But H2Check - test your site for HTTP/2 support doesn't detect HTTP/2.
Indeed strange.. tested my h2o HTTP/2 server and yes, H2Check reports HTTP/2

edit: emailed H2Check guys to report it
Strange that h2check.org doesn't report HTTP/2 for centminmod.com. But using the h2i tool to check HTTP/2 shows = Negotiated protocol "h2"

test sslspdy.com

Code:
h2i sslspdy.com
Connecting to sslspdy.com:443 ...
Connected to 192.184.89.66:443
Negotiated protocol "h2"
[FrameHeader SETTINGS len=18]
  [MAX_CONCURRENT_STREAMS = 128]
  [INITIAL_WINDOW_SIZE = 2147483647]
  [MAX_FRAME_SIZE = 16777215]
[FrameHeader WINDOW_UPDATE len=4]
  Window-Increment = 2147418112

test centminmod.com

Code:
h2i centminmod.com
Connecting to centminmod.com:443 ...
Connected to 104.152.214.227:443
Negotiated protocol "h2"
[FrameHeader SETTINGS len=18]
  [MAX_CONCURRENT_STREAMS = 128]
  [INITIAL_WINDOW_SIZE = 2147483647]
  [MAX_FRAME_SIZE = 16777215]
[FrameHeader WINDOW_UPDATE len=4]
  Window-Increment = 2147418112

test google.com

Code:
h2i google.com
Connecting to google.com:443 ...
Connected to 216.58.192.14:443
Negotiated protocol "h2"
[FrameHeader SETTINGS len=18]
  [MAX_CONCURRENT_STREAMS = 100]
  [INITIAL_WINDOW_SIZE = 1048576]
  [MAX_FRAME_SIZE = 16384]
[FrameHeader WINDOW_UPDATE len=4]
  Window-Increment = 983041

Ah, I see: Nginx HTTP/2 advertises the h2 protocol and not the h2-14 draft, so you need to check for h2 = ALPN protocol: h2

Code:
openssl s_client -alpn h2 -host sslspdy.com -port 443
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-CHACHA20-POLY1305
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
ALPN protocol: h2
SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-ECDSA-CHACHA20-POLY1305

Code:
openssl s_client -alpn h2 -host centminmod.com -port 443
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-CHACHA20-POLY1305
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
ALPN protocol: h2
SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-ECDSA-CHACHA20-POLY1305

Code:
openssl s_client -alpn h2 -host google.com -port 443
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
ALPN protocol: h2
SSL-Session:
    Protocol : TLSv1.2
    Cipher : ECDHE-RSA-CHACHA20-POLY1305

Checking HTTP/2 headers via curl 7.43+ for added --http2 support + nghttp support, which the custom 7.43+ rpm linked below actually does not have.

Code:
curl -I --http2 https://centminmod.com -v
* Rebuilt URL to: https://centminmod.com/
* Trying 104.152.214.227...
* Connected to centminmod.com (104.152.214.227) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
* ALPN, server accepted to use h2
* Server certificate:
* subject: OU=Domain Control Validated; OU=GGSSL Wildcard SSL; CN=*.centminmod.com
* start date: 2014-08-14 00:00:00 GMT
* expire date: 2017-08-13 23:59:59 GMT
* subjectAltName: centminmod.com matched
* issuer: C=GB; ST=Greater Manchester; L=Salford; O=COMODO CA Limited; CN=COMODO RSA Domain Validation Secure Server CA
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Using Stream ID: 1 (easy handle 0x117f5a0)
> HEAD / HTTP/1.1
> Host: centminmod.com
> User-Agent: curl/7.43.0-DEV
> Accept: */*
>
* http2_recv: 16384 bytes buffer at 0x117fef0 (stream 1)
* Connection state changed (MAX_CONCURRENT_STREAMS updated)!
* http2_recv: 16384 bytes buffer at 0x117fef0 (stream 1)
* http2_recv: 16384 bytes buffer at 0x117fef0 (stream 1)
* http2_recv: returns 247 for stream 1
< HTTP/2.0 200
HTTP/2.0 200
< content-type:text/html; charset=utf-8
content-type:text/html; charset=utf-8
< vary:Accept-Encoding
vary:Accept-Encoding
< server:nginx centminmod
server:nginx centminmod
< alternate-protocol:443:npn-spdy/3
alternate-protocol:443:npn-spdy/3
< date:Wed, 12 Aug 2015 09:45:55 GMT
date:Wed, 12 Aug 2015 09:45:55 GMT
< x-page-speed:centminmod.com PageSpeed
x-page-speed:centminmod.com PageSpeed
< cache-control:max-age=0, no-cache
cache-control:max-age=0, no-cache
<
* Connection #0 to host centminmod.com left intact

FYI, for Centmin Mod 123.09beta01 users, you need to use LibreSSL's openssl binary for -alpn support i.e.
Code:
/opt/libressl/bin/openssl s_client -alpn h2 -host sslspdy.com -port 443

If you need curl 7.43+ then you need the custom rpm addon for Centmin Mod .08+ at Beta Branch - Centmin Mod .08 beta 03 addon - curl 7.43 custom rpms | Centmin Mod Community

More tests with nghttp = The negotiated protocol: h2 = HTTP/2

for sslspdy.com

Code:
nghttp -nv https://sslspdy.com:443
[ 0.072] Connected
The negotiated protocol: h2
[ 0.145] send SETTINGS frame <length=12, flags=0x00, stream_id=0>
          (niv=2)
          [SETTINGS_MAX_CONCURRENT_STREAMS(0x03):100]
          [SETTINGS_INITIAL_WINDOW_SIZE(0x04):65535]
[ 0.145] send PRIORITY frame <length=5, flags=0x00, stream_id=3>
          (dep_stream_id=0, weight=201, exclusive=0)
[ 0.145] send PRIORITY frame <length=5, flags=0x00, stream_id=5>
          (dep_stream_id=0, weight=101, exclusive=0)
[ 0.145] send PRIORITY frame <length=5, flags=0x00, stream_id=7>
          (dep_stream_id=0, weight=1, exclusive=0)
[ 0.145] send PRIORITY frame <length=5, flags=0x00, stream_id=9>
          (dep_stream_id=7, weight=1, exclusive=0)
[ 0.145] send PRIORITY frame <length=5, flags=0x00, stream_id=11>
          (dep_stream_id=3, weight=1, exclusive=0)
[ 0.145] send HEADERS frame <length=39, flags=0x25, stream_id=13>
          ; END_STREAM | END_HEADERS | PRIORITY
          (padlen=0, dep_stream_id=11, weight=16, exclusive=0)
          ; Open new stream
          :method: GET
          :path: /
          :scheme: https
          :authority: sslspdy.com
          accept: */*
          accept-encoding: gzip, deflate
          user-agent: nghttp2/1.2.1-DEV
[ 0.170] recv SETTINGS frame <length=18, flags=0x00, stream_id=0>
          (niv=3)
          [SETTINGS_MAX_CONCURRENT_STREAMS(0x03):128]
          [SETTINGS_INITIAL_WINDOW_SIZE(0x04):2147483647]
          [SETTINGS_MAX_FRAME_SIZE(0x05):16777215]
[ 0.170] recv WINDOW_UPDATE frame <length=4, flags=0x00, stream_id=0>
          (window_size_increment=2147418112)
[ 0.170] send SETTINGS frame <length=0, flags=0x01, stream_id=0>
          ; ACK
          (niv=0)
[ 0.208] recv SETTINGS frame <length=0, flags=0x01, stream_id=0>
          ; ACK
          (niv=0)
[ 0.208] recv (stream_id=13) :status: 200
[ 0.208] recv (stream_id=13) server: nginx
[ 0.208] recv (stream_id=13) date: Thu, 13 Aug 2015 08:40:25 GMT
[ 0.208] recv (stream_id=13) content-type: text/html; charset=utf-8
[ 0.208] recv (stream_id=13) last-modified: Wed, 12 Aug 2015 03:31:16 GMT
[ 0.208] recv (stream_id=13) vary: Accept-Encoding
[ 0.208] recv (stream_id=13) etag: W/"55cabe04-2d4a"
[ 0.208] recv (stream_id=13) expires: Fri, 14 Aug 2015 08:40:25 GMT
[ 0.208] recv (stream_id=13) cache-control: max-age=86400
[ 0.208] recv (stream_id=13) strict-transport-security: max-age=31536000; includeSubdomains
[ 0.208] recv (stream_id=13) cache-control: public, must-revalidate, proxy-revalidate
[ 0.208] recv (stream_id=13) content-encoding: gzip
[ 0.208] recv HEADERS frame <length=348, flags=0x04, stream_id=13>
          ; END_HEADERS
          (padlen=0)
          ; First response header
[ 0.231] recv DATA frame <length=3881, flags=0x01, stream_id=13>
          ; END_STREAM
[ 0.231] send GOAWAY frame <length=8, flags=0x00, stream_id=0>
          (last_stream_id=0, error_code=NO_ERROR(0x00), opaque_data(0)=[])

for centminmod.com

Code:
nghttp -nv https://centminmod.com:443
[ 0.063] Connected
The negotiated protocol: h2
[ 0.097] recv SETTINGS frame <length=18, flags=0x00, stream_id=0>
          (niv=3)
          [SETTINGS_MAX_CONCURRENT_STREAMS(0x03):128]
          [SETTINGS_INITIAL_WINDOW_SIZE(0x04):2147483647]
          [SETTINGS_MAX_FRAME_SIZE(0x05):16777215]
[ 0.097] recv WINDOW_UPDATE frame <length=4, flags=0x00, stream_id=0>
          (window_size_increment=2147418112)
[ 0.097] send SETTINGS frame <length=12, flags=0x00, stream_id=0>
          (niv=2)
          [SETTINGS_MAX_CONCURRENT_STREAMS(0x03):100]
          [SETTINGS_INITIAL_WINDOW_SIZE(0x04):65535]
[ 0.097] send SETTINGS frame <length=0, flags=0x01, stream_id=0>
          ; ACK
          (niv=0)
[ 0.098] send PRIORITY frame <length=5, flags=0x00, stream_id=3>
          (dep_stream_id=0, weight=201, exclusive=0)
[ 0.098] send PRIORITY frame <length=5, flags=0x00, stream_id=5>
          (dep_stream_id=0, weight=101, exclusive=0)
[ 0.098] send PRIORITY frame <length=5, flags=0x00, stream_id=7>
          (dep_stream_id=0, weight=1, exclusive=0)
[ 0.098] send PRIORITY frame <length=5, flags=0x00, stream_id=9>
          (dep_stream_id=7, weight=1, exclusive=0)
[ 0.098] send PRIORITY frame <length=5, flags=0x00, stream_id=11>
          (dep_stream_id=3, weight=1, exclusive=0)
[ 0.098] send HEADERS frame <length=41, flags=0x25, stream_id=13>
          ; END_STREAM | END_HEADERS | PRIORITY
          (padlen=0, dep_stream_id=11, weight=16, exclusive=0)
          ; Open new stream
          :method: GET
          :path: /
          :scheme: https
          :authority: centminmod.com
          accept: */*
          accept-encoding: gzip, deflate
          user-agent: nghttp2/1.2.1-DEV
[ 0.113] recv SETTINGS frame <length=0, flags=0x01, stream_id=0>
          ; ACK
          (niv=0)
[ 0.119] recv (stream_id=13) :status: 200
[ 0.119] recv (stream_id=13) content-type: text/html; charset=utf-8
[ 0.119] recv (stream_id=13) vary: Accept-Encoding
[ 0.119] recv (stream_id=13) server: nginx centminmod
[ 0.119] recv (stream_id=13) alternate-protocol: 443:npn-spdy/3
[ 0.119] recv (stream_id=13) date: Thu, 13 Aug 2015 08:41:14 GMT
[ 0.119] recv (stream_id=13) x-page-speed: centminmod.com PageSpeed
[ 0.119] recv (stream_id=13) cache-control: max-age=0, no-cache
[ 0.119] recv (stream_id=13) content-encoding: gzip
[ 0.119] recv HEADERS frame <length=237, flags=0x04, stream_id=13>
          ; END_HEADERS
          (padlen=0)
          ; First response header
[ 0.119] recv DATA frame <length=8192, flags=0x00, stream_id=13>
[ 0.119] recv DATA frame <length=2427, flags=0x01, stream_id=13>
          ; END_STREAM
[ 0.119] send GOAWAY frame <length=8, flags=0x00, stream_id=0>
          (last_stream_id=0, error_code=NO_ERROR(0x00), opaque_data(0)=[])

nghttp statistics for centminmod.com

Code:
nghttp -nas https://centminmod.com:443
***** Statistics *****
Request timing:
  responseEnd: the time when last byte of response was received relative to connectEnd
 requestStart: the time just before first byte of request was sent relative to connectEnd. If '*' is shown, this was pushed by server.
      process: responseEnd - requestStart
         code: HTTP status code
         size: number of bytes received as response body without inflation.
          URI: request URI
see http://www.w3.org/TR/resource-timing/#processing-model
sorted by 'complete'
id  responseEnd requestStart  process code size request path
13     +35.99ms       +316us  35.67ms  200  10K /
15     +45.66ms     +36.04ms   9.62ms  200   9K /img/favicon.ico
17     +46.15ms     +36.05ms  10.10ms  200   1K /css/localfonts.css
19     +54.87ms     +36.05ms  18.82ms  200   5K /css/font-awesome.min.css
21     +63.82ms     +36.05ms  27.77ms  200  19K /css/bootstrap.min.css
23     +64.07ms     +36.05ms  28.01ms  200   4K /css/hover-dropdown-menu.css
25     +64.12ms     +36.05ms  28.06ms  200  569 /css/icons-set8.css
27     +70.11ms     +36.06ms  34.05ms  200   3K /css/animate.min.css
29     +79.33ms     +36.06ms  43.27ms  200  24K /css/style.css
31     +79.51ms     +36.06ms  43.45ms  200   2K /css/responsive.css
33     +79.56ms     +36.07ms  43.49ms  200   1K /css/color.css
35     +88.28ms     +36.07ms  52.21ms  200  29K /js/jquery.min.js
37     +88.81ms     +36.07ms  52.74ms  200   9K /js/bootstrap.min.js
39     +89.04ms     +36.07ms  52.96ms  200   6K /js/hover-dropdown-menu.js
41     +89.07ms     +36.07ms  52.99ms  200  985 /js/jquery.hover-dropdown-menu-addon.js
43     +89.10ms     +36.07ms  53.02ms  200  797 /js/jquery.easing.1.3.js
47     +92.29ms     +36.08ms  56.22ms  200   8K /js/custom.js
45    +101.77ms     +36.08ms  65.69ms  200  25K /js/bootstrapValidator.min.js
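Added example (not from the thread or from any of the tools used in it): a small Python parser for the SETTINGS frame that h2i and nghttp decode above, applying the RFC 7540 section 6.5 checks that h2spec's 6.5 and 6.5.2 cases later in the thread expect a server to enforce. The frame bytes are constructed from the values nginx advertised in the output above; all function names are hypothetical.

```python
import struct

# Constants from RFC 7540 (sections 4.1, 6.5 and 6.5.2).
FRAME_SETTINGS = 0x4
FLAG_ACK = 0x1
SETTING_NAMES = {
    0x1: "HEADER_TABLE_SIZE",
    0x2: "ENABLE_PUSH",
    0x3: "MAX_CONCURRENT_STREAMS",
    0x4: "INITIAL_WINDOW_SIZE",
    0x5: "MAX_FRAME_SIZE",
    0x6: "MAX_HEADER_LIST_SIZE",
}
MAX_WINDOW = 2**31 - 1       # largest legal flow-control window
MIN_FRAME_SIZE = 2**14       # initial (and minimum) SETTINGS_MAX_FRAME_SIZE
MAX_FRAME_SIZE = 2**24 - 1   # largest value a 24-bit length can carry


class H2Error(Exception):
    """Connection error carrying the RFC 7540 error code name."""

    def __init__(self, code, detail):
        super().__init__(f"{code}: {detail}")
        self.code = code


def raw_frame(ftype, flags, stream_id, payload):
    """Serialize a frame: 24-bit length, type, flags, 31-bit stream id."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + (stream_id & 0x7FFFFFFF).to_bytes(4, "big") + payload)


def settings_payload(pairs):
    """Each setting is a 16-bit identifier followed by a 32-bit value."""
    return b"".join(struct.pack("!HI", ident, value) for ident, value in pairs)


def parse_settings(frame):
    """Return {name: value}; raise H2Error where section 6.5 demands one."""
    if len(frame) < 9:
        raise ValueError("short frame header")
    length = int.from_bytes(frame[0:3], "big")
    ftype, flags = frame[3], frame[4]
    stream_id = int.from_bytes(frame[5:9], "big") & 0x7FFFFFFF
    payload = frame[9:9 + length]
    if ftype != FRAME_SETTINGS:
        raise ValueError("not a SETTINGS frame")
    if len(payload) != length:
        raise ValueError("truncated payload")
    if stream_id != 0:
        raise H2Error("PROTOCOL_ERROR", "SETTINGS on a non-zero stream")
    if flags & FLAG_ACK:
        if length:
            raise H2Error("FRAME_SIZE_ERROR", "ACK with a payload")
        return {}
    if length % 6:
        raise H2Error("FRAME_SIZE_ERROR", "length not a multiple of 6")
    settings = {}
    for off in range(0, length, 6):
        ident, value = struct.unpack_from("!HI", payload, off)
        if ident == 0x2 and value not in (0, 1):
            raise H2Error("PROTOCOL_ERROR", "ENABLE_PUSH must be 0 or 1")
        if ident == 0x4 and value > MAX_WINDOW:
            raise H2Error("FLOW_CONTROL_ERROR", "window above 2^31-1")
        if ident == 0x5 and not MIN_FRAME_SIZE <= value <= MAX_FRAME_SIZE:
            raise H2Error("PROTOCOL_ERROR", "MAX_FRAME_SIZE out of range")
        name = SETTING_NAMES.get(ident)
        if name is not None:  # unknown identifiers must be ignored
            settings[name] = value
    return settings


def verdict(frame):
    """'OK' or the error code a compliant endpoint would send in GOAWAY."""
    try:
        parse_settings(frame)
        return "OK"
    except H2Error as exc:
        return exc.code


# Constructed sample: the three values nginx advertised in the h2i output.
NGINX_FRAME = raw_frame(FRAME_SETTINGS, 0, 0, settings_payload(
    [(0x3, 128), (0x4, 2147483647), (0x5, 16777215)]))

# Constructed malformed frames, one per rule checked in parse_settings().
MALFORMED = {
    "non-zero stream": raw_frame(FRAME_SETTINGS, 0, 1, settings_payload([(0x3, 100)])),
    "ACK with payload": raw_frame(FRAME_SETTINGS, FLAG_ACK, 0, settings_payload([(0x3, 100)])),
    "length 5": raw_frame(FRAME_SETTINGS, 0, 0, b"\x00" * 5),
    "ENABLE_PUSH=2": raw_frame(FRAME_SETTINGS, 0, 0, settings_payload([(0x2, 2)])),
    "window 2^31": raw_frame(FRAME_SETTINGS, 0, 0, settings_payload([(0x4, 2**31)])),
    "frame size 16383": raw_frame(FRAME_SETTINGS, 0, 0, settings_payload([(0x5, 16383)])),
    "frame size 2^24": raw_frame(FRAME_SETTINGS, 0, 0, settings_payload([(0x5, 2**24)])),
}

if __name__ == "__main__":
    print("nginx SETTINGS:", parse_settings(NGINX_FRAME))
    for label, frame in MALFORMED.items():
        print(f"{label:18} -> {verdict(frame)}")
```
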
Some HTTP/2 adoption rate statistics: Usage Statistics of HTTP/2 for Websites, August 2015

Currently HTTP/2 is used by 1.1% of all web sites in w3techs.com database.

Other data from daniel.haxx.se » The state and rate of HTTP/2 adoption
Running h2spec testing tool for HTTP/2 seems to hang on 4.2

Code:
h2spec --version
h2spec v1.1.1

h2spec against centminmod.com seems to hang at 4.2

Code:
h2spec -h centminmod.com -p 443 -t
  3.5. HTTP/2 Connection Preface
    ✓ Sends invalid connection preface
  4.2. Frame Size
    Sends large size frame that exceeds the SETTINGS_MAX_FRAME_SIZE

run testing against google.com

Code:
h2spec -h google.com -p 443 -t

Code:
70 tests, 14 passed, 0 skipped, 56 failed

Spoiler: h2spec result

Code:
h2spec -h google.com -p 443 -t
  3.5. HTTP/2 Connection Preface
    ✓ Sends invalid connection preface
  4.2. Frame Size
    × Sends large size frame that exceeds the SETTINGS_MAX_FRAME_SIZE
      - The endpoint MUST send a FRAME_SIZE_ERROR error.
        Expected: GOAWAY frame (ErrorCode: FRAME_SIZE_ERROR)
                  RST_STREAM frame (ErrorCode: FRAME_SIZE_ERROR)
                  Connection close
          Actual: PING frame (Length: 8, Flags: 0)
  4.3. Header Compression and Decompression
    × Sends invalid header block fragment
      - The endpoint MUST terminate the connection with a connection error of type COMPRESSION_ERROR.
        Expected: GOAWAY frame (ErrorCode: COMPRESSION_ERROR)
                  Connection close
          Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
    ✓ Sends Dynamic Table Size Update (RFC 7541, 6.3)
    × Encodes Dynamic Table Size Update (RFC 7541, 6.3) after common header fields
      - The endpoint MUST terminate the connection with a connection error of type COMPRESSION_ERROR.
        Expected: GOAWAY frame (ErrorCode: COMPRESSION_ERROR)
                  Connection close
          Actual: PING frame (Length: 8, Flags: 0)
  5.1. Stream States
    × idle: Sends a DATA frame
      - The endpoint MUST treat this as a connection error (Section 5.4.1) of type PROTOCOL_ERROR.
        Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                  Connection close
          Actual: Test timeout
    × idle: Sends a RST_STREAM frame
      - The endpoint MUST treat this as a connection error (Section 5.4.1) of type PROTOCOL_ERROR.
        Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                  Connection close
          Actual: Test timeout
    × idle: Sends a WINDOW_UPDATE frame
      - The endpoint MUST treat this as a connection error (Section 5.4.1) of type PROTOCOL_ERROR.
        Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                  Connection close
          Actual: Test timeout
    × idle: Sends a CONTINUATION frame
      - The endpoint MUST treat this as a connection error (Section 5.4.1) of type PROTOCOL_ERROR.
        Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                  Connection close
          Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
    × half closed (remote): Sends a DATA frame
      - The endpoint MUST respond with a stream error (Section 5.4.2) of type STREAM_CLOSED.
        Expected: GOAWAY frame (ErrorCode: STREAM_CLOSED)
                  RST_STREAM frame (ErrorCode: STREAM_CLOSED)
                  Connection close
          Actual: PING frame (Length: 8, Flags: 0)
    × half closed (remote): Sends a HEADERS frame
      - The endpoint MUST respond with a stream error (Section 5.4.2) of type STREAM_CLOSED.
        Expected: GOAWAY frame (ErrorCode: STREAM_CLOSED)
                  RST_STREAM frame (ErrorCode: STREAM_CLOSED)
                  Connection close
          Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
    × half closed (remote): Sends a CONTINUATION frame
      - The endpoint MUST respond with a stream error (Section 5.4.2) of type STREAM_CLOSED.
        Expected: GOAWAY frame (ErrorCode: STREAM_CLOSED)
                  RST_STREAM frame (ErrorCode: STREAM_CLOSED)
                  GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                  RST_STREAM frame (ErrorCode: PROTOCOL_ERROR)
                  Connection close
          Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
    × closed: Sends a CONTINUATION frame
      - The endpoint MUST treat this as a stream error (Section 5.4.2) of type STREAM_CLOSED.
        Expected: GOAWAY frame (ErrorCode: STREAM_CLOSED)
                  RST_STREAM frame (ErrorCode: STREAM_CLOSED)
                  GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                  RST_STREAM frame (ErrorCode: PROTOCOL_ERROR)
                  Connection close
          Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
  5.1.1. Stream Identifiers
    ✓ Sends even-numbered stream identifier
  5.1.2. Stream Concurrency
    × Sends HEADERS frames that causes their advertised concurrent stream limit to be exceeded
      - The endpoint MUST treat this as a stream error (Section 5.4.2) of type PROTOCOL_ERROR or REFUSED_STREAM
        Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                  RST_STREAM frame (ErrorCode: PROTOCOL_ERROR)
                  GOAWAY frame (ErrorCode: REFUSED_STREAM)
                  RST_STREAM frame (ErrorCode: REFUSED_STREAM)
                  Connection close
          Actual: HEADERS frame (Length: 21, Flags: 4)
  5.3. Stream Priority
  5.3.1. Stream Dependencies
    × Sends HEADERS frame that depend on itself
      - The endpoint MUST treat this as a stream error of type PROTOCOL_ERROR
        Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                  RST_STREAM frame (ErrorCode: PROTOCOL_ERROR)
                  Connection close
          Actual: PING frame (Length: 8, Flags: 0)
    × Sends PRIORITY frame that depend on itself
      - The endpoint MUST treat this as a stream error of type PROTOCOL_ERROR
        Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                  RST_STREAM frame (ErrorCode: PROTOCOL_ERROR)
                  Connection close
          Actual: Test timeout
  5.4. Error Handling
  5.4.1. Connection Error Handling
    ✓ Receives a GOAWAY frame
  5.5. Extending HTTP/2
    ✓ Sends an unknown extension frame
    × Sends an unknown extension frame in the middle of a header block
      - The endpoint MUST treat as a connection error of type PROTOCOL_ERROR.
        Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                  Connection close
          Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
  6.1. DATA
    × Sends a DATA frame with 0x0 stream identifier
      - The endpoint MUST respond with a connection error of type PROTOCOL_ERROR.
        Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                  Connection close
          Actual: Test timeout
    × Sends a DATA frame on the stream that is not opend
      - The endpoint MUST respond with a stream error of type STREAM_CLOSED.
        Expected: GOAWAY frame (ErrorCode: STREAM_CLOSED)
                  RST_STREAM frame (ErrorCode: STREAM_CLOSED)
                  Connection close
          Actual: PING frame (Length: 8, Flags: 0)
    × Sends a DATA frame with invalid pad length
      - The endpoint MUST treat this as a connection error of type PROTOCOL_ERROR.
        Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                  RST_STREAM frame (ErrorCode: PROTOCOL_ERROR)
                  Connection close
          Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
  6.2. HEADERS
    × Sends a HEADERS frame followed by any frame other than CONTINUATION
      - The endpoint MUST treat the receipt of any other type of frame as a connection error of type PROTOCOL_ERROR.
        Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                  Connection close
          Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
    × Sends a HEADERS frame followed by a frame on a different stream
      - The endpoint MUST treat the receipt of a frame on a different stream as a connection error of type PROTOCOL_ERROR.
        Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                  Connection close
          Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
    × Sends a HEADERS frame with 0x0 stream identifier
      - The endpoint MUST respond with a connection error of type PROTOCOL_ERROR.
        Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                  Connection close
          Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
    × Sends a HEADERS frame with invalid pad length
      - The endpoint MUST treat this as a connection error of type PROTOCOL_ERROR.
        Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                  Connection close
          Actual: Test timeout
  6.3. PRIORITY
    × Sends a PRIORITY frame with 0x0 stream identifier
      - The endpoint MUST respond with a connection error of type PROTOCOL_ERROR.
        Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                  Connection close
          Actual: PING frame (Length: 8, Flags: 0)
    × Sends a PRIORITY frame with a length other than 5 octets
      - The endpoint MUST respond with a stream error of type FRAME_SIZE_ERROR.
        Expected: GOAWAY frame (ErrorCode: FRAME_SIZE_ERROR)
                  RST_STREAM frame (ErrorCode: FRAME_SIZE_ERROR)
                  Connection close
          Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
  6.4. RST_STREAM
    × Sends a RST_STREAM frame with 0x0 stream identifier
      - The endpoint MUST respond with a connection error of type PROTOCOL_ERROR.
        Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                  Connection close
          Actual: Test timeout
    × Sends a RST_STREAM frame on a idle stream
      - The endpoint MUST respond with a connection error of type PROTOCOL_ERROR.
        Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                  Connection close
          Actual: Test timeout
    × Sends a RST_STREAM frame with a length other than 4 octets
      - The endpoint MUST respond with a connection error of type FRAME_SIZE_ERROR.
        Expected: GOAWAY frame (ErrorCode: FRAME_SIZE_ERROR)
                  Connection close
          Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
  6.5. SETTINGS
    ✓ Sends a SETTINGS frame
    × Sends a SETTINGS frame that is not a zero-length with ACK flag
      - The endpoint MUST respond with a connection error of type FRAME_SIZE_ERROR.
        Expected: GOAWAY frame (ErrorCode: FRAME_SIZE_ERROR)
                  Connection close
          Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
    × Sends a SETTINGS frame with the stream identifier that is not 0x0
      - The endpoint MUST respond with a connection error of type PROTOCOL_ERROR.
        Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                  Connection close
          Actual: SETTINGS frame (Length: 0, Flags: 1)
    × Sends a SETTINGS frame with a length other than a multiple of 6 octets
      - The endpoint MUST respond with a connection error of type FRAME_SIZE_ERROR.
        Expected: GOAWAY frame (ErrorCode: FRAME_SIZE_ERROR)
                  Connection close
          Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
  6.5.2. Defined SETTINGS Parameters
    × SETTINGS_ENABLE_PUSH (0x2): Sends the value other than 0 or 1
      - The endpoint MUST respond with a connection error of type PROTOCOL_ERROR.
        Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                  Connection close
          Actual: SETTINGS frame (Length: 0, Flags: 1)
    × SETTINGS_INITIAL_WINDOW_SIZE (0x4): Sends the value above the maximum flow control window size
      - The endpoint MUST respond with a connection error of type FLOW_CONTROL_ERROR.
        Expected: GOAWAY frame (ErrorCode: FLOW_CONTROL_ERROR)
                  Connection close
          Actual: GOAWAY frame (Length: 35, Flags: 0, ErrorCode: NO_ERROR)
    × SETTINGS_MAX_FRAME_SIZE (0x5): Sends the value below the initial value
      - The endpoint MUST respond with a connection error of type PROTOCOL_ERROR.
        Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                  Connection close
          Actual: SETTINGS frame (Length: 0, Flags: 1)
    × SETTINGS_MAX_FRAME_SIZE (0x5): Sends the value above the maximum allowed frame size
      - The endpoint MUST respond with a connection error of type PROTOCOL_ERROR.
        Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                  Connection close
          Actual: SETTINGS frame (Length: 0, Flags: 1)
  6.7. PING
    ✓ Sends a PING frame
    ✓ Sends a PING frame with the stream identifier that is not 0x0
    × Sends a PING frame with a length field value other than 8
      - The endpoint MUST respond with a connection error of type FRAME_SIZE_ERROR.
        Expected: GOAWAY frame (ErrorCode: FRAME_SIZE_ERROR)
                  Connection close
          Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
  6.8. GOAWAY
    × Sends a GOAWAY frame with the stream identifier that is not 0x0
      - The endpoint MUST respond with a connection error of type PROTOCOL_ERROR.
        Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                  Connection close
          Actual: Test timeout
  6.9. WINDOW_UPDATE
    ✓ Sends a WINDOW_UPDATE frame
    ✓ Sends a WINDOW_UPDATE frame with an flow control window increment of 0
    ✓ Sends a WINDOW_UPDATE frame with an flow control window increment of 0 on a stream
    × Sends a WINDOW_UPDATE frame with a length other than a multiple of 4 octets
      - The endpoint MUST respond with a connection error of type FRAME_SIZE_ERROR.
        Expected: GOAWAY frame (ErrorCode: FRAME_SIZE_ERROR)
                  Connection close
          Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
  6.9.1. The Flow Control Window
    × Sends multiple WINDOW_UPDATE frames on a connection increasing the flow control window to above 2^31-1
      - The endpoint MUST sends a GOAWAY frame with a FLOW_CONTROL_ERROR code.
        Expected: GOAWAY frame (ErrorCode: FLOW_CONTROL_ERROR)
          Actual: Test timeout
    ✓ Sends multiple WINDOW_UPDATE frames on a stream increasing the flow control window to above 2^31-1
  6.9.2. Initial Flow Control Window Size
    × Sends a SETTINGS_INITIAL_WINDOW_SIZE settings with an exceeded maximum window size value
      - The endpoint MUST respond with a connection error of type FLOW_CONTROL_ERROR.
        Expected: GOAWAY frame (ErrorCode: FLOW_CONTROL_ERROR)
                  Connection close
          Actual: GOAWAY frame (Length: 35, Flags: 0, ErrorCode: NO_ERROR)
  6.10. CONTINUATION
    ✓ Sends a CONTINUATION frame
    × Sends multiple CONTINUATION frames
      - The endpoint must accept the frames.
        Expected: HEADERS frame
          Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
    × Sends a CONTINUATION frame followed by any frame other than CONTINUATION
      - The endpoint MUST treat as a connection error of type PROTOCOL_ERROR.
        Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                  Connection close
          Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
    × Sends a CONTINUATION frame followed by a frame on a different stream
      - The endpoint MUST treat as a connection error of type PROTOCOL_ERROR.
        Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                  Connection close
          Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
    × Sends a CONTINUATION frame with the stream identifier that is 0x0
      - The endpoint MUST treat as a connection error of type PROTOCOL_ERROR.
        Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                  Connection close
          Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
    × Sends a CONTINUATION frame after the frame other than HEADERS, PUSH_PROMISE or CONTINUATION
      - The endpoint MUST treat as a connection error of type PROTOCOL_ERROR.
        Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                  Connection close
          Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
  8.1. HTTP Request/Response Exchange
    ✓ Sends a HEADERS frame as HEAD request
    × Sends a HEADERS frame containing trailer part
      - The endpoint should respond with HEADERS frame.
        Expected: HEADERS frame (Flags: 1)
          Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
  8.1.2. HTTP Header Fields
    × Sends a HEADERS frame that contains the header field name in uppercase letters
      - The endpoint MUST respond with a stream error of type PROTOCOL_ERROR.
        Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                  RST_STREAM frame (ErrorCode: PROTOCOL_ERROR)
                  Connection close
          Actual: PING frame (Length: 8, Flags: 0)
  8.1.2.1. Pseudo-Header Fields
    × Sends a HEADERS frame that contains the pseudo-header field defined for response
      - The endpoint MUST respond with a stream error of type PROTOCOL_ERROR.
        Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                  RST_STREAM frame (ErrorCode: PROTOCOL_ERROR)
                  Connection close
          Actual: PING frame (Length: 8, Flags: 0)
    × Sends a HEADERS frame that contains the invalid pseudo-header field
      - The endpoint MUST respond with a stream error of type PROTOCOL_ERROR.
        Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                  RST_STREAM frame (ErrorCode: PROTOCOL_ERROR)
                  Connection close
          Actual: PING frame (Length: 8, Flags: 0)
    × Sends a HEADERS frame that contains a pseudo-header field that appears in a header block after a regular header field
      - The endpoint MUST respond with a stream error of type PROTOCOL_ERROR.
        Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                  RST_STREAM frame (ErrorCode: PROTOCOL_ERROR)
                  Connection close
          Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
  8.1.2.2. Connection-Specific Header Fields
    × Sends a HEADERS frame that contains the connection-specific header field
      - The endpoint MUST respond with a stream error of type PROTOCOL_ERROR.
        Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                  RST_STREAM frame (ErrorCode: PROTOCOL_ERROR)
                  Connection close
          Actual: PING frame (Length: 8, Flags: 0)
    × Sends a HEADERS frame that contains the TE header field that contain any value other than "trailers"
      - The endpoint MUST respond with a stream error of type PROTOCOL_ERROR.
        Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                  RST_STREAM frame (ErrorCode: PROTOCOL_ERROR)
                  Connection close
          Actual: PING frame (Length: 8, Flags: 0)
  8.1.2.3. Request Pseudo-Header Fields
    × Sends a HEADERS frame that omits mandatory pseudo-header fields
      - The endpoint MUST respond with a stream error of type PROTOCOL_ERROR.
        Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                  RST_STREAM frame (ErrorCode: PROTOCOL_ERROR)
                  Connection close
          Actual: PING frame (Length: 8, Flags: 0)
    × Sends a HEADERS frame containing more than one pseudo-header fields with the same name
      - The endpoint MUST respond with a stream error of type PROTOCOL_ERROR.
        Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                  RST_STREAM frame (ErrorCode: PROTOCOL_ERROR)
                  Connection close
          Actual: PING frame (Length: 8, Flags: 0)
  8.1.2.6. Malformed Requests and Responses
    × Sends a HEADERS frame that contains the "content-length" header field which does not equal the sum of the DATA frame payload lengths
      - The endpoint MUST respond with a stream error of type PROTOCOL_ERROR.
        Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                  RST_STREAM frame (ErrorCode: PROTOCOL_ERROR)
                  Connection close
          Actual: PING frame (Length: 8, Flags: 0)
    × Sends a HEADERS frame that contains the "content-length" header field which does not equal the sum of the multiple DATA frame payload lengths
      - The endpoint MUST respond with a stream error of type PROTOCOL_ERROR.
        Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                  RST_STREAM frame (ErrorCode: PROTOCOL_ERROR)
                  Connection close
          Actual: PING frame (Length: 8, Flags: 0)
  8.2. Server Push
    × Sends a PUSH_PROMISE frame
      - The endpoint MUST treat the receipt of a PUSH_PROMISE frame as a connection error of type PROTOCOL_ERROR.
        Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                  Connection close
          Actual: GOAWAY frame (Length: 32, Flags: 0, ErrorCode: NO_ERROR)
70 tests, 14 passed, 0 skipped, 56 failed
===============================================================================
Failed tests
===============================================================================
  4.2. Frame Size
    × Sends large size frame that exceeds the SETTINGS_MAX_FRAME_SIZE
      - The endpoint MUST send a FRAME_SIZE_ERROR error.
        Expected: GOAWAY frame (ErrorCode: FRAME_SIZE_ERROR)
                  RST_STREAM frame (ErrorCode: FRAME_SIZE_ERROR)
                  Connection close
          Actual: PING frame (Length: 8, Flags: 0)
  4.3. Header Compression and Decompression
    × Sends invalid header block fragment
      - The endpoint MUST terminate the connection with a connection error of type COMPRESSION_ERROR.
        Expected: GOAWAY frame (ErrorCode: COMPRESSION_ERROR)
                  Connection close
          Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
    × Encodes Dynamic Table Size Update (RFC 7541, 6.3) after common header fields
      - The endpoint MUST terminate the connection with a connection error of type COMPRESSION_ERROR.
        Expected: GOAWAY frame (ErrorCode: COMPRESSION_ERROR)
                  Connection close
          Actual: PING frame (Length: 8, Flags: 0)
  5.1. Stream States
    × idle: Sends a DATA frame
      - The endpoint MUST treat this as a connection error (Section 5.4.1) of type PROTOCOL_ERROR.
        Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                  Connection close
          Actual: Test timeout
    × idle: Sends a RST_STREAM frame
      - The endpoint MUST treat this as a connection error (Section 5.4.1) of type PROTOCOL_ERROR.
        Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                  Connection close
          Actual: Test timeout
    × idle: Sends a WINDOW_UPDATE frame
      - The endpoint MUST treat this as a connection error (Section 5.4.1) of type PROTOCOL_ERROR.
        Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                  Connection close
          Actual: Test timeout
    × idle: Sends a CONTINUATION frame
      - The endpoint MUST treat this as a connection error (Section 5.4.1) of type PROTOCOL_ERROR.
        Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR)
                  Connection close
          Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
    × half closed (remote): Sends a DATA frame
      - The endpoint MUST respond with a stream error (Section 5.4.2) of type STREAM_CLOSED.
        Expected: GOAWAY frame (ErrorCode: STREAM_CLOSED)
                  RST_STREAM frame (ErrorCode: STREAM_CLOSED)
                  Connection close
          Actual: PING frame (Length: 8, Flags: 0)
    × half closed (remote): Sends a HEADERS frame
      - The endpoint MUST respond with a stream error (Section 5.4.2) of type STREAM_CLOSED.
        Expected: GOAWAY frame (ErrorCode: STREAM_CLOSED)
                  RST_STREAM frame (ErrorCode: STREAM_CLOSED)
                  Connection close
          Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR)
    × half closed (remote): Sends a CONTINUATION frame
      - The endpoint MUST respond with a stream error (Section 5.4.2) of type STREAM_CLOSED.
Expected: GOAWAY frame (ErrorCode: STREAM_CLOSED) RST_STREAM frame (ErrorCode: STREAM_CLOSED) GOAWAY frame (ErrorCode: PROTOCOL_ERROR) RST_STREAM frame (ErrorCode: PROTOCOL_ERROR) Connection close Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR) × closed: Sends a CONTINUATION frame - The endpoint MUST treat this as a stream error (Section 5.4.2) of type STREAM_CLOSED. Expected: GOAWAY frame (ErrorCode: STREAM_CLOSED) RST_STREAM frame (ErrorCode: STREAM_CLOSED) GOAWAY frame (ErrorCode: PROTOCOL_ERROR) RST_STREAM frame (ErrorCode: PROTOCOL_ERROR) Connection close Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR) 5.1.2. Stream Concurrency × Sends HEADERS frames that causes their advertised concurrent stream limit to be exceeded - The endpoint MUST treat this as a stream error (Section 5.4.2) of type PROTOCOL_ERROR or REFUSED_STREAM Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR) RST_STREAM frame (ErrorCode: PROTOCOL_ERROR) GOAWAY frame (ErrorCode: REFUSED_STREAM) RST_STREAM frame (ErrorCode: REFUSED_STREAM) Connection close Actual: HEADERS frame (Length: 21, Flags: 4) 5.3. Stream Priority 5.3.1. Stream Dependencies × Sends HEADERS frame that depend on itself - The endpoint MUST treat this as a stream error of type PROTOCOL_ERROR Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR) RST_STREAM frame (ErrorCode: PROTOCOL_ERROR) Connection close Actual: PING frame (Length: 8, Flags: 0) × Sends PRIORITY frame that depend on itself - The endpoint MUST treat this as a stream error of type PROTOCOL_ERROR Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR) RST_STREAM frame (ErrorCode: PROTOCOL_ERROR) Connection close Actual: Test timeout 5.5. Extending HTTP/2 × Sends an unknown extension frame in the middle of a header block - The endpoint MUST treat as a connection error of type PROTOCOL_ERROR. Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR) Connection close Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR) 6.1. 
DATA × Sends a DATA frame with 0x0 stream identifier - The endpoint MUST respond with a connection error of type PROTOCOL_ERROR. Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR) Connection close Actual: Test timeout × Sends a DATA frame on the stream that is not opend - The endpoint MUST respond with a stream error of type STREAM_CLOSED. Expected: GOAWAY frame (ErrorCode: STREAM_CLOSED) RST_STREAM frame (ErrorCode: STREAM_CLOSED) Connection close Actual: PING frame (Length: 8, Flags: 0) × Sends a DATA frame with invalid pad length - The endpoint MUST treat this as a connection error of type PROTOCOL_ERROR. Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR) RST_STREAM frame (ErrorCode: PROTOCOL_ERROR) Connection close Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR) 6.2. HEADERS × Sends a HEADERS frame followed by any frame other than CONTINUATION - The endpoint MUST treat the receipt of any other type of frame as a connection error of type PROTOCOL_ERROR. Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR) Connection close Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR) × Sends a HEADERS frame followed by a frame on a different stream - The endpoint MUST treat the receipt of a frame on a different stream as a connection error of type PROTOCOL_ERROR. Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR) Connection close Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR) × Sends a HEADERS frame with 0x0 stream identifier - The endpoint MUST respond with a connection error of type PROTOCOL_ERROR. Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR) Connection close Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR) × Sends a HEADERS frame with invalid pad length - The endpoint MUST treat this as a connection error of type PROTOCOL_ERROR. Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR) Connection close Actual: Test timeout 6.3. 
PRIORITY × Sends a PRIORITY frame with 0x0 stream identifier - The endpoint MUST respond with a connection error of type PROTOCOL_ERROR. Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR) Connection close Actual: PING frame (Length: 8, Flags: 0) × Sends a PRIORITY frame with a length other than 5 octets - The endpoint MUST respond with a stream error of type FRAME_SIZE_ERROR. Expected: GOAWAY frame (ErrorCode: FRAME_SIZE_ERROR) RST_STREAM frame (ErrorCode: FRAME_SIZE_ERROR) Connection close Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR) 6.4. RST_STREAM × Sends a RST_STREAM frame with 0x0 stream identifier - The endpoint MUST respond with a connection error of type PROTOCOL_ERROR. Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR) Connection close Actual: Test timeout × Sends a RST_STREAM frame on a idle stream - The endpoint MUST respond with a connection error of type PROTOCOL_ERROR. Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR) Connection close Actual: Test timeout × Sends a RST_STREAM frame with a length other than 4 octets - The endpoint MUST respond with a connection error of type FRAME_SIZE_ERROR. Expected: GOAWAY frame (ErrorCode: FRAME_SIZE_ERROR) Connection close Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR) 6.5. SETTINGS × Sends a SETTINGS frame that is not a zero-length with ACK flag - The endpoint MUST respond with a connection error of type FRAME_SIZE_ERROR. Expected: GOAWAY frame (ErrorCode: FRAME_SIZE_ERROR) Connection close Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR) × Sends a SETTINGS frame with the stream identifier that is not 0x0 - The endpoint MUST respond with a connection error of type PROTOCOL_ERROR. Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR) Connection close Actual: SETTINGS frame (Length: 0, Flags: 1) × Sends a SETTINGS frame with a length other than a multiple of 6 octets - The endpoint MUST respond with a connection error of type FRAME_SIZE_ERROR. 
Expected: GOAWAY frame (ErrorCode: FRAME_SIZE_ERROR) Connection close Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR) 6.5.2. Defined SETTINGS Parameters × SETTINGS_ENABLE_PUSH (0x2): Sends the value other than 0 or 1 - The endpoint MUST respond with a connection error of type PROTOCOL_ERROR. Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR) Connection close Actual: SETTINGS frame (Length: 0, Flags: 1) × SETTINGS_INITIAL_WINDOW_SIZE (0x4): Sends the value above the maximum flow control window size - The endpoint MUST respond with a connection error of type FLOW_CONTROL_ERROR. Expected: GOAWAY frame (ErrorCode: FLOW_CONTROL_ERROR) Connection close Actual: GOAWAY frame (Length: 35, Flags: 0, ErrorCode: NO_ERROR) × SETTINGS_MAX_FRAME_SIZE (0x5): Sends the value below the initial value - The endpoint MUST respond with a connection error of type PROTOCOL_ERROR. Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR) Connection close Actual: SETTINGS frame (Length: 0, Flags: 1) × SETTINGS_MAX_FRAME_SIZE (0x5): Sends the value above the maximum allowed frame size - The endpoint MUST respond with a connection error of type PROTOCOL_ERROR. Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR) Connection close Actual: SETTINGS frame (Length: 0, Flags: 1) 6.7. PING × Sends a PING frame with a length field value other than 8 - The endpoint MUST respond with a connection error of type FRAME_SIZE_ERROR. Expected: GOAWAY frame (ErrorCode: FRAME_SIZE_ERROR) Connection close Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR) 6.8. GOAWAY × Sends a GOAWAY frame with the stream identifier that is not 0x0 - The endpoint MUST respond with a connection error of type PROTOCOL_ERROR. Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR) Connection close Actual: Test timeout 6.9. WINDOW_UPDATE × Sends a WINDOW_UPDATE frame with a length other than a multiple of 4 octets - The endpoint MUST respond with a connection error of type FRAME_SIZE_ERROR. 
Expected: GOAWAY frame (ErrorCode: FRAME_SIZE_ERROR) Connection close Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR) 6.9.1. The Flow Control Window × Sends multiple WINDOW_UPDATE frames on a connection increasing the flow control window to above 2^31-1 - The endpoint MUST sends a GOAWAY frame with a FLOW_CONTROL_ERROR code. Expected: GOAWAY frame (ErrorCode: FLOW_CONTROL_ERROR) Actual: Test timeout 6.9.2. Initial Flow Control Window Size × Sends a SETTINGS_INITIAL_WINDOW_SIZE settings with an exceeded maximum window size value - The endpoint MUST respond with a connection error of type FLOW_CONTROL_ERROR. Expected: GOAWAY frame (ErrorCode: FLOW_CONTROL_ERROR) Connection close Actual: GOAWAY frame (Length: 35, Flags: 0, ErrorCode: NO_ERROR) 6.10. CONTINUATION × Sends multiple CONTINUATION frames - The endpoint must accept the frames. Expected: HEADERS frame Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR) × Sends a CONTINUATION frame followed by any frame other than CONTINUATION - The endpoint MUST treat as a connection error of type PROTOCOL_ERROR. Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR) Connection close Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR) × Sends a CONTINUATION frame followed by a frame on a different stream - The endpoint MUST treat as a connection error of type PROTOCOL_ERROR. Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR) Connection close Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR) × Sends a CONTINUATION frame with the stream identifier that is 0x0 - The endpoint MUST treat as a connection error of type PROTOCOL_ERROR. Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR) Connection close Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR) × Sends a CONTINUATION frame after the frame other than HEADERS, PUSH_PROMISE or CONTINUATION - The endpoint MUST treat as a connection error of type PROTOCOL_ERROR. 
Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR) Connection close Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR) 8.1. HTTP Request/Response Exchange × Sends a HEADERS frame containing trailer part - The endpoint should respond with HEADERS frame. Expected: HEADERS frame (Flags: 1) Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR) 8.1.2. HTTP Header Fields × Sends a HEADERS frame that contains the header field name in uppercase letters - The endpoint MUST respond with a stream error of type PROTOCOL_ERROR. Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR) RST_STREAM frame (ErrorCode: PROTOCOL_ERROR) Connection close Actual: PING frame (Length: 8, Flags: 0) 8.1.2.1. Pseudo-Header Fields × Sends a HEADERS frame that contains the pseudo-header field defined for response - The endpoint MUST respond with a stream error of type PROTOCOL_ERROR. Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR) RST_STREAM frame (ErrorCode: PROTOCOL_ERROR) Connection close Actual: PING frame (Length: 8, Flags: 0) × Sends a HEADERS frame that contains the invalid pseudo-header field - The endpoint MUST respond with a stream error of type PROTOCOL_ERROR. Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR) RST_STREAM frame (ErrorCode: PROTOCOL_ERROR) Connection close Actual: PING frame (Length: 8, Flags: 0) × Sends a HEADERS frame that contains a pseudo-header field that appears in a header block after a regular header field - The endpoint MUST respond with a stream error of type PROTOCOL_ERROR. Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR) RST_STREAM frame (ErrorCode: PROTOCOL_ERROR) Connection close Actual: GOAWAY frame (Length: 20, Flags: 0, ErrorCode: NO_ERROR) 8.1.2.2. Connection-Specific Header Fields × Sends a HEADERS frame that contains the connection-specific header field - The endpoint MUST respond with a stream error of type PROTOCOL_ERROR. 
Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR) RST_STREAM frame (ErrorCode: PROTOCOL_ERROR) Connection close Actual: PING frame (Length: 8, Flags: 0) × Sends a HEADERS frame that contains the TE header field that contain any value other than "trailers" - The endpoint MUST respond with a stream error of type PROTOCOL_ERROR. Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR) RST_STREAM frame (ErrorCode: PROTOCOL_ERROR) Connection close Actual: PING frame (Length: 8, Flags: 0) 8.1.2.3. Request Pseudo-Header Fields × Sends a HEADERS frame that omits mandatory pseudo-header fields - The endpoint MUST respond with a stream error of type PROTOCOL_ERROR. Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR) RST_STREAM frame (ErrorCode: PROTOCOL_ERROR) Connection close Actual: PING frame (Length: 8, Flags: 0) × Sends a HEADERS frame containing more than one pseudo-header fields with the same name - The endpoint MUST respond with a stream error of type PROTOCOL_ERROR. Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR) RST_STREAM frame (ErrorCode: PROTOCOL_ERROR) Connection close Actual: PING frame (Length: 8, Flags: 0) 8.1.2.6. Malformed Requests and Responses × Sends a HEADERS frame that contains the "content-length" header field which does not equal the sum of the DATA frame payload lengths - The endpoint MUST respond with a stream error of type PROTOCOL_ERROR. Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR) RST_STREAM frame (ErrorCode: PROTOCOL_ERROR) Connection close Actual: PING frame (Length: 8, Flags: 0) × Sends a HEADERS frame that contains the "content-length" header field which does not equal the sum of the multiple DATA frame payload lengths - The endpoint MUST respond with a stream error of type PROTOCOL_ERROR. Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR) RST_STREAM frame (ErrorCode: PROTOCOL_ERROR) Connection close Actual: PING frame (Length: 8, Flags: 0) 8.2. 
Server Push × Sends a PUSH_PROMISE frame - The endpoint MUST treat the receipt of a PUSH_PROMISE frame as a connection error of type PROTOCOL_ERROR. Expected: GOAWAY frame (ErrorCode: PROTOCOL_ERROR) Connection close Actual: GOAWAY frame (Length: 32, Flags: 0, ErrorCode: NO_ERROR)
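An added example (not part of the thread, and not h2spec's own code) that triages a flattened h2spec report like the one above: it drops the entries repeated by the "Failed tests" recap and buckets each failure by what came back, separating a GOAWAY carrying the wrong error code from cases where no error frame was seen at all. The function names and bucket labels are assumptions; the sample is abridged from the report above.

```python
import re
from collections import Counter

# One failed-test entry: free-text description, the "Expected:" alternatives,
# then the single "Actual:" observation (a frame summary or a timeout).
ENTRY = re.compile(
    r"(?P<desc>.*?)\s*Expected:\s*(?P<expected>.*?)\s*"
    r"Actual:\s*(?P<actual>Test timeout|\w+ frame \([^)]*\))",
    re.S,
)
ERROR_CODE = re.compile(r"ErrorCode: (\w+)")


def classify(expected, actual):
    """Bucket one failure by what the server actually sent back."""
    wanted = set(ERROR_CODE.findall(expected))
    if actual == "Test timeout":
        return "timeout"
    got = ERROR_CODE.search(actual)
    if got is None:
        return "no_error_frame"        # PING / SETTINGS / HEADERS came back instead
    if not wanted:
        return "rejected_valid_input"  # the test expected the frames to be accepted
    return "expected_error" if got.group(1) in wanted else "wrong_error_code"


def triage(report):
    """Parse a flattened h2spec report into unique, classified failures."""
    seen, failures = set(), []
    for chunk in report.split("×")[1:]:
        m = ENTRY.match(chunk.strip())
        if m is None:
            continue
        title = re.split(r"\s+-\s+The endpoint", m["desc"])[0].strip()
        key = (title, m["expected"])
        if key in seen:                # the "Failed tests" recap repeats entries
            continue
        seen.add(key)
        failures.append({
            "test": title,
            "expected": sorted(set(ERROR_CODE.findall(m["expected"]))),
            "actual": m["actual"],
            "bucket": classify(m["expected"], m["actual"]),
        })
    return failures


def summarise(report):
    """Count failures per bucket."""
    return Counter(f["bucket"] for f in triage(report))


# Sample abridged from the report above; _PUSH appears twice on purpose,
# once from the run itself and once from the recap.
_PUSH = (
    "8.2. Server Push × Sends a PUSH_PROMISE frame - The endpoint MUST treat the receipt "
    "of a PUSH_PROMISE frame as a connection error of type PROTOCOL_ERROR. Expected: GOAWAY "
    "frame (ErrorCode: PROTOCOL_ERROR) Connection close Actual: GOAWAY frame (Length: 32, "
    "Flags: 0, ErrorCode: NO_ERROR) "
)
SAMPLE_REPORT = (
    _PUSH + "70 tests, 14 passed, 0 skipped, 56 failed "
    "4.2. Frame Size × Sends large size frame that exceeds the SETTINGS_MAX_FRAME_SIZE - "
    "The endpoint MUST send a FRAME_SIZE_ERROR error. Expected: GOAWAY frame (ErrorCode: "
    "FRAME_SIZE_ERROR) RST_STREAM frame (ErrorCode: FRAME_SIZE_ERROR) Connection close "
    "Actual: PING frame (Length: 8, Flags: 0) "
    "5.1. Stream States × idle: Sends a DATA frame - The endpoint MUST treat this as a "
    "connection error (Section 5.4.1) of type PROTOCOL_ERROR. Expected: GOAWAY frame "
    "(ErrorCode: PROTOCOL_ERROR) Connection close Actual: Test timeout "
    "6.5. SETTINGS × Sends a SETTINGS frame with the stream identifier that is not 0x0 - "
    "The endpoint MUST respond with a connection error of type PROTOCOL_ERROR. Expected: "
    "GOAWAY frame (ErrorCode: PROTOCOL_ERROR) Connection close Actual: SETTINGS frame "
    "(Length: 0, Flags: 1) "
    "6.10. CONTINUATION × Sends multiple CONTINUATION frames - The endpoint must accept "
    "the frames. Expected: HEADERS frame Actual: GOAWAY frame (Length: 20, Flags: 0, "
    "ErrorCode: NO_ERROR) " + _PUSH
)

if __name__ == "__main__":
    for failure in triage(SAMPLE_REPORT):
        print(f'{failure["bucket"]:<22}{failure["test"]}')
    print(dict(summarise(SAMPLE_REPORT)))
```

The `timeout` and `no_error_frame` buckets are the ones to review first, since in those cases the report shows no error signal for the malformed input at all.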
Doing cipherscan and testssl tests against centminmod.com running HTTP/2 patched Nginx Code: cipherscan centminmod.com:443 ..................... Target: centminmod.com:443 prio ciphersuite protocols pfs curves 1 ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 ECDH,P-256,256bits prime256v1 2 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH,P-256,256bits prime256v1 3 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 ECDH,P-256,256bits prime256v1 4 DHE-RSA-AES128-GCM-SHA256 TLSv1.2 DH,2048bits None 5 DHE-RSA-AES256-GCM-SHA384 TLSv1.2 DH,2048bits None 6 ECDHE-RSA-AES128-SHA256 TLSv1.2 ECDH,P-256,256bits prime256v1 7 ECDHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits prime256v1 8 ECDHE-RSA-AES256-SHA384 TLSv1.2 ECDH,P-256,256bits prime256v1 9 ECDHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits prime256v1 10 DHE-RSA-AES128-SHA256 TLSv1.2 DH,2048bits None 11 DHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 DH,2048bits None 12 DHE-RSA-AES256-SHA256 TLSv1.2 DH,2048bits None 13 DHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 DH,2048bits None 14 AES128-GCM-SHA256 TLSv1.2 None None 15 AES256-GCM-SHA384 TLSv1.2 None None 16 AES128-SHA256 TLSv1.2 None None 17 AES256-SHA256 TLSv1.2 None None 18 AES128-SHA TLSv1,TLSv1.1,TLSv1.2 None None 19 AES256-SHA TLSv1,TLSv1.1,TLSv1.2 None None 20 DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 None None Certificate: trusted, 2048 bit, sha256WithRSAEncryption signature TLS ticket lifetime hint: 3600 OCSP stapling: supported Cipher ordering: server Fallbacks required: big-SSLv3 config not supported, connection failed big-TLSv1.0 no fallback req, connected: TLSv1 ECDHE-RSA-AES128-SHA big-TLSv1.1 no fallback req, connected: TLSv1.1 ECDHE-RSA-AES128-SHA big-TLSv1.2 no fallback req, connected: TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305 Code: testssl centminmod.com:443 No mapping file found ########################################################### testssl 2.6rc1 from https://testssl.sh/dev/ (1.343 2015/08/12 11:58:44) This program is free software. 
Distribution and modification under GPLv2 permitted. USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK! Please file bugs @ https://testssl.sh/bugs/ ########################################################### Using "OpenSSL 1.0.2-chacha (1.0.2e-dev)" [~181 ciphers] on 43b1c7a4c5d5:/usr/local/http2-15/bin/openssl (built: "reproducible build, date unspecified", platform: "linux-x86_64") Testing now (2015-08-13 09:56) ---> 162.211.65.18:443 (centminmod.com) <--- rDNS (162.211.65.18): centminmod.com. Service detected: HTTP --> Testing protocols (via sockets except TLS 1.2 and SPDY/NPN) SSLv2 not offered (OK) SSLv3 not offered (OK) TLS 1 offered TLS 1.1 offered TLS 1.2 offered (OK) SPDY/NPN http/1.1 (advertised) --> Testing ~standard cipher lists Null Ciphers not offered (OK) Anonymous NULL Ciphers not offered (OK) Anonymous DH Ciphers not offered (OK) 40 Bit encryption not offered (OK) 56 Bit encryption not offered (OK) Export Ciphers (general) not offered (OK) Low (<=64 Bit) not offered (OK) DES Ciphers not offered (OK) Medium grade encryption not offered (OK) Triple DES Ciphers offered (NOT ok) High grade encryption offered (OK) --> Testing (perfect) forward secrecy, (P)FS -- omitting 3DES, RC4 and Null Encryption here PFS is offered (OK) ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA --> Testing server preferences Has server cipher order? 
yes (OK) Negotiated protocol TLSv1.2 Negotiated cipher ECDHE-RSA-CHACHA20-POLY1305, 256 bit ECDH Cipher order TLSv1: ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA AES128-SHA AES256-SHA DES-CBC3-SHA TLSv1.1: ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA AES128-SHA AES256-SHA DES-CBC3-SHA TLSv1.2: ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA DES-CBC3-SHA http/1.1: ECDHE-RSA-CHACHA20-POLY1305 --> Testing server defaults (Server Hello) TLS server extensions renegotiation info, EC point formats, session ticket, status request Session Tickets RFC 5077 3600 seconds Server key size 2048 bit Signature Algorithm SHA256 with RSA Fingerprint / Serial SHA1 8CCB5CAA6066F2321A6FE8ED37920B7687CFBE39 / 623CBC1C62FD9C08BD83C9F033B009C8 SHA256 F9B041F7F6ACB1503FB68592B7F0B972D47683402DA2A5D30BAFCF9B70405E88 Common Name (CN) *.centminmod.com (CN in response to request w/o SNI: *.centminmod.com) subjectAltName (SAN) *.centminmod.com centminmod.com Issuer COMODO RSA Domain Validation Secure Server CA (COMODO CA Limited from GB) EV cert (experimental) no Certificate Expiration >= 60 days (2014-08-14 00:00 --> 2017-08-13 23:59 +0000) # of certificates provided 3 Certificate Revocation List http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl OCSP URI http://ocsp.comodoca.com OCSP stapling offered TLS timestamp random values, no fingerprinting possible --> Testing HTTP header response @ "/" HTTP Status Code 200 OK HTTP clock skew 0 sec from localtime Strict Transport Security -- Public Key Pinning -- Server banner nginx centminmod Application banner -- Cookie(s) 
(none issued at "/") Security headers -- Reverse Proxy banner -- --> Testing vulnerabilities Heartbleed (CVE-2014-0160) not vulnerable (OK) CCS (CVE-2014-0224) not vulnerable (OK) Secure Renegotiation (CVE 2009-3555) not vulnerable (OK) Secure Client-Initiated Renegotiation not vulnerable (OK) CRIME, TLS (CVE-2012-4929) not vulnerable (OK) BREACH (CVE-2013-3587) NOT ok: uses gzip HTTP compression (only "/" tested) POODLE, SSL (CVE-2014-3566) not vulnerable (OK) TLS_FALLBACK_SCSV (RFC 7507) Downgrade attack prevention supported (OK) FREAK (CVE-2015-0204), experimental not vulnerable (OK) LOGJAM (CVE-2015-4000), experimental not vulnerable (OK), common primes not checked. "testssl -E" spots candidates BEAST (CVE-2011-3389) TLS1: DES-CBC3-SHA -- but also supports higher protocols (possible mitigation): TLSv1.1 TLSv1.2 RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK) --> Testing all locally available 181 ciphers against the server, ordered by encryption strength Hexcode Cipher Suite Name (OpenSSL) KeyExch. 
Encryption Bits Cipher Suite Name (RFC) ----------------------------------------------------------------------------------------------------------------------- xcc13 ECDHE-RSA-CHACHA20-POLY1305 ECDH 256 ChaCha20 256 xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 256 AESGCM 256 xc028 ECDHE-RSA-AES256-SHA384 ECDH 256 AES 256 xc014 ECDHE-RSA-AES256-SHA ECDH 256 AES 256 x9f DHE-RSA-AES256-GCM-SHA384 DH 2048 AESGCM 256 x6b DHE-RSA-AES256-SHA256 DH 2048 AES 256 x39 DHE-RSA-AES256-SHA DH 2048 AES 256 x9d AES256-GCM-SHA384 RSA AESGCM 256 x3d AES256-SHA256 RSA AES 256 x35 AES256-SHA RSA AES 256 xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 256 AESGCM 128 xc027 ECDHE-RSA-AES128-SHA256 ECDH 256 AES 128 xc013 ECDHE-RSA-AES128-SHA ECDH 256 AES 128 x9e DHE-RSA-AES128-GCM-SHA256 DH 2048 AESGCM 128 x67 DHE-RSA-AES128-SHA256 DH 2048 AES 128 x33 DHE-RSA-AES128-SHA DH 2048 AES 128 x9c AES128-GCM-SHA256 RSA AESGCM 128 x3c AES128-SHA256 RSA AES 128 x2f AES128-SHA RSA AES 128 x0a DES-CBC3-SHA RSA 3DES 168
Actually, if you look at H2Check - usage share of the top ranking Alexa sites, all the top sites are detected with h2-14 or h2-15 for HTTP/2 draft 14 or 15 protocol, but none are for the final h2 protocol, which google.com supports as well as the drafts. So could be a case of h2check.org not checking for h2?
Code:
nghttp -nv https://google.com:443
[ 0.026] Connected
The negotiated protocol: h2
Added 6-way comparison test for Nginx HTTP/2 vs Nginx SPDY/3.1 vs Nginx HTTP/1.1 with/without ngx_pagespeed
Heads up: version 2 of the Nginx HTTP/2 patch was released
Index of /patches/http2/
Code:
2015-08-14 Version 2 (NGINX 1.9.3)
- Introduced NPN support for HTTP/2 negotiation (this reduces OpenSSL version requirement to 1.0.1+);
- Various fixes in the prioritization mechanism;
- Fixed missing "Location" response header in some configurations;
- Fixed processing of the ":authority" pseudo-header (the HTTP/2 analog of the "Host" header).
2015-08-05 Version 1 (NGINX 1.9.3)
The first public alpha release.

centmin mod 123.09beta01 has been updated to ensure latest Nginx patch is applied each time you run Nginx upgrade/recompile via centmin.sh menu option 4
update inc/nginx_upgrade.inc ensure latest HTTP/2 patch applied · centminmod/centminmod@26a6138 · GitHub

Nginx HTTP/2 version 2 patch fixed my Nginx HTTP/2 + ngx_pagespeed issues! Working now
Code:
nghttp -nas https://centminmod.com:443
***** Statistics *****
Request timing:
responseEnd: the time when last byte of response was received relative to connectEnd
requestStart: the time just before first byte of request was sent relative to connectEnd. If '*' is shown, this was pushed by server.
process: responseEnd - requestStart
code: HTTP status code
size: number of bytes received as response body without inflation.
URI: request URI
see http://www.w3.org/TR/resource-timing/#processing-model
sorted by 'complete'
id responseEnd requestStart process code size request path
13 +80.22ms +532us 79.69ms 200 29K /
15 +91.08ms +66.98ms 24.10ms 200 9K /img/favicon.ico
17 +125.17ms +66.99ms 58.18ms 200 60K /css/A.localfonts.css+font-awesome.min.css+bootstrap.min.css+hover-dropdown-menu.css+icons-set8.css+animate.min.css+style.css+responsive.css+color.css,Mcc.FHj-r4A0cI.css.pagespeed.cf.YOn5Xvomna.css
21 +141.41ms +66.99ms 74.42ms 200 7K /js/hover-dropdown-menu.js+jquery.hover-dropdown-menu-addon.js+jquery.easing.1.3.js.pagespeed.jc.vy5S6wKQse.js
25 +156.83ms +67.03ms 89.81ms 200 6K /js/custom.js.pagespeed.jm.q-StvNlmtR.js
19 +157.11ms +66.99ms 90.11ms 200 38K /js/jquery.min.js+bootstrap.min.js.pagespeed.jc.Cd39AMnoIp.js
23 +157.12ms +67.02ms 90.09ms 200 24K /js/bootstrapValidator.min.js.pagespeed.jm.YU3KUlvaHb.js
Maybe if you're looking at ngx_pagespeed enabled numbers for Nginx HTTP/2 v2 patch vs SPDY/3.1, you probably need more successive/repeat tests for more accurate numbers, given how ngx_pagespeed operates. For non-ngx-pagespeed numbers, it's very close for Nginx HTTP/2 v2 patch 4.891s vs SPDY/3.1 4.876s
Nginx HTTP/2 patch version 3
Re: HTTP/2: response is not gzip-compressed
Code:
2015-08-19 Version 3 (NGINX 1.9.4)
- The gzip and gzip_static modules might not work with HTTP/2 requests;
- Fixed processing of Cookie headers.
2015-08-14 Version 2 (NGINX 1.9.3)
- Introduced NPN support for HTTP/2 negotiation (this reduces OpenSSL version requirement to 1.0.1+);
- Various fixes in the prioritization mechanism;
- Fixed missing "Location" response header in some configurations;
- Fixed processing of the ":authority" pseudo-header (the HTTP/2 analog of the "Host" header).
2015-08-05 Version 1 (NGINX 1.9.3)
The first public alpha release.
Not sure if OCSP stapling is working with Nginx HTTP/2 patch ? from testssl tests it reports OCSP stapling not offered but SSL Labs says yes to OCSP Code: testssl https://centminmod.com:443 Code: --> Testing protocols (via sockets except TLS 1.2 and SPDY/NPN) SSLv2 not offered (OK) SSLv3 not offered (OK) TLS 1 offered TLS 1.1 offered TLS 1.2 offered (OK) SPDY/NPN h2, http/1.1 (advertised) --> Testing ~standard cipher lists Null Ciphers not offered (OK) Anonymous NULL Ciphers not offered (OK) Anonymous DH Ciphers not offered (OK) 40 Bit encryption not offered (OK) 56 Bit encryption not offered (OK) Export Ciphers (general) not offered (OK) Low (<=64 Bit) not offered (OK) DES Ciphers not offered (OK) Medium grade encryption not offered (OK) Triple DES Ciphers not offered (OK) High grade encryption offered (OK) --> Testing (perfect) forward secrecy, (P)FS -- omitting 3DES, RC4 and Null Encryption here PFS is offered (OK) ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA --> Testing server preferences Has server cipher order? 
yes (OK) Negotiated protocol TLSv1.2 Negotiated cipher ECDHE-RSA-CHACHA20-POLY1305, 256 bit ECDH Cipher order TLSv1: ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA AES128-SHA AES256-SHA TLSv1.1: ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA AES128-SHA AES256-SHA TLSv1.2: ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA h2: ECDHE-RSA-CHACHA20-POLY1305 http/1.1: ECDHE-RSA-CHACHA20-POLY1305 Code: --> Testing server defaults (Server Hello) TLS server extensions renegotiation info, EC point formats, session ticket Session Tickets RFC 5077 3600 seconds Server key size 2048 bit Signature Algorithm SHA256 with RSA Fingerprint / Serial SHA1 8CCB5CAA6066F2321A6FE8ED37920B7687CFBE39 / 623CBC1C62FD9C08BD83C9F033B009C8 SHA256 F9B041F7F6ACB1503FB68592B7F0B972D47683402DA2A5D30BAFCF9B70405E88 Common Name (CN) *.centminmod.com (CN in response to request w/o SNI: *.centminmod.com) subjectAltName (SAN) *.centminmod.com centminmod.com Issuer COMODO RSA Domain Validation Secure Server CA (COMODO CA Limited from GB) EV cert (experimental) no Certificate Expiration >= 60 days (2014-08-14 00:00 --> 2017-08-13 23:59 +0000) # of certificates provided 3 Certificate Revocation List http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl OCSP URI http://ocsp.comodoca.com OCSP stapling not offered TLS timestamp random values, no fingerprinting possible --> Testing HTTP header response @ "/" HTTP Status Code 200 OK HTTP clock skew 0 sec from localtime Strict Transport Security -- Public Key Pinning -- Server banner nginx centminmod Application banner -- Cookie(s) (none issued at 
"/") Security headers -- Reverse Proxy banner -- --> Testing vulnerabilities Heartbleed (CVE-2014-0160) not vulnerable (OK) CCS (CVE-2014-0224) not vulnerable (OK) Secure Renegotiation (CVE 2009-3555) not vulnerable (OK) Secure Client-Initiated Renegotiation not vulnerable (OK) CRIME, TLS (CVE-2012-4929) not vulnerable (OK) BREACH (CVE-2013-3587) NOT ok: uses gzip HTTP compression (only "/" tested) POODLE, SSL (CVE-2014-3566) not vulnerable (OK) TLS_FALLBACK_SCSV (RFC 7507) Downgrade attack prevention supported (OK) FREAK (CVE-2015-0204), experimental not vulnerable (OK) LOGJAM (CVE-2015-4000), experimental not vulnerable (OK), common primes not checked. "testssl -E" spots candidates BEAST (CVE-2011-3389) no CBC ciphers for TLS1 (OK) RC4 (CVE-2013-2566, CVE-2015-2808) no RC4 ciphers detected (OK) --> Testing all locally available 181 ciphers against the server, ordered by encryption strength Hexcode Cipher Suite Name (OpenSSL) KeyExch. Encryption Bits Cipher Suite Name (RFC) ----------------------------------------------------------------------------------------------------------------------- xcc13 ECDHE-RSA-CHACHA20-POLY1305 ECDH 256 ChaCha20 256 xc030 ECDHE-RSA-AES256-GCM-SHA384 ECDH 256 AESGCM 256 xc028 ECDHE-RSA-AES256-SHA384 ECDH 256 AES 256 xc014 ECDHE-RSA-AES256-SHA ECDH 256 AES 256 x9f DHE-RSA-AES256-GCM-SHA384 DH 2048 AESGCM 256 x6b DHE-RSA-AES256-SHA256 DH 2048 AES 256 x39 DHE-RSA-AES256-SHA DH 2048 AES 256 x9d AES256-GCM-SHA384 RSA AESGCM 256 x3d AES256-SHA256 RSA AES 256 x35 AES256-SHA RSA AES 256 xc02f ECDHE-RSA-AES128-GCM-SHA256 ECDH 256 AESGCM 128 xc027 ECDHE-RSA-AES128-SHA256 ECDH 256 AES 128 xc013 ECDHE-RSA-AES128-SHA ECDH 256 AES 128 x9e DHE-RSA-AES128-GCM-SHA256 DH 2048 AESGCM 128 x67 DHE-RSA-AES128-SHA256 DH 2048 AES 128 x33 DHE-RSA-AES128-SHA DH 2048 AES 128 x9c AES128-GCM-SHA256 RSA AESGCM 128 x3c AES128-SHA256 RSA AES 128 x2f AES128-SHA RSA AES 128 however openssl cmd test reports it's working with OCSP stapling Code: OCSP Response Data: OCSP 
Response Status: successful (0x0)
Code:
echo QUIT | openssl s_client -connect centminmod.com:443 -tls1 -tlsextdebug -status | grep -A17 'OCSP response:'
depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO RSA Certification Authority
verify error:num=20:unable to get local issuer certificate
OCSP response:
======================================
OCSP Response Data:
OCSP Response Status: successful (0x0)
Response Type: Basic OCSP Response
Version: 1 (0x0)
Responder Id: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
Produced At: Aug 23 10:54:27 2015 GMT
Responses:
Certificate ID:
Hash Algorithm: sha1
Issuer Name Hash: 7AE13EE8A0C42A2CB428CBE7A605461940E2A1E9
Issuer Key Hash: 90AF6A3A945A0BD890EA125673DF43B43A28DAE7
Serial Number: 623CBC1C62FD9C08BD83C9F033B009C8
Cert Status: good
This Update: Aug 23 10:54:27 2015 GMT
Next Update: Aug 27 10:54:27 2015 GMT
DONE

as does the cipherscan test, which shows OCSP supported
Code:
cipherscan centminmod.com:443
.....................
Target: centminmod.com:443 prio ciphersuite protocols pubkey_size signature_algoritm trusted ticket_hint ocsp_staple pfs curves 1 ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 2048 sha256WithRSAEncryption True 3600 True ECDH,P-256,256bits prime256v1 2 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 2048 sha256WithRSAEncryption True 3600 True ECDH,P-256,256bits prime256v1 3 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 2048 sha256WithRSAEncryption True 3600 True ECDH,P-256,256bits prime256v1 4 DHE-RSA-AES128-GCM-SHA256 TLSv1.2 2048 sha256WithRSAEncryption True 3600 True DH,2048bits None 5 DHE-RSA-AES256-GCM-SHA384 TLSv1.2 2048 sha256WithRSAEncryption True 3600 True DH,2048bits None 6 ECDHE-RSA-AES128-SHA256 TLSv1.2 2048 sha256WithRSAEncryption True 3600 True ECDH,P-256,256bits prime256v1 7 ECDHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption True 3600 True ECDH,P-256,256bits prime256v1 8 ECDHE-RSA-AES256-SHA384 TLSv1.2 2048 sha256WithRSAEncryption True 3600 True ECDH,P-256,256bits prime256v1 9 ECDHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption True 3600 True ECDH,P-256,256bits prime256v1 10 DHE-RSA-AES128-SHA256 TLSv1.2 2048 sha256WithRSAEncryption True 3600 True DH,2048bits None 11 DHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption True 3600 False DH,2048bits None 12 DHE-RSA-AES256-SHA256 TLSv1.2 2048 sha256WithRSAEncryption True 3600 True DH,2048bits None 13 DHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption True 3600 True DH,2048bits None 14 AES128-GCM-SHA256 TLSv1.2 2048 sha256WithRSAEncryption True 3600 True None None 15 AES256-GCM-SHA384 TLSv1.2 2048 sha256WithRSAEncryption True 3600 True None None 16 AES128-SHA256 TLSv1.2 2048 sha256WithRSAEncryption True 3600 True None None 17 AES256-SHA256 TLSv1.2 2048 sha256WithRSAEncryption True 3600 True None None 18 AES128-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption True 3600 True None None 19 AES256-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption True 3600 
True None None 20 DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption True 3600 True None None OCSP stapling: supported Cipher ordering: server Fallbacks required: big-SSLv3 config not supported, connection failed big-TLSv1.0 no fallback req, connected: TLSv1 ECDHE-RSA-AES128-SHA big-TLSv1.1 no fallback req, connected: TLSv1.1 ECDHE-RSA-AES128-SHA big-TLSv1.2 no fallback req, connected: TLSv1.2 ECDHE-RSA-CHACHA20-POLY1305
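An added example (not from the thread) for the disagreement above, where testssl reported "OCSP stapling not offered" while `openssl s_client -status` showed a good staple and the cipherscan table has one `False` among its `ocsp_staple` values: it classifies several `s_client -status` transcripts and checks the staple's validity window, so a verdict does not rest on a single handshake. The function names and verdict labels are assumptions; `STAPLED` is abridged from the output quoted above and `NOT_STAPLED` is constructed.

```python
import re
import subprocess
from datetime import datetime, timezone

_DATE = r"(\w{3}\s+\d+ [\d:]+ \d{4} GMT)"
_FIELDS = {
    "response_status": re.compile(r"OCSP Response Status:\s*(\w+)"),
    "cert_status": re.compile(r"Cert Status:\s*(\w+)"),
    "this_update": re.compile(r"This Update:\s*" + _DATE),
    "next_update": re.compile(r"Next Update:\s*" + _DATE),
}


def _when(text):
    """Parse OpenSSL's 'Aug 23 10:54:27 2015 GMT' timestamps as UTC."""
    return datetime.strptime(text, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def parse_probe(output, now):
    """Classify one `openssl s_client -status` transcript."""
    found = {}
    for name, rx in _FIELDS.items():
        m = rx.search(output)
        found[name] = m.group(1) if m else None
    if found["response_status"] is None:
        return "no_staple"            # e.g. "OCSP response: no response sent"
    if found["response_status"] != "successful":
        return "not_successful"
    if found["cert_status"] != "good":
        return "cert_" + str(found["cert_status"])
    if found["this_update"] is None or _when(found["this_update"]) > now:
        return "stale"                # missing or not-yet-valid thisUpdate
    if found["next_update"] is not None and _when(found["next_update"]) < now:
        return "stale"                # staple is past its nextUpdate
    return "good"


def assess(outputs, now):
    """Combine several probes of the same host into one verdict."""
    states = [parse_probe(o, now) for o in outputs]
    if any(s not in ("good", "no_staple") for s in states):
        return "invalid_staple"
    if all(s == "good" for s in states):
        return "stapled"
    if all(s == "no_staple" for s in states):
        return "not_stapled"
    return "intermittent"             # some handshakes carried a staple, some did not


def probe(host, port=443):
    """Live probe; needs network access and the openssl binary on PATH."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host, "-status"]
    done = subprocess.run(cmd, input="QUIT\n", capture_output=True,
                          text=True, timeout=15)
    return done.stdout


# Abridged from the s_client output quoted in the post above.
STAPLED = """OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Produced At: Aug 23 10:54:27 2015 GMT
    Cert Status: good
    This Update: Aug 23 10:54:27 2015 GMT
    Next Update: Aug 27 10:54:27 2015 GMT
"""
# Constructed: what s_client prints when the server sends no staple.
NOT_STAPLED = "OCSP response: no response sent\n"

if __name__ == "__main__":
    at = datetime(2015, 8, 24, tzinfo=timezone.utc)
    print(assess([NOT_STAPLED, STAPLED, STAPLED], at))
```

For a live check, call `probe()` a few times in a row and pass the collected outputs to `assess()` with the current UTC time.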
Can't compare, GTmetrix uses an older Chrome 36 which doesn't support HTTP/2 - been asking them to update their Chrome browser for HTTP/2 support https://twitter.com/centminmod/status/617297829422239744
4th Nginx HTTP/2 patch released
Index of /patches/http2/
Code:
2015-08-31 Version 4 (NGINX 1.9.4)
- Improved error handling;
- Added the http2_max_field_size directive that limits the maximum size of a request header field (4096 bytes by default).
2015-08-19 Version 3 (NGINX 1.9.4)
- The gzip and gzip_static modules might not work with HTTP/2 requests;
- Fixed processing of Cookie headers.
2015-08-14 Version 2 (NGINX 1.9.3)
- Introduced NPN support for HTTP/2 negotiation (this reduces OpenSSL version requirement to 1.0.1+);
- Various fixes in the prioritization mechanism;
- Fixed missing "Location" response header in some configurations;
- Fixed processing of the ":authority" pseudo-header (the HTTP/2 analog of the "Host" header).
2015-08-05 Version 1 (NGINX 1.9.3)
The first public alpha release.