_id=0, error_code=NO_ERROR(0x00), opaque_data(0)=[])
    for centminmod.com

    Code:
    nghttp -nv https://centminmod.com:443       
    [  0.063] Connected
    The negotiated protocol: h2
    [  0.097] recv SETTINGS frame <length=18, flags=0x00, stream_id=0>
              (niv=3)
              [SETTINGS_MAX_CONCURRENT_STREAMS(0x03):128]
              [SETTINGS_INITIAL_WINDOW_SIZE(0x04):2147483647]
              [SETTINGS_MAX_FRAME_SIZE(0x05):16777215]
    [  0.097] recv WINDOW_UPDATE frame <length=4, flags=0x00, stream_id=0>
              (window_size_increment=2147418112)
    [  0.097] send SETTINGS frame <length=12, flags=0x00, stream_id=0>
              (niv=2)
              [SETTINGS_MAX_CONCURRENT_STREAMS(0x03):100]
              [SETTINGS_INITIAL_WINDOW_SIZE(0x04):65535]
    [  0.097] send SETTINGS frame <length=0, flags=0x01, stream_id=0>
              ; ACK
              (niv=0)
    [  0.098] send PRIORITY frame <length=5, flags=0x00, stream_id=3>
              (dep_stream_id=0, weight=201, exclusive=0)
    [  0.098] send PRIORITY frame <length=5, flags=0x00, stream_id=5>
              (dep_stream_id=0, weight=101, exclusive=0)
    [  0.098] send PRIORITY frame <length=5, flags=0x00, stream_id=7>
              (dep_stream_id=0, weight=1, exclusive=0)
    [  0.098] send PRIORITY frame <length=5, flags=0x00, stream_id=9>
              (dep_stream_id=7, weight=1, exclusive=0)
    [  0.098] send PRIORITY frame <length=5, flags=0x00, stream_id=11>
              (dep_stream_id=3, weight=1, exclusive=0)
    [  0.098] send HEADERS frame <length=41, flags=0x25, stream_id=13>
              ; END_STREAM | END_HEADERS | PRIORITY
              (padlen=0, dep_stream_id=11, weight=16, exclusive=0)
              ; Open new stream
              :method: GET
              :path: /
              :scheme: https
              :authority: centminmod.com
              accept: */*
              accept-encoding: gzip, deflate
              user-agent: nghttp2/1.2.1-DEV
    [  0.113] recv SETTINGS frame <length=0, flags=0x01, stream_id=0>
              ; ACK
              (niv=0)
    [  0.119] recv (stream_id=13) :status: 200
    [  0.119] recv (stream_id=13) content-type: text/html; charset=utf-8
    [  0.119] recv (stream_id=13) vary: Accept-Encoding
    [  0.119] recv (stream_id=13) server: nginx centminmod
    [  0.119] recv (stream_id=13) alternate-protocol: 443:npn-spdy/3
    [  0.119] recv (stream_id=13) date: Thu, 13 Aug 2015 08:41:14 GMT
    [  0.119] recv (stream_id=13) x-page-speed: centminmod.com PageSpeed
    [  0.119] recv (stream_id=13) cache-control: max-age=0, no-cache
    [  0.119] recv (stream_id=13) content-encoding: gzip
    [  0.119] recv HEADERS frame <length=237, flags=0x04, stream_id=13>
              ; END_HEADERS
              (padlen=0)
              ; First response header
    [  0.119] recv DATA frame <length=8192, flags=0x00, stream_id=13>
    [  0.119] recv DATA frame <length=2427, flags=0x01, stream_id=13>
              ; END_STREAM
    [  0.119] send GOAWAY frame <length=8, flags=0x00, stream_id=0>
              (last_stream_id=0, error_code=NO_ERROR(0x00), opaque_data(0)=[])
    nghttp statistics for centminmod.com

    Code:
    nghttp -nas https://centminmod.com:443   
    ***** Statistics *****
    
    Request timing:
      responseEnd: the  time  when  last  byte of  response  was  received
                   relative to connectEnd
    requestStart: the time  just before  first byte  of request  was sent
                   relative  to connectEnd.   If  '*' is  shown, this  was
                   pushed by server.
          process: responseEnd - requestStart
             code: HTTP status code
             size: number  of  bytes  received as  response  body  without
                   inflation.
              URI: request URI
    
    see http://www.w3.org/TR/resource-timing/#processing-model
    
    sorted by 'complete'
    
    id  responseEnd requestStart  process code size request path
    13    +35.99ms       +316us  35.67ms  200  10K /
    15    +45.66ms     +36.04ms   9.62ms  200   9K /img/favicon.ico
    17    +46.15ms     +36.05ms  10.10ms  200   1K /css/localfonts.css
    19    +54.87ms     +36.05ms  18.82ms  200   5K /css/font-awesome.min.css
    21    +63.82ms     +36.05ms  27.77ms  200  19K /css/bootstrap.min.css
    23    +64.07ms     +36.05ms  28.01ms  200   4K /css/hover-dropdown-menu.css
    25    +64.12ms     +36.05ms  28.06ms  200  569 /css/icons-set8.css
    27    +70.11ms     +36.06ms  34.05ms  200   3K /css/animate.min.css
    29    +79.33ms     +36.06ms  43.27ms  200  24K /css/style.css
    31    +79.51ms     +36.06ms  43.45ms  200   2K /css/responsive.css
    33    +79.56ms     +36.07ms  43.49ms  200   1K /css/color.css
    35    +88.28ms     +36.07ms  52.21ms  200  29K /js/jquery.min.js
    37    +88.81ms     +36.07ms  52.74ms  200   9K /js/bootstrap.min.js
    39    +89.04ms     +36.07ms  52.96ms  200   6K /js/hover-dropdown-menu.js
    41    +89.07ms     +36.07ms  52.99ms  200  985 /js/jquery.hover-dropdown-menu-addon.js
    43    +89.10ms     +36.07ms  53.02ms  200  797 /js/jquery.easing.1.3.js
    47    +92.29ms     +36.08ms  56.22ms  200   8K /js/custom.js
    45   +101.77ms     +36.08ms  65.69ms  200  25K /js/bootstrapValidator.min.js
     
    Last edited: Aug 13, 2015
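The ALPN check and the server preamble that h2i and openssl s_client print in the post above, done in Python as an added example (this is not code from the thread, from Centmin Mod or from nginx): it offers h2 and http/1.1 via ALPN, and if the server selects h2 it sends the client connection preface and decodes the SETTINGS and WINDOW_UPDATE frames the server answers with. The embedded sample bytes are constructed to match the SETTINGS values shown for the nginx hosts above; the hostname to probe is taken from the command line.

```python
import socket
import ssl
import sys

# RFC 7540 constants used below
PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
FRAME_SETTINGS, FRAME_WINDOW_UPDATE = 0x4, 0x8
FRAME_NAMES = {0x0: "DATA", 0x1: "HEADERS", 0x2: "PRIORITY", 0x3: "RST_STREAM",
               0x4: "SETTINGS", 0x5: "PUSH_PROMISE", 0x6: "PING", 0x7: "GOAWAY",
               0x8: "WINDOW_UPDATE", 0x9: "CONTINUATION"}
SETTINGS_NAMES = {0x1: "HEADER_TABLE_SIZE", 0x2: "ENABLE_PUSH",
                  0x3: "MAX_CONCURRENT_STREAMS", 0x4: "INITIAL_WINDOW_SIZE",
                  0x5: "MAX_FRAME_SIZE", 0x6: "MAX_HEADER_LIST_SIZE"}


def build_frame(ftype, flags, stream_id, payload=b""):
    """Encode one frame: 24-bit length, type, flags, 31-bit stream id, payload."""
    header = len(payload).to_bytes(3, "big") + bytes([ftype, flags])
    return header + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload


def parse_frames(data):
    """Decode every complete frame in data. SETTINGS and WINDOW_UPDATE payloads are
    decoded further, the way h2i prints them; a trailing partial frame is ignored."""
    frames, pos = [], 0
    while pos + 9 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        stream_id = int.from_bytes(data[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        payload = data[pos + 9:pos + 9 + length]
        if len(payload) < length:
            break  # the rest of this frame has not arrived yet
        frame = {"type": FRAME_NAMES.get(ftype, hex(ftype)), "flags": flags,
                 "stream_id": stream_id, "length": length}
        if ftype == FRAME_SETTINGS and length % 6 == 0:
            settings = {}
            for i in range(0, length, 6):  # each parameter: 16-bit id + 32-bit value
                ident = int.from_bytes(payload[i:i + 2], "big")
                settings[SETTINGS_NAMES.get(ident, hex(ident))] = \
                    int.from_bytes(payload[i + 2:i + 6], "big")
            frame["settings"] = settings
        elif ftype == FRAME_WINDOW_UPDATE and length == 4:
            frame["window_increment"] = int.from_bytes(payload, "big") & 0x7FFFFFFF
        frames.append(frame)
        pos += 9 + length
    return frames


def probe_h2(host, port=443, timeout=5.0):
    """Offer h2 and http/1.1 via ALPN, like `openssl s_client -alpn h2`. If the server
    selects h2, send the client preface plus an empty SETTINGS frame and decode the
    server's own preamble (its SETTINGS and any WINDOW_UPDATE), as h2i does."""
    ctx = ssl.create_default_context()  # certificate verification stays on
    ctx.set_alpn_protocols(["h2", "http/1.1"])
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            result = {"alpn": tls.selected_alpn_protocol(), "frames": []}
            if result["alpn"] != "h2":
                return result  # no HTTP/2 over TLS on this host
            tls.sendall(PREFACE + build_frame(FRAME_SETTINGS, 0, 0))
            buf = b""
            try:
                # keep reading until the server's SETTINGS frame has been decoded
                while not any(f["type"] == "SETTINGS" for f in parse_frames(buf)):
                    chunk = tls.recv(4096)
                    if not chunk:
                        break
                    buf += chunk
            except socket.timeout:
                pass
            result["frames"] = parse_frames(buf)
            return result


# Constructed sample (not captured bytes): the SETTINGS and WINDOW_UPDATE values that
# h2i printed for the nginx hosts in the thread, re-encoded as wire frames.
SAMPLE_SERVER_PREAMBLE = (
    build_frame(FRAME_SETTINGS, 0, 0,
                b"\x00\x03" + (128).to_bytes(4, "big")
                + b"\x00\x04" + (2147483647).to_bytes(4, "big")
                + b"\x00\x05" + (16777215).to_bytes(4, "big"))
    + build_frame(FRAME_WINDOW_UPDATE, 0, 0, (2147418112).to_bytes(4, "big"))
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(probe_h2(sys.argv[1]))  # e.g. python3 probe.py centminmod.com
    else:
        for f in parse_frames(SAMPLE_SERVER_PREAMBLE):
            print(f)
```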
  4. eva2000

    eva2000 Administrator Staff Member

  5. eva2000

    eva2000 Administrator Staff Member

    Running the h2spec testing tool for HTTP/2 seems to hang on 4.2

    Code:
    h2spec --version         
    h2spec v1.1.1
    
    h2spec against centminmod.com seems to hang at 4.2
    Code:
    h2spec -h centminmod.com -p 443 -t
    
      3.5. HTTP/2 Connection Preface
        ✓ Sends invalid connection preface
    
      4.2. Frame Size
          Sends large size frame that exceeds the SETTINGS_MAX_FRAME_SIZE
    run testing against google.com

    Code:
    h2spec -h google.com -p 443 -t
    Code:
    70 tests, 14 passed, 0 skipped, 56 failed
    Code:
    h2spec -h google.com -p 443 -t
      3.5. HTTP/2 Connection Preface
        ✓ Sends invalid connection preface
    
      4.2. Frame Size
        × Sends large size frame that exceeds the SETTINGS_MAX_FRAME_SIZE
          - The endpoint MUST send a FRAME_SIZE_ERROR error.
            Expected: GOAWAY frame (ErrorCode: FRAME_SIZE_ERROR)
                      RST_STREAM frame (ErrorCode: FRAME_SIZE_ERROR)
                      Connection close
              Actual: PING frame (Length: 8, Flags: 0)
    
      4.3. Header Compression and Decompression
        × Sends invalid header block fragment
          - The endpoint MUST terminate the connection with a connection error of type COMPRESSION_ERROR.
            Expected: GOAWAY frame (ErrorCode: COMPRESSION_ERROR)
                      Connection close
              Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
        ✓ Sends Dynamic Table Size Update (RFC 7541, 6.3)
        × Encodes Dynamic Table Size Update (RFC 7541, 6.3) after common header fields
          - The endpoint MUST terminate the connection with a connection error of type COMPRESSION_ERROR.
            Expected: GOAWAY frame (ErrorCode: COMPRESSION_ERROR)
                      Connection close
              Actual: PING frame (Length: 8, Flags: 0)
    
      5.1. Stream States
        × idle: Sends a DATA frame
          - The endpoint MUST treat this as a connection error (Section 5.4.1) of type PROTOCOL_ERROR.
            Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                      Connection close
              Actual: Test timeout
        × idle: Sends a RST_STREAM frame
          - The endpoint MUST treat this as a connection error (Section 5.4.1) of type PROTOCOL_ERROR.
            Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                      Connection close
              Actual: Test timeout
        × idle: Sends a WINDOW_UPDATE frame
          - The endpoint MUST treat this as a connection error (Section 5.4.1) of type PROTOCOL_ERROR.
            Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                      Connection close
              Actual: Test timeout
        × idle: Sends a CONTINUATION frame
          - The endpoint MUST treat this as a connection error (Section 5.4.1) of type PROTOCOL_ERROR.
            Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                      Connection close
              Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
        × half closed (remote): Sends a DATA frame
          - The endpoint MUST respond with a stream error (Section 5.4.2) of type STREAM_CLOSED.
            Expected: GOAWAY frame (ErrorCode: STREAM_CLOSED)
                      RST_STREAM frame (ErrorCode: STREAM_CLOSED)
                      Connection close
              Actual: PING frame (Length: 8, Flags: 0)
        × half closed (remote): Sends a HEADERS frame
          - The endpoint MUST respond with a stream error (Section 5.4.2) of type STREAM_CLOSED.
            Expected: GOAWAY frame (ErrorCode: STREAM_CLOSED)
                      RST_STREAM frame (ErrorCode: STREAM_CLOSED)
                      Connection close
              Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
        × half closed (remote): Sends a CONTINUATION frame
          - The endpoint MUST respond with a stream error (Section 5.4.2) of type STREAM_CLOSED.
            Expected: GOAWAY frame (ErrorCode: STREAM_CLOSED)
                      RST_STREAM frame (ErrorCode: STREAM_CLOSED)
                      GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                      RST_STREAM frame (ErrorCode: PROTOCOL_ERROR)
                      Connection close
              Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
        × closed: Sends a CONTINUATION frame
          - The endpoint MUST treat this as a stream error (Section 5.4.2) of type STREAM_CLOSED.
            Expected: GOAWAY frame (ErrorCode: STREAM_CLOSED)
                      RST_STREAM frame (ErrorCode: STREAM_CLOSED)
                      GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                      RST_STREAM frame (ErrorCode: PROTOCOL_ERROR)
                      Connection close
              Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
    
        5.1.1. Stream Identifiers
          ✓ Sends even-numbered stream identifier
    
        5.1.2. Stream Concurrency
          × Sends HEADERS frames that causes their advertised concurrent stream limit to be exceeded
            - The endpoint MUST treat this as a stream error (Section 5.4.2) of type PROTOCOL_ERROR or REFUSED_STREAM
              Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                        RST_STREAM frame (ErrorCode: PROTOCOL_ERROR)
                        GOAWAY frame (ErrorCode: REFUSED_STREAM)
                        RST_STREAM frame (ErrorCode: REFUSED_STREAM)
                        Connection close
                Actual: HEADERS frame (Length: 21, Flags: 4)
    
      5.3. Stream Priority
        5.3.1. Stream Dependencies
          × Sends HEADERS frame that depend on itself
            - The endpoint MUST treat this as a stream error of type PROTOCOL_ERROR
              Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                        RST_STREAM frame (ErrorCode: PROTOCOL_ERROR)
                        Connection close
                Actual: PING frame (Length: 8, Flags: 0)
          × Sends PRIORITY frame that depend on itself
            - The endpoint MUST treat this as a stream error of type PROTOCOL_ERROR
              Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                        RST_STREAM frame (ErrorCode: PROTOCOL_ERROR)
                        Connection close
                Actual: Test timeout
    
      5.4. Error Handling
        5.4.1. Connection Error Handling
          ✓ Receives a GOAWAY frame
    
      5.5. Extending HTTP/2
        ✓ Sends an unknown extension frame
        × Sends an unknown extension frame in the middle of a header block
          - The endpoint MUST treat as a connection error of type PROTOCOL_ERROR.
            Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                      Connection close
              Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
    
      6.1. DATA
        × Sends a DATA frame with 0x0 stream identifier
          - The endpoint MUST respond with a connection error of type PROTOCOL_ERROR.
            Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                      Connection close
              Actual: Test timeout
        × Sends a DATA frame on the stream that is not opend
          - The endpoint MUST respond with a stream error of type STREAM_CLOSED.
            Expected: GOAWAY frame (ErrorCode: STREAM_CLOSED)
                      RST_STREAM frame (ErrorCode: STREAM_CLOSED)
                      Connection close
              Actual: PING frame (Length: 8, Flags: 0)
        × Sends a DATA frame with invalid pad length
          - The endpoint MUST treat this as a connection error of type PROTOCOL_ERROR.
            Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                      RST_STREAM frame (ErrorCode: PROTOCOL_ERROR)
                      Connection close
              Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
    
      6.2. HEADERS
        × Sends a HEADERS frame followed by any frame other than CONTINUATION
          - The endpoint MUST treat the receipt of any other type of frame as a connection error of type PROTOCOL_ERROR.
            Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                      Connection close
              Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
        × Sends a HEADERS frame followed by a frame on a different stream
          - The endpoint MUST treat the receipt of a frame on a different stream as a connection error of type PROTOCOL_ERROR.
            Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                      Connection close
              Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
        × Sends a HEADERS frame with 0x0 stream identifier
          - The endpoint MUST respond with a connection error of type PROTOCOL_ERROR.
            Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                      Connection close
              Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
        × Sends a HEADERS frame with invalid pad length
          - The endpoint MUST treat this as a connection error of type PROTOCOL_ERROR.
            Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                      Connection close
              Actual: Test timeout
    
      6.3. PRIORITY
        × Sends a PRIORITY frame with 0x0 stream identifier
          - The endpoint MUST respond with a connection error of type PROTOCOL_ERROR.
            Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                      Connection close
              Actual: PING frame (Length: 8, Flags: 0)
        × Sends a PRIORITY frame with a length other than 5 octets
          - The endpoint MUST respond with a stream error of type FRAME_SIZE_ERROR.
            Expected: GOAWAY frame (ErrorCode: FRAME_SIZE_ERROR)
                      RST_STREAM frame (ErrorCode: FRAME_SIZE_ERROR)
                      Connection close
              Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
    
      6.4. RST_STREAM
        × Sends a RST_STREAM frame with 0x0 stream identifier
          - The endpoint MUST respond with a connection error of type PROTOCOL_ERROR.
            Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                      Connection close
              Actual: Test timeout
        × Sends a RST_STREAM frame on a idle stream
          - The endpoint MUST respond with a connection error of type PROTOCOL_ERROR.
            Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                      Connection close
              Actual: Test timeout
        × Sends a RST_STREAM frame with a length other than 4 octets
          - The endpoint MUST respond with a connection error of type FRAME_SIZE_ERROR.
            Expected: GOAWAY frame (ErrorCode: FRAME_SIZE_ERROR)
                      Connection close
              Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
    
      6.5. SETTINGS
        ✓ Sends a SETTINGS frame
        × Sends a SETTINGS frame that is not a zero-length with ACK flag
          - The endpoint MUST respond with a connection error of type FRAME_SIZE_ERROR.
            Expected: GOAWAY frame (ErrorCode: FRAME_SIZE_ERROR)
                      Connection close
              Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
        × Sends a SETTINGS frame with the stream identifier that is not 0x0
          - The endpoint MUST respond with a connection error of type PROTOCOL_ERROR.
            Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                      Connection close
              Actual: SETTINGS frame (Length: 0, Flags: 1)
        × Sends a SETTINGS frame with a length other than a multiple of 6 octets
          - The endpoint MUST respond with a connection error of type FRAME_SIZE_ERROR.
            Expected: GOAWAY frame (ErrorCode: FRAME_SIZE_ERROR)
                      Connection close
              Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
    
        6.5.2. Defined SETTINGS Parameters
          × SETTINGS_ENABLE_PUSH (0x2): Sends the value other than 0 or 1
            - The endpoint MUST respond with a connection error of type PROTOCOL_ERROR.
              Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                        Connection close
                Actual: SETTINGS frame (Length: 0, Flags: 1)
          × SETTINGS_INITIAL_WINDOW_SIZE (0x4): Sends the value above the maximum flow control window size
            - The endpoint MUST respond with a connection error of type FLOW_CONTROL_ERROR.
              Expected: GOAWAY frame (ErrorCode: FLOW_CONTROL_ERROR)
                        Connection close
                Actual: GOAWAY frame (Length: 35, Flags: 0, ErrorCode: NO_ERROR)
          × SETTINGS_MAX_FRAME_SIZE (0x5): Sends the value below the initial value
            - The endpoint MUST respond with a connection error of type PROTOCOL_ERROR.
              Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                        Connection close
                Actual: SETTINGS frame (Length: 0, Flags: 1)
          × SETTINGS_MAX_FRAME_SIZE (0x5): Sends the value above the maximum allowed frame size
            - The endpoint MUST respond with a connection error of type PROTOCOL_ERROR.
              Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                        Connection close
                Actual: SETTINGS frame (Length: 0, Flags: 1)
    
      6.7. PING
        ✓ Sends a PING frame
        ✓ Sends a PING frame with the stream identifier that is not 0x0
        × Sends a PING frame with a length field value other than 8
          - The endpoint MUST respond with a connection error of type FRAME_SIZE_ERROR.
            Expected: GOAWAY frame (ErrorCode: FRAME_SIZE_ERROR)
                      Connection close
              Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
    
      6.8. GOAWAY
        × Sends a GOAWAY frame with the stream identifier that is not 0x0
          - The endpoint MUST respond with a connection error of type PROTOCOL_ERROR.
            Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                      Connection close
              Actual: Test timeout
    
      6.9. WINDOW_UPDATE
        ✓ Sends a WINDOW_UPDATE frame
        ✓ Sends a WINDOW_UPDATE frame with an flow control window increment of 0
        ✓ Sends a WINDOW_UPDATE frame with an flow control window increment of 0 on a stream
        × Sends a WINDOW_UPDATE frame with a length other than a multiple of 4 octets
          - The endpoint MUST respond with a connection error of type FRAME_SIZE_ERROR.
            Expected: GOAWAY frame (ErrorCode: FRAME_SIZE_ERROR)
                      Connection close
              Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
    
        6.9.1. The Flow Control Window
          × Sends multiple WINDOW_UPDATE frames on a connection increasing the flow control window to above 2^31-1
            - The endpoint MUST sends a GOAWAY frame with a FLOW_CONTROL_ERROR code.
              Expected: GOAWAY frame (ErrorCode: FLOW_CONTROL_ERROR)
                Actual: Test timeout
          ✓ Sends multiple WINDOW_UPDATE frames on a stream increasing the flow control window to above 2^31-1
    
        6.9.2. Initial Flow Control Window Size
          × Sends a SETTINGS_INITIAL_WINDOW_SIZE settings with an exceeded maximum window size value
            - The endpoint MUST respond with a connection error of type FLOW_CONTROL_ERROR.
              Expected: GOAWAY frame (ErrorCode: FLOW_CONTROL_ERROR)
                        Connection close
                Actual: GOAWAY frame (Length: 35, Flags: 0, ErrorCode: NO_ERROR)
    
      6.10. CONTINUATION
        ✓ Sends a CONTINUATION frame
        × Sends multiple CONTINUATION frames
          - The endpoint must accept the frames.
            Expected: HEADERS frame
              Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
        × Sends a CONTINUATION frame followed by any frame other than CONTINUATION
          - The endpoint MUST treat as a connection error of type PROTOCOL_ERROR.
            Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                      Connection close
              Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
        × Sends a CONTINUATION frame followed by a frame on a different stream
          - The endpoint MUST treat as a connection error of type PROTOCOL_ERROR.
            Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                      Connection close
              Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
        × Sends a CONTINUATION frame with the stream identifier that is 0x0
          - The endpoint MUST treat as a connection error of type PROTOCOL_ERROR.
            Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                      Connection close
              Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
        × Sends a CONTINUATION frame after the frame other than HEADERS, PUSH_PROMISE or CONTINUATION
          - The endpoint MUST treat as a connection error of type PROTOCOL_ERROR.
            Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                      Connection close
              Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
    
      8.1. HTTP Request/Response Exchange
        ✓ Sends a HEADERS frame as HEAD request
        × Sends a HEADERS frame containing trailer part
          - The endpoint should respond with HEADERS frame.
            Expected: HEADERS frame (Flags: 1)
              Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
    
        8.1.2. HTTP Header Fields
          × Sends a HEADERS frame that contains the header field name in uppercase letters
            - The endpoint MUST respond with a stream error of type PROTOCOL_ERROR.
              Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                        RST_STREAM frame (ErrorCode: PROTOCOL_ERROR)
                        Connection close
                Actual: PING frame (Length: 8, Flags: 0)
    
          8.1.2.1. Pseudo-Header Fields
            × Sends a HEADERS frame that contains the pseudo-header field defined for response
              - The endpoint MUST respond with a stream error of type PROTOCOL_ERROR.
                Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                          RST_STREAM frame (ErrorCode: PROTOCOL_ERROR)
                          Connection close
                  Actual: PING frame (Length: 8, Flags: 0)
            × Sends a HEADERS frame that contains the invalid pseudo-header field
              - The endpoint MUST respond with a stream error of type PROTOCOL_ERROR.
                Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                          RST_STREAM frame (ErrorCode: PROTOCOL_ERROR)
                          Connection close
                  Actual: PING frame (Length: 8, Flags: 0)
            × Sends a HEADERS frame that contains a pseudo-header field that appears in a header block after a regular header field
              - The endpoint MUST respond with a stream error of type PROTOCOL_ERROR.
                Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                          RST_STREAM frame (ErrorCode: PROTOCOL_ERROR)
                          Connection close
                  Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
    
          8.1.2.2. Connection-Specific Header Fields
            × Sends a HEADERS frame that contains the connection-specific header field
              - The endpoint MUST respond with a stream error of type PROTOCOL_ERROR.
                Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                          RST_STREAM frame (ErrorCode: PROTOCOL_ERROR)
                          Connection close
                  Actual: PING frame (Length: 8, Flags: 0)
            × Sends a HEADERS frame that contains the TE header field that contain any value other than "trailers"
              - The endpoint MUST respond with a stream error of type PROTOCOL_ERROR.
                Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                          RST_STREAM frame (ErrorCode: PROTOCOL_ERROR)
                          Connection close
                  Actual: PING frame (Length: 8, Flags: 0)
    
          8.1.2.3. Request Pseudo-Header Fields
            × Sends a HEADERS frame that omits mandatory pseudo-header fields
              - The endpoint MUST respond with a stream error of type PROTOCOL_ERROR.
                Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                          RST_STREAM frame (ErrorCode: PROTOCOL_ERROR)
                          Connection close
                  Actual: PING frame (Length: 8, Flags: 0)
            × Sends a HEADERS frame containing more than one pseudo-header fields with the same name
              - The endpoint MUST respond with a stream error of type PROTOCOL_ERROR.
                Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                          RST_STREAM frame (ErrorCode: PROTOCOL_ERROR)
                          Connection close
                  Actual: PING frame (Length: 8, Flags: 0)
    
          8.1.2.6. Malformed Requests and Responses
            × Sends a HEADERS frame that contains the "content-length" header field which does not equal the sum of the DATA frame payload lengths
              - The endpoint MUST respond with a stream error of type PROTOCOL_ERROR.
                Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                          RST_STREAM frame (ErrorCode: PROTOCOL_ERROR)
                          Connection close
                  Actual: PING frame (Length: 8, Flags: 0)
            × Sends a HEADERS frame that contains the "content-length" header field which does not equal the sum of the multiple DATA frame payload lengths
              - The endpoint MUST respond with a stream error of type PROTOCOL_ERROR.
                Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                          RST_STREAM frame (ErrorCode: PROTOCOL_ERROR)
                          Connection close
                  Actual: PING frame (Length: 8, Flags: 0)
    
      8.2. Server Push
        × Sends a PUSH_PROMISE frame
          - The endpoint MUST treat the receipt of a PUSH_PROMISE frame as a connection error of type PROTOCOL_ERROR.
            Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                      Connection close
              Actual: GOAWAY frame (Length: 32, Flags: 0, ErrorCode: NO_ERROR)
    
    70 tests, 14 passed, 0 skipped, 56 failed
    
    ===============================================================================
    Failed tests
    ===============================================================================
    
      4.2. Frame Size
        × Sends large size frame that exceeds the SETTINGS_MAX_FRAME_SIZE
          - The endpoint MUST send a FRAME_SIZE_ERROR error.
            Expected: GOAWAY frame (ErrorCode: FRAME_SIZE_ERROR)
                      RST_STREAM frame (ErrorCode: FRAME_SIZE_ERROR)
                      Connection close
              Actual: PING frame (Length: 8, Flags: 0)
    
      4.3. Header Compression and Decompression
        × Sends invalid header block fragment
          - The endpoint MUST terminate the connection with a connection error of type COMPRESSION_ERROR.
            Expected: GOAWAY frame (ErrorCode: COMPRESSION_ERROR)
                      Connection close
              Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
        × Encodes Dynamic Table Size Update (RFC 7541, 6.3) after common header fields
          - The endpoint MUST terminate the connection with a connection error of type COMPRESSION_ERROR.
            Expected: GOAWAY frame (ErrorCode: COMPRESSION_ERROR)
                      Connection close
              Actual: PING frame (Length: 8, Flags: 0)
    
      5.1. Stream States
        × idle: Sends a DATA frame
          - The endpoint MUST treat this as a connection error (Section 5.4.1) of type PROTOCOL_ERROR.
            Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                      Connection close
              Actual: Test timeout
        × idle: Sends a RST_STREAM frame
          - The endpoint MUST treat this as a connection error (Section 5.4.1) of type PROTOCOL_ERROR.
            Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                      Connection close
              Actual: Test timeout
        × idle: Sends a WINDOW_UPDATE frame
          - The endpoint MUST treat this as a connection error (Section 5.4.1) of type PROTOCOL_ERROR.
            Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                      Connection close
              Actual: Test timeout
        × idle: Sends a CONTINUATION frame
          - The endpoint MUST treat this as a connection error (Section 5.4.1) of type PROTOCOL_ERROR.
            Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                      Connection close
              Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
        × half closed (remote): Sends a DATA frame
          - The endpoint MUST respond with a stream error (Section 5.4.2) of type STREAM_CLOSED.
            Expected: GOAWAY frame (ErrorCode: STREAM_CLOSED)
                      RST_STREAM frame (ErrorCode: STREAM_CLOSED)
                      Connection close
              Actual: PING frame (Length: 8, Flags: 0)
        × half closed (remote): Sends a HEADERS frame
          - The endpoint MUST respond with a stream error (Section 5.4.2) of type STREAM_CLOSED.
            Expected: GOAWAY frame (ErrorCode: STREAM_CLOSED)
                      RST_STREAM frame (ErrorCode: STREAM_CLOSED)
                      Connection close
              Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
        × half closed (remote): Sends a CONTINUATION frame
          - The endpoint MUST respond with a stream error (Section 5.4.2) of type STREAM_CLOSED.
            Expected: GOAWAY frame (ErrorCode: STREAM_CLOSED)
                      RST_STREAM frame (ErrorCode: STREAM_CLOSED)
                      GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                      RST_STREAM frame (ErrorCode: PROTOCOL_ERROR)
                      Connection close
              Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
        × closed: Sends a CONTINUATION frame
          - The endpoint MUST treat this as a stream error (Section 5.4.2) of type STREAM_CLOSED.
            Expected: GOAWAY frame (ErrorCode: STREAM_CLOSED)
                      RST_STREAM frame (ErrorCode: STREAM_CLOSED)
                      GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                      RST_STREAM frame (ErrorCode: PROTOCOL_ERROR)
                      Connection close
              Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
    
        5.1.2. Stream Concurrency
          × Sends HEADERS frames that causes their advertised concurrent stream limit to be exceeded
            - The endpoint MUST treat this as a stream error (Section 5.4.2) of type PROTOCOL_ERROR or REFUSED_STREAM
              Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                        RST_STREAM frame (ErrorCode: PROTOCOL_ERROR)
                        GOAWAY frame (ErrorCode: REFUSED_STREAM)
                        RST_STREAM frame (ErrorCode: REFUSED_STREAM)
                        Connection close
                Actual: HEADERS frame (Length: 21, Flags: 4)
    
      5.3. Stream Priority
        5.3.1. Stream Dependencies
          × Sends HEADERS frame that depend on itself
            - The endpoint MUST treat this as a stream error of type PROTOCOL_ERROR
              Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                        RST_STREAM frame (ErrorCode: PROTOCOL_ERROR)
                        Connection close
                Actual: PING frame (Length: 8, Flags: 0)
          × Sends PRIORITY frame that depend on itself
            - The endpoint MUST treat this as a stream error of type PROTOCOL_ERROR
              Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                        RST_STREAM frame (ErrorCode: PROTOCOL_ERROR)
                        Connection close
                Actual: Test timeout
    
      5.5. Extending HTTP/2
        × Sends an unknown extension frame in the middle of a header block
          - The endpoint MUST treat as a connection error of type PROTOCOL_ERROR.
            Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                      Connection close
              Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
    
      6.1. DATA
        × Sends a DATA frame with 0x0 stream identifier
          - The endpoint MUST respond with a connection error of type PROTOCOL_ERROR.
            Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                      Connection close
              Actual: Test timeout
        × Sends a DATA frame on the stream that is not opend
          - The endpoint MUST respond with a stream error of type STREAM_CLOSED.
            Expected: GOAWAY frame (ErrorCode: STREAM_CLOSED)
                      RST_STREAM frame (ErrorCode: STREAM_CLOSED)
                      Connection close
              Actual: PING frame (Length: 8, Flags: 0)
        × Sends a DATA frame with invalid pad length
          - The endpoint MUST treat this as a connection error of type PROTOCOL_ERROR.
            Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                      RST_STREAM frame (ErrorCode: PROTOCOL_ERROR)
                      Connection close
              Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
    
      6.2. HEADERS
        × Sends a HEADERS frame followed by any frame other than CONTINUATION
          - The endpoint MUST treat the receipt of any other type of frame as a connection error of type PROTOCOL_ERROR.
            Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                      Connection close
              Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
        × Sends a HEADERS frame followed by a frame on a different stream
          - The endpoint MUST treat the receipt of a frame on a different stream as a connection error of type PROTOCOL_ERROR.
            Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                      Connection close
              Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
        × Sends a HEADERS frame with 0x0 stream identifier
          - The endpoint MUST respond with a connection error of type PROTOCOL_ERROR.
            Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                      Connection close
              Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
        × Sends a HEADERS frame with invalid pad length
          - The endpoint MUST treat this as a connection error of type PROTOCOL_ERROR.
            Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                      Connection close
              Actual: Test timeout
    
      6.3. PRIORITY
        × Sends a PRIORITY frame with 0x0 stream identifier
          - The endpoint MUST respond with a connection error of type PROTOCOL_ERROR.
            Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                      Connection close
              Actual: PING frame (Length: 8, Flags: 0)
        × Sends a PRIORITY frame with a length other than 5 octets
          - The endpoint MUST respond with a stream error of type FRAME_SIZE_ERROR.
            Expected: GOAWAY frame (ErrorCode: FRAME_SIZE_ERROR)
                      RST_STREAM frame (ErrorCode: FRAME_SIZE_ERROR)
                      Connection close
              Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
    
      6.4. RST_STREAM
        × Sends a RST_STREAM frame with 0x0 stream identifier
          - The endpoint MUST respond with a connection error of type PROTOCOL_ERROR.
            Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                      Connection close
              Actual: Test timeout
        × Sends a RST_STREAM frame on a idle stream
          - The endpoint MUST respond with a connection error of type PROTOCOL_ERROR.
            Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                      Connection close
              Actual: Test timeout
        × Sends a RST_STREAM frame with a length other than 4 octets
          - The endpoint MUST respond with a connection error of type FRAME_SIZE_ERROR.
            Expected: GOAWAY frame (ErrorCode: FRAME_SIZE_ERROR)
                      Connection close
              Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
    
      6.5. SETTINGS
        × Sends a SETTINGS frame that is not a zero-length with ACK flag
          - The endpoint MUST respond with a connection error of type FRAME_SIZE_ERROR.
            Expected: GOAWAY frame (ErrorCode: FRAME_SIZE_ERROR)
                      Connection close
              Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
        × Sends a SETTINGS frame with the stream identifier that is not 0x0
          - The endpoint MUST respond with a connection error of type PROTOCOL_ERROR.
            Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                      Connection close
              Actual: SETTINGS frame (Length: 0, Flags: 1)
        × Sends a SETTINGS frame with a length other than a multiple of 6 octets
          - The endpoint MUST respond with a connection error of type FRAME_SIZE_ERROR.
            Expected: GOAWAY frame (ErrorCode: FRAME_SIZE_ERROR)
                      Connection close
              Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
    
        6.5.2. Defined SETTINGS Parameters
          × SETTINGS_ENABLE_PUSH (0x2): Sends the value other than 0 or 1
            - The endpoint MUST respond with a connection error of type PROTOCOL_ERROR.
              Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                        Connection close
                Actual: SETTINGS frame (Length: 0, Flags: 1)
          × SETTINGS_INITIAL_WINDOW_SIZE (0x4): Sends the value above the maximum flow control window size
            - The endpoint MUST respond with a connection error of type FLOW_CONTROL_ERROR.
              Expected: GOAWAY frame (ErrorCode: FLOW_CONTROL_ERROR)
                        Connection close
                Actual: GOAWAY frame (Length: 35, Flags: 0, ErrorCode: NO_ERROR)
          × SETTINGS_MAX_FRAME_SIZE (0x5): Sends the value below the initial value
            - The endpoint MUST respond with a connection error of type PROTOCOL_ERROR.
              Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                        Connection close
                Actual: SETTINGS frame (Length: 0, Flags: 1)
          × SETTINGS_MAX_FRAME_SIZE (0x5): Sends the value above the maximum allowed frame size
            - The endpoint MUST respond with a connection error of type PROTOCOL_ERROR.
              Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                        Connection close
                Actual: SETTINGS frame (Length: 0, Flags: 1)
    
      6.7. PING
        × Sends a PING frame with a length field value other than 8
          - The endpoint MUST respond with a connection error of type FRAME_SIZE_ERROR.
            Expected: GOAWAY frame (ErrorCode: FRAME_SIZE_ERROR)
                      Connection close
              Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
    
      6.8. GOAWAY
        × Sends a GOAWAY frame with the stream identifier that is not 0x0
          - The endpoint MUST respond with a connection error of type PROTOCOL_ERROR.
            Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                      Connection close
              Actual: Test timeout
    
      6.9. WINDOW_UPDATE
        × Sends a WINDOW_UPDATE frame with a length other than a multiple of 4 octets
          - The endpoint MUST respond with a connection error of type FRAME_SIZE_ERROR.
            Expected: GOAWAY frame (ErrorCode: FRAME_SIZE_ERROR)
                      Connection close
              Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
    
        6.9.1. The Flow Control Window
          × Sends multiple WINDOW_UPDATE frames on a connection increasing the flow control window to above 2^31-1
            - The endpoint MUST sends a GOAWAY frame with a FLOW_CONTROL_ERROR code.
              Expected: GOAWAY frame (ErrorCode: FLOW_CONTROL_ERROR)
                Actual: Test timeout
    
        6.9.2. Initial Flow Control Window Size
          × Sends a SETTINGS_INITIAL_WINDOW_SIZE settings with an exceeded maximum window size value
            - The endpoint MUST respond with a connection error of type FLOW_CONTROL_ERROR.
              Expected: GOAWAY frame (ErrorCode: FLOW_CONTROL_ERROR)
                        Connection close
                Actual: GOAWAY frame (Length: 35, Flags: 0, ErrorCode: NO_ERROR)
    
      6.10. CONTINUATION
        × Sends multiple CONTINUATION frames
          - The endpoint must accept the frames.
            Expected: HEADERS frame
              Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
        × Sends a CONTINUATION frame followed by any frame other than CONTINUATION
          - The endpoint MUST treat as a connection error of type PROTOCOL_ERROR.
            Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                      Connection close
              Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
        × Sends a CONTINUATION frame followed by a frame on a different stream
          - The endpoint MUST treat as a connection error of type PROTOCOL_ERROR.
            Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                      Connection close
              Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
        × Sends a CONTINUATION frame with the stream identifier that is 0x0
          - The endpoint MUST treat as a connection error of type PROTOCOL_ERROR.
            Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                      Connection close
              Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
        × Sends a CONTINUATION frame after the frame other than HEADERS, PUSH_PROMISE or CONTINUATION
          - The endpoint MUST treat as a connection error of type PROTOCOL_ERROR.
            Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                      Connection close
              Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
    
      8.1. HTTP Request/Response Exchange
        × Sends a HEADERS frame containing trailer part
          - The endpoint should respond with HEADERS frame.
            Expected: HEADERS frame (Flags: 1)
              Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
    
        8.1.2. HTTP Header Fields
          × Sends a HEADERS frame that contains the header field name in uppercase letters
            - The endpoint MUST respond with a stream error of type PROTOCOL_ERROR.
              Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                        RST_STREAM frame (ErrorCode: PROTOCOL_ERROR)
                        Connection close
                Actual: PING frame (Length: 8, Flags: 0)
    
          8.1.2.1. Pseudo-Header Fields
            × Sends a HEADERS frame that contains the pseudo-header field defined for response
              - The endpoint MUST respond with a stream error of type PROTOCOL_ERROR.
                Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                          RST_STREAM frame (ErrorCode: PROTOCOL_ERROR)
                          Connection close
                  Actual: PING frame (Length: 8, Flags: 0)
            × Sends a HEADERS frame that contains the invalid pseudo-header field
              - The endpoint MUST respond with a stream error of type PROTOCOL_ERROR.
                Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                          RST_STREAM frame (ErrorCode: PROTOCOL_ERROR)
                          Connection close
                  Actual: PING frame (Length: 8, Flags: 0)
            × Sends a HEADERS frame that contains a pseudo-header field that appears in a header block after a regular header field
              - The endpoint MUST respond with a stream error of type PROTOCOL_ERROR.
                Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                          RST_STREAM frame (ErrorCode: PROTOCOL_ERROR)
                          Connection close
                  Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
    
          8.1.2.2. Connection-Specific Header Fields
            × Sends a HEADERS frame that contains the connection-specific header field
              - The endpoint MUST respond with a stream error of type PROTOCOL_ERROR.
                Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                          RST_STREAM frame (ErrorCode: PROTOCOL_ERROR)
                          Connection close
                  Actual: PING frame (Length: 8, Flags: 0)
            × Sends a HEADERS frame that contains the TE header field that contain any value other than "trailers"
              - The endpoint MUST respond with a stream error of type PROTOCOL_ERROR.
                Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                          RST_STREAM frame (ErrorCode: PROTOCOL_ERROR)
                          Connection close
                  Actual: PING frame (Length: 8, Flags: 0)
    
          8.1.2.3. Request Pseudo-Header Fields
            × Sends a HEADERS frame that omits mandatory pseudo-header fields
              - The endpoint MUST respond with a stream error of type PROTOCOL_ERROR.
                Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                          RST_STREAM frame (ErrorCode: PROTOCOL_ERROR)
                          Connection close
                  Actual: PING frame (Length: 8, Flags: 0)
            × Sends a HEADERS frame containing more than one pseudo-header fields with the same name
              - The endpoint MUST respond with a stream error of type PROTOCOL_ERROR.
                Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                          RST_STREAM frame (ErrorCode: PROTOCOL_ERROR)
                          Connection close
                  Actual: PING frame (Length: 8, Flags: 0)
    
          8.1.2.6. Malformed Requests and Responses
            × Sends a HEADERS frame that contains the "content-length" header field which does not equal the sum of the DATA frame payload lengths
              - The endpoint MUST respond with a stream error of type PROTOCOL_ERROR.
                Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                          RST_STREAM frame (ErrorCode: PROTOCOL_ERROR)
                          Connection close
                  Actual: PING frame (Length: 8, Flags: 0)
            × Sends a HEADERS frame that contains the "content-length" header field which does not equal the sum of the multiple DATA frame payload lengths
              - The endpoint MUST respond with a stream error of type PROTOCOL_ERROR.
                Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                          RST_STREAM frame (ErrorCode: PROTOCOL_ERROR)
                          Connection close
                  Actual: PING frame (Length: 8, Flags: 0)
    
      8.2. Server Push
        × Sends a PUSH_PROMISE frame
          - The endpoint MUST treat the receipt of a PUSH_PROMISE frame as a connection error of type PROTOCOL_ERROR.
            Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                      Connection close
              Actual: GOAWAY frame (Length: 32, Flags: 0, ErrorCode: NO_ERROR)
    
     
    Last edited: Aug 13, 2015
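The h2spec run above is worth reading frame by frame: on almost every malformed input the alpha patch answers with a GOAWAY carrying NO_ERROR (indistinguishable from a graceful shutdown) or with an unrelated PING, rather than the PROTOCOL_ERROR, FRAME_SIZE_ERROR or FLOW_CONTROL_ERROR code RFC 7540 requires. The following script is an added example, not code from the forum post, from h2spec or from nginx. It implements the RFC 7540 frame header, builds three of the probes h2spec sends (PING with a 9-octet payload, SETTINGS on a non-zero stream, SETTINGS_ENABLE_PUSH=2) and renders the reply in the same "Actual:" format so results can be compared line for line with the output above. The function names, the `PROBES` table and the 3-second read timeout are this example's own choices; the frame type numbers and error codes are taken from RFC 7540 sections 6 and 7.

```python
"""Minimal HTTP/2 framing (RFC 7540 sections 4.1, 6 and 7) to reproduce
three of the h2spec probes and classify a server's reply the way
h2spec's "Actual:" line does.  Added example; not code from the forum
post, h2spec or nginx.  Run: python h2probe.py <host>"""
import socket
import ssl
import struct
import sys

PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
DATA, HEADERS, PRIORITY, RST_STREAM, SETTINGS = 0, 1, 2, 3, 4
PUSH_PROMISE, PING, GOAWAY, WINDOW_UPDATE, CONTINUATION = 5, 6, 7, 8, 9
FRAME_NAMES = ["DATA", "HEADERS", "PRIORITY", "RST_STREAM", "SETTINGS",
               "PUSH_PROMISE", "PING", "GOAWAY", "WINDOW_UPDATE", "CONTINUATION"]
ERROR_CODES = ["NO_ERROR", "PROTOCOL_ERROR", "INTERNAL_ERROR",
               "FLOW_CONTROL_ERROR", "SETTINGS_TIMEOUT", "STREAM_CLOSED",
               "FRAME_SIZE_ERROR", "REFUSED_STREAM", "CANCEL",
               "COMPRESSION_ERROR", "CONNECT_ERROR", "ENHANCE_YOUR_CALM",
               "INADEQUATE_SECURITY", "HTTP_1_1_REQUIRED"]


def encode_frame(ftype, flags, stream_id, payload=b""):
    """9-octet header: 24-bit length, 8-bit type, 8-bit flags, R bit + 31-bit stream id."""
    if len(payload) >= 1 << 24:
        raise ValueError("payload exceeds 2^24-1 octets")
    header = struct.pack("!I", len(payload))[1:]            # low 3 bytes of the length
    header += struct.pack("!BBI", ftype, flags, stream_id & 0x7FFFFFFF)
    return header + payload


def decode_frames(data):
    """Split a byte stream into (type, flags, stream_id, payload); stop at a partial frame."""
    frames, pos = [], 0
    while pos + 9 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags, stream_id = struct.unpack("!BBI", data[pos + 3:pos + 9])
        end = pos + 9 + length
        if end > len(data):
            break
        frames.append((ftype, flags, stream_id & 0x7FFFFFFF, data[pos + 9:end]))
        pos = end
    return frames


# Probes mirroring three h2spec cases the alpha patch failed, paired with the
# error code RFC 7540 requires in the GOAWAY (or RST_STREAM) that must follow.
PROBES = {
    "6.7 PING with 9-octet payload":
        (encode_frame(PING, 0, 0, b"\x00" * 9), "FRAME_SIZE_ERROR"),
    "6.5 SETTINGS on stream 1":
        (encode_frame(SETTINGS, 0, 1), "PROTOCOL_ERROR"),
    "6.5.2 SETTINGS_ENABLE_PUSH = 2":
        (encode_frame(SETTINGS, 0, 0, struct.pack("!HI", 0x2, 2)), "PROTOCOL_ERROR"),
}


def describe(frame):
    """Render one decoded frame in the format of h2spec's 'Actual:' line."""
    ftype, flags, _, payload = frame
    name = FRAME_NAMES[ftype] if ftype < len(FRAME_NAMES) else "UNKNOWN(0x%x)" % ftype
    code = None
    if ftype == GOAWAY and len(payload) >= 8:
        code = struct.unpack("!I", payload[4:8])[0]         # follows the 31-bit last-stream-id
    elif ftype == RST_STREAM and len(payload) == 4:
        code = struct.unpack("!I", payload)[0]
    if code is None:
        return "%s frame (Length: %d, Flags: %d)" % (name, len(payload), flags)
    code_name = ERROR_CODES[code] if code < len(ERROR_CODES) else "0x%x" % code
    return "%s frame (Length: %d, Flags: %d, ErrorCode: %s)" % (name, len(payload), flags, code_name)


def verdict(reply, expected_code):
    """(passed, description) for a server's reply to one probe.

    The server's own connection preface (its initial SETTINGS and any stream-0
    WINDOW_UPDATE) is skipped; the first frame after that is the reaction to the
    probe and passes only if it is a GOAWAY/RST_STREAM carrying expected_code.
    An empty reply means the peer closed the connection without saying why."""
    for frame in decode_frames(reply):
        ftype, flags, sid, _ = frame
        if (ftype == SETTINGS and not flags & 0x1) or (ftype == WINDOW_UPDATE and sid == 0):
            continue
        text = describe(frame)
        return text.endswith("ErrorCode: %s)" % expected_code), text
    if not reply:
        return False, "Connection close"
    return False, "no frame beyond the server preface"


def run_probe(host, probe, port=443, timeout=3.0):
    """Send preface + empty SETTINGS + probe over TLS with ALPN 'h2'; return the raw reply."""
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(["h2"])
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            if tls.selected_alpn_protocol() != "h2":
                raise RuntimeError("%s did not negotiate h2 via ALPN" % host)
            tls.sendall(PREFACE + encode_frame(SETTINGS, 0, 0) + probe)
            reply = b""
            try:
                while True:
                    chunk = tls.recv(65536)
                    if not chunk:
                        break                               # clean close by the server
                    reply += chunk
            except (socket.timeout, ConnectionError):
                pass                                        # no more frames, or a TCP reset
            return reply


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: python h2probe.py <host>")
    for label, (probe, expected) in PROBES.items():
        ok, seen = verdict(run_probe(sys.argv[1], probe), expected)
        print("%s %s\n    Expected: GOAWAY frame (ErrorCode: %s)\n      Actual: %s"
              % ("✓" if ok else "×", label, expected, seen))
```

Point it at a server and the three results print in the same shape as the h2spec listing, so a "GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)" after the PING probe reproduces the 6.7 failure above. The error code matters beyond conformance: a GOAWAY with NO_ERROR is what a server sends for an orderly shutdown, so a client, proxy or IDS watching the connection cannot tell a malformed frame being rejected from a routine close, and the malformed input never shows up as an error anywhere.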
  6. eva2000

    eva2000 Administrator Staff Member

    Doing cipherscan and testssl tests against centminmod.com running HTTP/2 patched Nginx

    Code:
    cipherscan centminmod.com:443
    .....................
    Target: centminmod.com:443
    
    prio  ciphersuite                  protocols              pfs                 curves
    1     ECDHE-RSA-CHACHA20-POLY1305  TLSv1.2                ECDH,P-256,256bits  prime256v1
    2     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-256,256bits  prime256v1
    3     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,P-256,256bits  prime256v1
    4     DHE-RSA-AES128-GCM-SHA256    TLSv1.2                DH,2048bits         None
    5     DHE-RSA-AES256-GCM-SHA384    TLSv1.2                DH,2048bits         None
    6     ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,P-256,256bits  prime256v1
    7     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
    8     ECDHE-RSA-AES256-SHA384      TLSv1.2                ECDH,P-256,256bits  prime256v1
    9     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
    10    DHE-RSA-AES128-SHA256        TLSv1.2                DH,2048bits         None
    11    DHE-RSA-AES128-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,2048bits         None
    12    DHE-RSA-AES256-SHA256        TLSv1.2                DH,2048bits         None
    13    DHE-RSA-AES256-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,2048bits         None
    14    AES128-GCM-SHA256            TLSv1.2                None                None
    15    AES256-GCM-SHA384            TLSv1.2                None                None
    16    AES128-SHA256                TLSv1.2                None                None
    17    AES256-SHA256                TLSv1.2                None                None
    18    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
    19    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
    20    DES-CBC3-SHA                 TLSv1,TLSv1.1,TLSv1.2  None                None
    
    Certificate: trusted, 2048 bit, sha256WithRSAEncryption signature
    TLS ticket lifetime hint: 3600
    OCSP stapling: supported
    Cipher ordering: server
    
    Fallbacks required:
    big-SSLv3 config not supported, connection failed
    big-TLSv1.0 no fallback req, connected: TLSv1 ECDHE-RSA-AES128-SHA
    big-TLSv1.1 no fallback req, connected: TLSv1.1 ECDHE-RSA-AES128-SHA
    big-TLSv1.2 no fallback req, connected: TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305
    Code:
    testssl centminmod.com:443       
    No mapping file found
    
    ###########################################################
        testssl       2.6rc1 from https://testssl.sh/dev/
        (1.343 2015/08/12 11:58:44)
    
          This program is free software. Distribution and
                 modification under GPLv2 permitted.
          USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!
    
           Please file bugs @ https://testssl.sh/bugs/
    
    ###########################################################
    
    Using "OpenSSL 1.0.2-chacha (1.0.2e-dev)" [~181 ciphers] on
    43b1c7a4c5d5:/usr/local/http2-15/bin/openssl
    (built: "reproducible build, date unspecified", platform: "linux-x86_64")
    
    
    Testing now (2015-08-13 09:56) ---> 162.211.65.18:443 (centminmod.com) <---
    
    rDNS (162.211.65.18):   centminmod.com.
    Service detected:       HTTP
    
    --> Testing protocols (via sockets except TLS 1.2 and SPDY/NPN)
    
    SSLv2      not offered (OK)
    SSLv3      not offered (OK)
    TLS 1      offered
    TLS 1.1    offered
    TLS 1.2    offered (OK)
    SPDY/NPN   http/1.1 (advertised)
    
    --> Testing ~standard cipher lists
    
    Null Ciphers                 not offered (OK)
    Anonymous NULL Ciphers       not offered (OK)
    Anonymous DH Ciphers         not offered (OK)
    40 Bit encryption            not offered (OK)
    56 Bit encryption            not offered (OK)
    Export Ciphers (general)     not offered (OK)
    Low (<=64 Bit)               not offered (OK)
    DES Ciphers                  not offered (OK)
    Medium grade encryption      not offered (OK)
    Triple DES Ciphers           offered (NOT ok)
    High grade encryption        offered (OK)
    
    --> Testing (perfect) forward secrecy, (P)FS -- omitting 3DES, RC4 and Null Encryption here
    
    PFS is offered (OK) ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA
    
    --> Testing server preferences
    
    Has server cipher order?     yes (OK)
    Negotiated protocol          TLSv1.2
    Negotiated cipher            ECDHE-RSA-CHACHA20-POLY1305, 256 bit ECDH
    Cipher order
         TLSv1:     ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA AES128-SHA AES256-SHA DES-CBC3-SHA
         TLSv1.1:   ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA AES128-SHA AES256-SHA DES-CBC3-SHA
         TLSv1.2:   ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA DES-CBC3-SHA
         http/1.1:  ECDHE-RSA-CHACHA20-POLY1305
    
    --> Testing server defaults (Server Hello)
    
    TLS server extensions        renegotiation info, EC point formats, session ticket, status request
    Session Tickets RFC 5077     3600 seconds
    Server key size              2048 bit
    Signature Algorithm          SHA256 with RSA
    Fingerprint / Serial         SHA1 8CCB5CAA6066F2321A6FE8ED37920B7687CFBE39 / 623CBC1C62FD9C08BD83C9F033B009C8
                                  SHA256 F9B041F7F6ACB1503FB68592B7F0B972D47683402DA2A5D30BAFCF9B70405E88
    Common Name (CN)             *.centminmod.com (CN in response to request w/o SNI: *.centminmod.com)
    subjectAltName (SAN)         *.centminmod.com centminmod.com
    Issuer                       COMODO RSA Domain Validation Secure Server CA (COMODO CA Limited from GB)
    EV cert (experimental)       no
    Certificate Expiration       >= 60 days (2014-08-14 00:00 --> 2017-08-13 23:59 +0000)
    # of certificates provided   3
    Certificate Revocation List  http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl
    OCSP URI                     http://ocsp.comodoca.com
    OCSP stapling                offered
    TLS timestamp                random values, no fingerprinting possible
    
    
    --> Testing HTTP header response @ "/"
    
    HTTP Status Code             200 OK
    HTTP clock skew              0 sec from localtime
    Strict Transport Security    --
    Public Key Pinning           --
    Server banner                nginx centminmod
    Application banner           --
    Cookie(s)                    (none issued at "/")
    Security headers             --
    Reverse Proxy banner        --
    
    --> Testing vulnerabilities
    
    Heartbleed (CVE-2014-0160)                not vulnerable (OK)
    CCS (CVE-2014-0224)                       not vulnerable (OK)
    Secure Renegotiation (CVE 2009-3555)      not vulnerable (OK)
    Secure Client-Initiated Renegotiation     not vulnerable (OK)
    CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
    BREACH (CVE-2013-3587)                    NOT ok: uses gzip HTTP compression (only "/" tested)
    POODLE, SSL (CVE-2014-3566)               not vulnerable (OK)
    TLS_FALLBACK_SCSV (RFC 7507)              Downgrade attack prevention supported (OK)
    FREAK (CVE-2015-0204), experimental       not vulnerable (OK)
    LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK), common primes not checked. "testssl -E" spots candidates
    BEAST (CVE-2011-3389)                     TLS1: DES-CBC3-SHA
                                               -- but also supports higher protocols (possible mitigation): TLSv1.1 TLSv1.2
    RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)
    
    --> Testing all locally available 181 ciphers against the server, ordered by encryption strength
    
    Hexcode  Cipher Suite Name (OpenSSL)    KeyExch.   Encryption Bits        Cipher Suite Name (RFC)
    -----------------------------------------------------------------------------------------------------------------------
    xcc13   ECDHE-RSA-CHACHA20-POLY1305    ECDH 256   ChaCha20   256       
    xc030   ECDHE-RSA-AES256-GCM-SHA384    ECDH 256   AESGCM     256       
    xc028   ECDHE-RSA-AES256-SHA384        ECDH 256   AES        256       
    xc014   ECDHE-RSA-AES256-SHA           ECDH 256   AES        256       
    x9f     DHE-RSA-AES256-GCM-SHA384      DH 2048    AESGCM     256       
    x6b     DHE-RSA-AES256-SHA256          DH 2048    AES        256       
    x39     DHE-RSA-AES256-SHA             DH 2048    AES        256       
    x9d     AES256-GCM-SHA384              RSA        AESGCM     256       
    x3d     AES256-SHA256                  RSA        AES        256       
    x35     AES256-SHA                     RSA        AES        256       
    xc02f   ECDHE-RSA-AES128-GCM-SHA256    ECDH 256   AESGCM     128       
    xc027   ECDHE-RSA-AES128-SHA256        ECDH 256   AES        128       
    xc013   ECDHE-RSA-AES128-SHA           ECDH 256   AES        128       
    x9e     DHE-RSA-AES128-GCM-SHA256      DH 2048    AESGCM     128       
    x67     DHE-RSA-AES128-SHA256          DH 2048    AES        128       
    x33     DHE-RSA-AES128-SHA             DH 2048    AES        128       
    x9c     AES128-GCM-SHA256              RSA        AESGCM     128       
    x3c     AES128-SHA256                  RSA        AES        128       
    x2f     AES128-SHA                     RSA        AES        128       
    x0a     DES-CBC3-SHA                   RSA        3DES       168          
     
  7. eva2000

    Actually, if you look at H2Check's usage share of the top-ranking Alexa sites, all the top sites are detected with h2-14 or h2-15 (the HTTP/2 draft 14 or 15 protocol) but none with the final h2 protocol, which google.com supports as well as the drafts. So it could be a case of h2check.org not checking for h2?

    Code:
     nghttp -nv https://google.com:443
    [  0.026] Connected
    The negotiated protocol: h2
     
  8. eva2000

    Last edited: Aug 14, 2015
  9. eva2000

  10. eva2000

  11. eva2000

    Heads up: version 2 of the Nginx HTTP/2 patch was released (Index of /patches/http2/) :)

    Code:
    2015-08-14 Version 2 (NGINX 1.9.3)
    - Introduced NPN support for HTTP/2 negotiation (this reduces OpenSSL version
       requirement to 1.0.1+);
    - Various fixes in the prioritization mechanism;
    - Fixed missing "Location" response header in some configurations;
    - Fixed processing of the ":authority" pseudo-header (the HTTP/2 analog of
       the "Host" header).
    
    2015-08-05 Version 1 (NGINX 1.9.3)
    The first public alpha release.
    Centmin Mod 123.09beta01 has been updated to ensure the latest Nginx patch is applied each time you run the Nginx upgrade/recompile via centmin.sh menu option 4:
    update inc/nginx_upgrade.inc ensure latest HTTP/2 patch applied · centminmod/centminmod@26a6138 · GitHub

    Nginx HTTP/2 version 2 patch fixed my Nginx HTTP/2 + ngx_pagespeed issues !

    Working now :)

    Code:
    nghttp -nas https://centminmod.com:443
    ***** Statistics *****
    
    Request timing:
      responseEnd: the  time  when  last  byte of  response  was  received
                   relative to connectEnd
    requestStart: the time  just before  first byte  of request  was sent
                   relative  to connectEnd.   If  '*' is  shown, this  was
                   pushed by server.
          process: responseEnd - requestStart
             code: HTTP status code
             size: number  of  bytes  received as  response  body  without
                   inflation.
              URI: request URI
    
    see http://www.w3.org/TR/resource-timing/#processing-model
    
    sorted by 'complete'
    
    id  responseEnd requestStart  process code size request path
    13    +80.22ms       +532us  79.69ms  200  29K /
    15    +91.08ms     +66.98ms  24.10ms  200   9K /img/favicon.ico
    17   +125.17ms     +66.99ms  58.18ms  200  60K /css/A.localfonts.css+font-awesome.min.css+bootstrap.min.css+hover-dropdown-menu.css+icons-set8.css+animate.min.css+style.css+responsive.css+color.css,Mcc.FHj-r4A0cI.css.pagespeed.cf.YOn5Xvomna.css
    21   +141.41ms     +66.99ms  74.42ms  200   7K /js/hover-dropdown-menu.js+jquery.hover-dropdown-menu-addon.js+jquery.easing.1.3.js.pagespeed.jc.vy5S6wKQse.js
    25   +156.83ms     +67.03ms  89.81ms  200   6K /js/custom.js.pagespeed.jm.q-StvNlmtR.js
    19   +157.11ms     +66.99ms  90.11ms  200  38K /js/jquery.min.js+bootstrap.min.js.pagespeed.jc.Cd39AMnoIp.js
    23   +157.12ms     +67.02ms  90.09ms  200  24K /js/bootstrapValidator.min.js.pagespeed.jm.YU3KUlvaHb.js   
     
    Last edited: Aug 15, 2015
  12. eva2000

  13. rdan

    Looks like SPDY is still much faster?
     
  14. eva2000

    Maybe, if you're looking at the ngx_pagespeed-enabled numbers for the Nginx HTTP/2 v2 patch vs SPDY/3.1. Probably need more successive/repeat tests for more accurate numbers, given how ngx_pagespeed operates. The non-ngx_pagespeed numbers are very close: Nginx HTTP/2 v2 patch 4.891s vs SPDY/3.1 4.876s.
     
  15. eva2000

    FYI, Nginx 1.9.4 seems to work fine with the Nginx HTTP/2 alpha patch for 1.9.3 :)
     
  16. eva2000

    Nginx HTTP/2 patch version 3 (Re: HTTP/2: response is not gzip-compressed)

    Code:
    2015-08-19 Version 3 (NGINX 1.9.4)
    - The gzip and gzip_static modules might not work with HTTP/2 requests;
    - Fixed processing of Cookie headers.
    
    2015-08-14 Version 2 (NGINX 1.9.3)
    - Introduced NPN support for HTTP/2 negotiation (this reduces OpenSSL version
       requirement to 1.0.1+);
    - Various fixes in the prioritization mechanism;
    - Fixed missing "Location" response header in some configurations;
    - Fixed processing of the ":authority" pseudo-header (the HTTP/2 analog of
       the "Host" header).
    
    2015-08-05 Version 1 (NGINX 1.9.3)
    The first public alpha release.
     
  17. eva2000

    Not sure if OCSP stapling is working with the Nginx HTTP/2 patch? The testssl tests report OCSP stapling as not offered, but SSL Labs says yes to OCSP.

    Code:
    testssl https://centminmod.com:443
    Code:
    --> Testing protocols (via sockets except TLS 1.2 and SPDY/NPN)
    
    SSLv2      not offered (OK)
    SSLv3      not offered (OK)
    TLS 1      offered
    TLS 1.1    offered
    TLS 1.2    offered (OK)
    SPDY/NPN   h2, http/1.1 (advertised)
    
    --> Testing ~standard cipher lists
    
    Null Ciphers                 not offered (OK)
    Anonymous NULL Ciphers       not offered (OK)
    Anonymous DH Ciphers         not offered (OK)
    40 Bit encryption            not offered (OK)
    56 Bit encryption            not offered (OK)
    Export Ciphers (general)     not offered (OK)
    Low (<=64 Bit)               not offered (OK)
    DES Ciphers                  not offered (OK)
    Medium grade encryption      not offered (OK)
    Triple DES Ciphers           not offered (OK)
    High grade encryption        offered (OK)
    
    --> Testing (perfect) forward secrecy, (P)FS -- omitting 3DES, RC4 and Null Encryption here
    
    PFS is offered (OK) ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA
    
    --> Testing server preferences
    
    Has server cipher order?     yes (OK)
    Negotiated protocol          TLSv1.2
    Negotiated cipher            ECDHE-RSA-CHACHA20-POLY1305, 256 bit ECDH
    Cipher order
         TLSv1:     ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA AES128-SHA AES256-SHA
         TLSv1.1:   ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA AES128-SHA AES256-SHA
         TLSv1.2:   ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA
         h2:        ECDHE-RSA-CHACHA20-POLY1305
         http/1.1:  ECDHE-RSA-CHACHA20-POLY1305
    
    Code:
    --> Testing server defaults (Server Hello)
    
    TLS server extensions        renegotiation info, EC point formats, session ticket
    Session Tickets RFC 5077     3600 seconds
    Server key size              2048 bit
    Signature Algorithm          SHA256 with RSA
    Fingerprint / Serial         SHA1 8CCB5CAA6066F2321A6FE8ED37920B7687CFBE39 / 623CBC1C62FD9C08BD83C9F033B009C8
                                  SHA256 F9B041F7F6ACB1503FB68592B7F0B972D47683402DA2A5D30BAFCF9B70405E88
    Common Name (CN)             *.centminmod.com (CN in response to request w/o SNI: *.centminmod.com)
    subjectAltName (SAN)         *.centminmod.com centminmod.com
    Issuer                       COMODO RSA Domain Validation Secure Server CA (COMODO CA Limited from GB)
    EV cert (experimental)       no
    Certificate Expiration       >= 60 days (2014-08-14 00:00 --> 2017-08-13 23:59 +0000)
    # of certificates provided   3
    Certificate Revocation List  http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl
    OCSP URI                     http://ocsp.comodoca.com
    OCSP stapling                not offered
    TLS timestamp                random values, no fingerprinting possible
    
    
    --> Testing HTTP header response @ "/"
    
    HTTP Status Code             200 OK
    HTTP clock skew              0 sec from localtime
    Strict Transport Security    --
    Public Key Pinning           --
    Server banner                nginx centminmod
    Application banner           --
    Cookie(s)                    (none issued at "/")
    Security headers             --
    Reverse Proxy banner        --
    
    --> Testing vulnerabilities
    
    Heartbleed (CVE-2014-0160)                not vulnerable (OK)
    CCS (CVE-2014-0224)                       not vulnerable (OK)
    Secure Renegotiation (CVE 2009-3555)      not vulnerable (OK)
    Secure Client-Initiated Renegotiation     not vulnerable (OK)
    CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
    BREACH (CVE-2013-3587)                    NOT ok: uses gzip HTTP compression (only "/" tested)
    POODLE, SSL (CVE-2014-3566)               not vulnerable (OK)
    TLS_FALLBACK_SCSV (RFC 7507)              Downgrade attack prevention supported (OK)
    FREAK (CVE-2015-0204), experimental       not vulnerable (OK)
    LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK), common primes not checked. "testssl -E" spots candidates
    BEAST (CVE-2011-3389)                     no CBC ciphers for TLS1 (OK)
    RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)
    
    --> Testing all locally available 181 ciphers against the server, ordered by encryption strength
    
    Hexcode  Cipher Suite Name (OpenSSL)    KeyExch.   Encryption Bits        Cipher Suite Name (RFC)
    -----------------------------------------------------------------------------------------------------------------------
    xcc13   ECDHE-RSA-CHACHA20-POLY1305    ECDH 256   ChaCha20   256       
    xc030   ECDHE-RSA-AES256-GCM-SHA384    ECDH 256   AESGCM     256       
    xc028   ECDHE-RSA-AES256-SHA384        ECDH 256   AES        256       
    xc014   ECDHE-RSA-AES256-SHA           ECDH 256   AES        256       
    x9f     DHE-RSA-AES256-GCM-SHA384      DH 2048    AESGCM     256       
    x6b     DHE-RSA-AES256-SHA256          DH 2048    AES        256       
    x39     DHE-RSA-AES256-SHA             DH 2048    AES        256       
    x9d     AES256-GCM-SHA384              RSA        AESGCM     256       
    x3d     AES256-SHA256                  RSA        AES        256       
    x35     AES256-SHA                     RSA        AES        256       
    xc02f   ECDHE-RSA-AES128-GCM-SHA256    ECDH 256   AESGCM     128       
    xc027   ECDHE-RSA-AES128-SHA256        ECDH 256   AES        128       
    xc013   ECDHE-RSA-AES128-SHA           ECDH 256   AES        128       
    x9e     DHE-RSA-AES128-GCM-SHA256      DH 2048    AESGCM     128       
    x67     DHE-RSA-AES128-SHA256          DH 2048    AES        128       
    x33     DHE-RSA-AES128-SHA             DH 2048    AES        128       
    x9c     AES128-GCM-SHA256              RSA        AESGCM     128       
    x3c     AES128-SHA256                  RSA        AES        128       
    x2f     AES128-SHA                     RSA        AES        128          
    However, the openssl command test reports it's working with OCSP stapling:

    Code:
    OCSP Response Data:
        OCSP Response Status: successful (0x0)
    Code:
    echo QUIT | openssl s_client -connect centminmod.com:443 -tls1 -tlsextdebug -status | grep -A17 'OCSP response:'   
    depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
    verify error:num=20:unable to get local issuer certificate
    OCSP response:
    ======================================
    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
        Version: 1 (0x0)
        Responder Id: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
        Produced At: Aug 23 10:54:27 2015 GMT
        Responses:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
          Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
          Serial Number: 623CBC1C62FD9C08BD83C9F033B009C8
        Cert Status: good
        This Update: Aug 23 10:54:27 2015 GMT
        Next Update: Aug 27 10:54:27 2015 GMT
    
    DONE
    
    As does the cipherscan test, which shows OCSP supported:

    Code:
    cipherscan centminmod.com:443                          
    .....................
    Target: centminmod.com:443
    
    prio  ciphersuite                  protocols              pubkey_size  signature_algoritm       trusted  ticket_hint  ocsp_staple  pfs                 curves
    1     ECDHE-RSA-CHACHA20-POLY1305  TLSv1.2                2048         sha256WithRSAEncryption  True     3600         True         ECDH,P-256,256bits  prime256v1
    2     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                2048         sha256WithRSAEncryption  True     3600         True         ECDH,P-256,256bits  prime256v1
    3     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                2048         sha256WithRSAEncryption  True     3600         True         ECDH,P-256,256bits  prime256v1
    4     DHE-RSA-AES128-GCM-SHA256    TLSv1.2                2048         sha256WithRSAEncryption  True     3600         True         DH,2048bits         None
    5     DHE-RSA-AES256-GCM-SHA384    TLSv1.2                2048         sha256WithRSAEncryption  True     3600         True         DH,2048bits         None
    6     ECDHE-RSA-AES128-SHA256      TLSv1.2                2048         sha256WithRSAEncryption  True     3600         True         ECDH,P-256,256bits  prime256v1
    7     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     3600         True         ECDH,P-256,256bits  prime256v1
    8     ECDHE-RSA-AES256-SHA384      TLSv1.2                2048         sha256WithRSAEncryption  True     3600         True         ECDH,P-256,256bits  prime256v1
    9     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     3600         True         ECDH,P-256,256bits  prime256v1
    10    DHE-RSA-AES128-SHA256        TLSv1.2                2048         sha256WithRSAEncryption  True     3600         True         DH,2048bits         None
    11    DHE-RSA-AES128-SHA           TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     3600         False        DH,2048bits         None
    12    DHE-RSA-AES256-SHA256        TLSv1.2                2048         sha256WithRSAEncryption  True     3600         True         DH,2048bits         None
    13    DHE-RSA-AES256-SHA           TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     3600         True         DH,2048bits         None
    14    AES128-GCM-SHA256            TLSv1.2                2048         sha256WithRSAEncryption  True     3600         True         None                None
    15    AES256-GCM-SHA384            TLSv1.2                2048         sha256WithRSAEncryption  True     3600         True         None                None
    16    AES128-SHA256                TLSv1.2                2048         sha256WithRSAEncryption  True     3600         True         None                None
    17    AES256-SHA256                TLSv1.2                2048         sha256WithRSAEncryption  True     3600         True         None                None
    18    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     3600         True         None                None
    19    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     3600         True         None                None
    20    DES-CBC3-SHA                 TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  True     3600         True         None                None
    
    OCSP stapling: supported
    Cipher ordering: server
    
    Fallbacks required:
    big-SSLv3 config not supported, connection failed
    big-TLSv1.0 no fallback req, connected: TLSv1 ECDHE-RSA-AES128-SHA
    big-TLSv1.1 no fallback req, connected: TLSv1.1 ECDHE-RSA-AES128-SHA
    big-TLSv1.2 no fallback req, connected: TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305
     
    Last edited: Aug 24, 2015
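An added example, not code from the thread or from centminmod, that scripts the two checks discussed in this thread: the h2 negotiation question from post 7 (ALPN, plus the NPN path that version 2 of the patch added for OpenSSL 1.0.1) and the OCSP stapling discrepancy between testssl and openssl s_client in this post. The parsers are fed constructed sample output so they can be run offline; the live probes assume an openssl binary on the PATH and a host/port you pass as arguments.

```shell
#!/bin/sh
# Added example (not from the thread): probe a TLS endpoint with openssl
# s_client the way the thread's tools do, and parse the answers so the
# result can be checked in a script. Assumes openssl 1.0.2+ for ALPN
# (-alpn); 1.0.1 only has NPN (-nextprotoneg).

# parse_alpn: read s_client output on stdin, print the negotiated
# application protocol ("h2", "http/1.1", ...) or "none". Handles the ALPN
# line of OpenSSL 1.0.2+ and the "Next protocol: (1) h2" NPN line.
parse_alpn() {
    awk '
        /^ALPN protocol: /    { sub(/^ALPN protocol: /, ""); print; found = 1; exit }
        /^Next protocol: /    { sub(/^Next protocol: /, ""); sub(/^\([0-9]+\) /, "");
                                sub(/ \([0-9]+\)$/, ""); print; found = 1; exit }
        /^No ALPN negotiated/ { print "none"; found = 1; exit }
        END { if (!found) print "none" }'
}

# parse_ocsp: read `s_client -status` output on stdin, print "none" when the
# server sent no stapled response, else "stapled:<Cert Status>".
parse_ocsp() {
    awk '
        /^OCSP response: no response sent/ { print "none"; found = 1; exit }
        /^ *Cert Status: / { sub(/^ *Cert Status: /, ""); print "stapled:" $0; found = 1; exit }
        END { if (!found) print "none" }'
}

# s_client HOST PORT [extra openssl options]: one handshake with SNI set,
# stdout only. SNI matters: stapling is configured per server block.
s_client() {
    host=$1; port=$2; shift 2
    printf 'QUIT\n' | openssl s_client -connect "$host:$port" -servername "$host" "$@" 2>/dev/null
}

probe_alpn() { s_client "$1" "${2:-443}" -alpn h2,http/1.1 | parse_alpn; }
probe_npn()  { s_client "$1" "${2:-443}" -nextprotoneg h2,http/1.1 | parse_alpn; }

# probe_ocsp HOST [PORT] [TRIES]: nginx fetches the OCSP response lazily, so
# the first handshake after a (re)start carries no staple; a scanner that
# connects once can report "not offered" while a later connection shows it.
# Connect up to TRIES times and report the first stapled answer seen.
probe_ocsp() {
    host=$1; port=${2:-443}; tries=${3:-3}; result=none; i=0
    while [ "$i" -lt "$tries" ]; do
        result=$(s_client "$host" "$port" -status | parse_ocsp)
        [ "$result" != none ] && break
        i=$((i + 1)); sleep 1
    done
    printf '%s\n' "$result"
}

# Constructed sample outputs (shapes follow what openssl s_client prints).
SAMPLE_STAPLED='OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good
    This Update: Aug 23 10:54:27 2015 GMT'
SAMPLE_NOSTAPLE='OCSP response: no response sent'
SAMPLE_ALPN='ALPN protocol: h2'
SAMPLE_NPN='Next protocol: (1) h2'
SAMPLE_NOALPN='No ALPN negotiated'

# Live run: ./probe.sh example.com 443 (hypothetical host). The parsers
# themselves need no network; the samples above exercise them.
if [ $# -gt 0 ]; then
    echo "ALPN: $(probe_alpn "$1" "$2")"
    echo "NPN:  $(probe_npn "$1" "$2")"
    echo "OCSP: $(probe_ocsp "$1" "$2")"
fi
```

If the first attempt reports "none" and a later one reports "stapled:good", the server staples but loaded the response lazily, which is enough to explain one scanner saying "not offered" while another says "supported".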
  18. rdan

  19. eva2000

  20. eva2000

    4th Nginx HTTP/2 patch released: Index of /patches/http2/

    Code:
    2015-08-31 Version 4 (NGINX 1.9.4)
    - Improved error handling;
    - Added the http2_max_field_size directive that limits the maximum size of
       a request header field (4096 bytes by default).
    
    2015-08-19 Version 3 (NGINX 1.9.4)
    - The gzip and gzip_static modules might not work with HTTP/2 requests;
    - Fixed processing of Cookie headers.
    
    2015-08-14 Version 2 (NGINX 1.9.3)
    - Introduced NPN support for HTTP/2 negotiation (this reduces OpenSSL version
       requirement to 1.0.1+);
    - Various fixes in the prioritization mechanism;
    - Fixed missing "Location" response header in some configurations;
    - Fixed processing of the ":authority" pseudo-header (the HTTP/2 analog of
       the "Host" header).
    
    2015-08-05 Version 1 (NGINX 1.9.3)
    The first public alpha release.