
SSL Tools for debugging, testing & using HTTP/2 + Docker image

Discussion in 'Domains, DNS, Email & SSL Certificates' started by eva2000, Dec 9, 2015.

  1. eva2000

    eva2000 Administrator Staff Member

    55,404
    12,256
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +18,836
    Local Time:
    8:28 PM
    Nginx 1.27.x
    MariaDB 10.x/11.4+
    Cloudflare posted a new blog article outlining tools you can use to test, debug and use HTTP/2, including nghttp2, h2i, h2spec, curl 7.43+ etc. It just happens I have been maintaining an Ubuntu Vivid based Docker image for the nghttp2 client and the majority of the HTTP/2 and TLS/SSL testing tools mentioned in the article, along with the additional cipherscan tool, testssl.sh tool, h2spec and ssllabs-scan tool etc. at https://hub.docker.com/r/centminmod/docker-ubuntu-nghttp2/.
    The Ubuntu Vivid based nghttp2 Docker image was a part of my Centmin Mod Docker Developer forum work and learning, so check out the forums ;)

    As part of the nghttp2 library and client bundle, there's an h2load tool. Think of it as an HTTP/2 version of apachebench or siege bench for stress and load testing HTTP/2 enabled sites over HTTP/2 client connections instead of HTTP/1.1. Documentation for the h2load tool is at https://nghttp2.org/documentation/h2load-howto.html


     
    Last edited: Dec 10, 2015
  2. eva2000

    Example tools from my Ubuntu Vivid based Docker image for nghttp2 client, library and HTTP/2 bundled tools.

    OpenSSL 1.02f dev build with chacha20 cipher patch support
    Code:
    /usr/local/http2-15/bin/openssl version
    OpenSSL 1.0.2-chacha (1.0.2f-dev)
    Code:
    /usr/local/http2-15/bin/openssl ciphers -l -V "ALL:COMPLEMENTOFALL" | grep ChaCha
              0xCC,0x14 - ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=ChaCha20(256) Mac=AEAD
              0xCC,0x13 - ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=ChaCha20(256) Mac=AEAD
              0xCC,0x15 - DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=ChaCha20(256) Mac=AEAD

    h2i
    Code:
     h2i centminmod.com
    Connecting to centminmod.com:443 ...
    Connected to 162.211.65.18:443
    Negotiated protocol "h2"
    [FrameHeader SETTINGS len=18]
      [MAX_CONCURRENT_STREAMS = 128]
      [INITIAL_WINDOW_SIZE = 2147483647]
      [MAX_FRAME_SIZE = 16777215]
    [FrameHeader WINDOW_UPDATE len=4]
      Window-Increment = 2147418112
    
    h2i> quit

    cipherscan
    Code:
    cipherscan centminmod.com
    ............................
    Target: centminmod.com:443
    
    prio  ciphersuite                  protocols              pfs                 curves
    1     ECDHE-RSA-CHACHA20-POLY1305  TLSv1.2                ECDH,P-256,256bits  prime256v1
    2     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-256,256bits  prime256v1
    3     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,P-256,256bits  prime256v1
    4     DHE-RSA-AES128-GCM-SHA256    TLSv1.2                DH,2048bits         None
    5     DHE-RSA-AES256-GCM-SHA384    TLSv1.2                DH,2048bits         None
    6     ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,P-256,256bits  prime256v1
    7     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
    8     ECDHE-RSA-AES256-SHA384      TLSv1.2                ECDH,P-256,256bits  prime256v1
    9     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
    10    DHE-RSA-AES128-SHA256        TLSv1.2                DH,2048bits         None
    11    DHE-RSA-AES128-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,2048bits         None
    12    DHE-RSA-AES256-SHA256        TLSv1.2                DH,2048bits         None
    13    DHE-RSA-AES256-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,2048bits         None
    14    AES128-GCM-SHA256            TLSv1.2                None                None
    15    AES256-GCM-SHA384            TLSv1.2                None                None
    16    AES128-SHA256                TLSv1.2                None                None
    17    AES256-SHA256                TLSv1.2                None                None
    18    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
    19    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
    
    Certificate: trusted, 2048 bits, sha256WithRSAEncryption signature
    TLS ticket lifetime hint: 3600
    OCSP stapling: supported
    Cipher ordering: server
    Curves ordering: server - fallback: no
    Server supports secure renegotiation
    Server supported compression methods: NONE
    TLS Tolerance: yes

    custom compiled curl 7.46 dev build with --http2 flag support via nghttp2 compilation
    Code:
    curl -V
    curl 7.46.1-DEV (x86_64-unknown-linux-gnu) libcurl/7.46.1-DEV OpenSSL/1.0.2f zlib/1.2.8 libssh2/1.4.3 nghttp2/1.5.1-DEV
    Protocols: dict file ftp ftps gopher http https imap imaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp
    Features: AsynchDNS IPv6 Largefile NTLM NTLM_WB SSL libz TLS-SRP HTTP2 UnixSockets
    
    Code:
    curl --http2 -I https://centminmod.com
    HTTP/2.0 200
    content-type:text/html; charset=utf-8
    vary:Accept-Encoding
    server:nginx centminmod
    x-powered-by:centminmod
    public-key-pins:pin-sha256="oGbPgwR7vxLMpWdDIy+gc/Z0YD0EYCblHDCCgNQg9W8="; pin-sha256="KrRz+515ViRd/gdl7yGWCW1R4CFAAeMIBHp0JTNk8qc="; max-age=604800; includeSubDomains
    date:Wed, 09 Dec 2015 05:14:41 GMT
    x-page-speed:centminmod.com PageSpeed
    cache-control:max-age=0, no-cache
    

    nghttp2 client over HTTP/2
    Code:
    nghttp -nv https://centminmod.com:443
    [  0.048] Connected
    The negotiated protocol: h2
    [  0.088] recv SETTINGS frame <length=18, flags=0x00, stream_id=0>
              (niv=3)
              [SETTINGS_MAX_CONCURRENT_STREAMS(0x03):128]
              [SETTINGS_INITIAL_WINDOW_SIZE(0x04):2147483647]
              [SETTINGS_MAX_FRAME_SIZE(0x05):16777215]
    [  0.088] recv WINDOW_UPDATE frame <length=4, flags=0x00, stream_id=0>
              (window_size_increment=2147418112)
    [  0.089] send SETTINGS frame <length=12, flags=0x00, stream_id=0>
              (niv=2)
              [SETTINGS_MAX_CONCURRENT_STREAMS(0x03):100]
              [SETTINGS_INITIAL_WINDOW_SIZE(0x04):65535]
    [  0.089] send SETTINGS frame <length=0, flags=0x01, stream_id=0>
              ; ACK
              (niv=0)
    [  0.089] send PRIORITY frame <length=5, flags=0x00, stream_id=3>
              (dep_stream_id=0, weight=201, exclusive=0)
    [  0.089] send PRIORITY frame <length=5, flags=0x00, stream_id=5>
              (dep_stream_id=0, weight=101, exclusive=0)
    [  0.089] send PRIORITY frame <length=5, flags=0x00, stream_id=7>
              (dep_stream_id=0, weight=1, exclusive=0)
    [  0.089] send PRIORITY frame <length=5, flags=0x00, stream_id=9>
              (dep_stream_id=7, weight=1, exclusive=0)
    [  0.089] send PRIORITY frame <length=5, flags=0x00, stream_id=11>
              (dep_stream_id=3, weight=1, exclusive=0)
    [  0.089] send HEADERS frame <length=41, flags=0x25, stream_id=13>
              ; END_STREAM | END_HEADERS | PRIORITY
              (padlen=0, dep_stream_id=11, weight=16, exclusive=0)
              ; Open new stream
              :method: GET
              :path: /
              :scheme: https
              :authority: centminmod.com
              accept: */*
              accept-encoding: gzip, deflate
              user-agent: nghttp2/1.5.1-DEV
    [  0.112] recv SETTINGS frame <length=0, flags=0x01, stream_id=0>
              ; ACK
              (niv=0)
    [  0.180] recv (stream_id=13) :status: 200
    [  0.181] recv (stream_id=13) content-type: text/html; charset=utf-8
    [  0.181] recv (stream_id=13) vary: Accept-Encoding
    [  0.181] recv (stream_id=13) server: nginx centminmod
    [  0.181] recv (stream_id=13) x-powered-by: centminmod
    [  0.181] recv (stream_id=13) public-key-pins: pin-sha256="oGbPgwR7vxLMpWdDIy+gc/Z0YD0EYCblHDCCgNQg9W8="; pin-sha256="KrRz+515ViRd/gdl7yGWCW1R4CFAAeMIBHp0JTNk8qc="; max-age=604800; includeSubDomains
    [  0.181] recv (stream_id=13) date: Wed, 09 Dec 2015 05:18:02 GMT
    [  0.181] recv (stream_id=13) x-page-speed: centminmod.com PageSpeed
    [  0.181] recv (stream_id=13) cache-control: max-age=0, no-cache
    [  0.181] recv (stream_id=13) content-encoding: gzip
    [  0.181] recv HEADERS frame <length=397, flags=0x04, stream_id=13>
              ; END_HEADERS
              (padlen=0)
              ; First response header
    [  0.181] recv DATA frame <length=8192, flags=0x00, stream_id=13>
    [  0.196] recv DATA frame <length=8192, flags=0x00, stream_id=13>
    [  0.196] recv DATA frame <length=8192, flags=0x00, stream_id=13>
    [  0.196] recv DATA frame <length=10, flags=0x00, stream_id=13>
    [  0.196] recv DATA frame <length=6401, flags=0x01, stream_id=13>
              ; END_STREAM
    [  0.196] send GOAWAY frame <length=8, flags=0x00, stream_id=0>
              (last_stream_id=0, error_code=NO_ERROR(0x00), opaque_data(0)=[])

    nghttp2 client HTTP/2 statistics
    Code:
    nghttp -nas https://centminmod.com:443
    ***** Statistics *****
    
    Request timing:
      responseEnd: the  time  when  last  byte of  response  was  received
                   relative to connectEnd
    requestStart: the time  just before  first byte  of request  was sent
                   relative  to connectEnd.   If  '*' is  shown, this  was
                   pushed by server.
          process: responseEnd - requestStart
             code: HTTP status code
             size: number  of  bytes  received as  response  body  without
                   inflation.
              URI: request URI
    
    see http://www.w3.org/TR/resource-timing/#processing-model
    
    sorted by 'complete'
    
    id  responseEnd requestStart  process code size request path
    13    +80.40ms       +206us  80.19ms  200  30K /
    15    +93.00ms     +65.64ms  27.36ms  200   9K /img/favicon.ico
    19   +109.03ms     +65.65ms  43.38ms  200  38K /js/jquery.min.js+bootstrap.min.js.pagespeed.jc.Cd39AMnoIp.js
    21   +109.36ms     +65.65ms  43.71ms  200   7K /js/hover-dropdown-menu.js+jquery.hover-dropdown-menu-addon.js+jquery.easing.1.3.js.pagespeed.jc.vy5S6wKQse.js
    25   +124.13ms     +65.65ms  58.47ms  200   6K /js/custom.js.pagespeed.jm.q-StvNlmtR.js
    23   +124.58ms     +65.65ms  58.93ms  200  24K /js/bootstrapValidator.min.js.pagespeed.jm.YU3KUlvaHb.js
    17   +165.58ms     +65.65ms  99.93ms  200  60K /css/A.localfonts.css+font-awesome.min.css+bootstrap.min.css+hover-dropdown-menu.css+icons-set8.css+animate.min.css+style.css+responsive.css+color.css,Mcc.vO6cqnBPv1.css.pagespeed.cf.zQmJLucqr5.css

    check for ALPN extension support in Nginx HTTP/2 in Centmin Mod LEMP stack on centminmod.com
    Code:
    /usr/local/http2-15/bin/openssl s_client -alpn h2 -host centminmod.com -port 443
    
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-CHACHA20-POLY1305
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    ALPN protocol: h2
    

    check for NPN extension support
    Code:
    /usr/local/http2-15/bin/openssl s_client -nextprotoneg h2 -host centminmod.com -port 443
    
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-CHACHA20-POLY1305
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    Next protocol: (1) h2
    No ALPN negotiated

    testssl
    Code:
    testssl centminmod.com:443
    
    ###########################################################
        testssl       2.7dev from https://testssl.sh/dev/
        (1.426 2015/12/08 16:50:57)
    
     Testing protocols (via sockets except TLS 1.2 and SPDY/NPN) 
    
     SSLv2      not offered (OK)
     SSLv3      not offered (OK)
     TLS 1      offered
     TLS 1.1    offered
     TLS 1.2    offered (OK)
     SPDY/NPN   h2, http/1.1 (advertised)
    
     Testing ~standard cipher lists 
    
     Null Ciphers                 not offered (OK)
     Anonymous NULL Ciphers       not offered (OK)
     Anonymous DH Ciphers         not offered (OK)
     40 Bit encryption            not offered (OK)
     56 Bit encryption            not offered (OK)
     Export Ciphers (general)     not offered (OK)
     Low (<=64 Bit)               not offered (OK)
     DES Ciphers                  not offered (OK)
     Medium grade encryption      not offered (OK)
     Triple DES Ciphers           not offered (OK)
     High grade encryption        offered (OK)
    
     Testing (perfect) forward secrecy, (P)FS -- omitting 3DES, RC4 and Null Encryption here 
    
     PFS is offered (OK)  ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA 
    
     Testing server preferences 
    
     Has server cipher order?     yes (OK)
     Negotiated protocol          TLSv1.2
     Negotiated cipher            ECDHE-RSA-CHACHA20-POLY1305, 256 bit ECDH
     Cipher order
         TLSv1:     ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA AES128-SHA AES256-SHA 
         TLSv1.1:   ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA AES128-SHA AES256-SHA 
         TLSv1.2:   ECDHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA 
         h2:        ECDHE-RSA-CHACHA20-POLY1305 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA 
         http/1.1:  ECDHE-RSA-CHACHA20-POLY1305 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA 
    
     Testing server defaults (Server Hello) 
    
     TLS server extensions (std)  "renegotiation info" "EC point formats" "session ticket" "status request" "next protocol" 
     Session Tickets RFC 5077     3600 seconds (PFS requires session ticket keys to be rotated <= daily)
     SSL Session ID support       yes
     Server key size              2048 bit
     Signature Algorithm          SHA256 with RSA
     Fingerprint / Serial         SHA1 8CCB5CAA6066F2321A6FE8ED37920B7687CFBE39 / 623CBC1C62FD9C08BD83C9F033B009C8
                                  SHA256 F9B041F7F6ACB1503FB68592B7F0B972D47683402DA2A5D30BAFCF9B70405E88
     Common Name (CN)             "*.centminmod.com" (wildcard certificate match) (CN in response to request w/o SNI: "*.centminmod.com")
     subjectAltName (SAN)         "*.centminmod.com" "centminmod.com" 
     Issuer                       "COMODO RSA Domain Validation Secure Server CA" ("COMODO CA Limited" from "GB")
     EV cert (experimental)       no 
     Certificate Expiration       613 >= 60 days (2014-08-14 00:00 --> 2017-08-13 23:59 +0000)
     # of certificates provided   3
     Chain of trust (experim.)    "/usr/bin/etc/*.pem" cannot be found / not readable
     Certificate Revocation List  http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl
     OCSP URI                     http://ocsp.comodoca.com
     OCSP stapling                offered
     TLS timestamp                random values, no fingerprinting possible 
    
     Testing HTTP header response @ "/" 
    
     HTTP Status Code             200 OK
     HTTP clock skew              0 sec from localtime
     Strict Transport Security    --
     Public Key Pinning           # of keys: 2, 604800 s = 7 days (<30 days is not good enough), includeSubDomains
                                  matching host key: oGbPgwR7vxLMpWdDIy+gc/Z0YD0EYCblHDCCgNQg9W8
     Server banner                nginx centminmod
     Application banner           X-Powered-By: centminmod
     Cookie(s)                    (none issued at "/")
     Security headers             --
     Reverse Proxy banner         --
    
     Testing vulnerabilities 
    
     Heartbleed (CVE-2014-0160)                not vulnerable (OK) (no heartbeat extension)
     CCS (CVE-2014-0224)                       not vulnerable (OK)
     Secure Renegotiation (CVE-2009-3555)      not vulnerable (OK)
     Secure Client-Initiated Renegotiation     not vulnerable (OK)
     CRIME, TLS (CVE-2012-4929)                not vulnerable (OK)
     BREACH (CVE-2013-3587)                    potentially NOT ok, uses gzip HTTP compression. - only supplied "/" tested
                                               Can be ignored for static pages or if no secrets in the page
     POODLE, SSL (CVE-2014-3566)               not vulnerable (OK)
     TLS_FALLBACK_SCSV (RFC 7507), experim.    Downgrade attack prevention supported (OK)
     FREAK (CVE-2015-0204)                     not vulnerable (OK)
     LOGJAM (CVE-2015-4000), experimental      not vulnerable (OK), common primes not checked. See below for any DH ciphers + bit size
     BEAST (CVE-2011-3389)                     TLS1: AES128-SHA DHE-RSA-AES128-SHA
                                                     AES256-SHA DHE-RSA-AES256-SHA ECDHE-RSA-AES128-SHA
                                                     ECDHE-RSA-AES256-SHA
                                               VULNERABLE -- but also supports higher protocols (possible mitigation): TLSv1.1 TLSv1.2
     RC4 (CVE-2013-2566, CVE-2015-2808)        no RC4 ciphers detected (OK)
    
     Testing all 181 locally available ciphers against the server, ordered by encryption strength 
    
    Hexcode  Cipher Suite Name (OpenSSL)    KeyExch.   Encryption Bits
    -------------------------------------------------------------------------
     xcc13   ECDHE-RSA-CHACHA20-POLY1305    ECDH 256   ChaCha20   256                                                                                    
     xc030   ECDHE-RSA-AES256-GCM-SHA384    ECDH 256   AESGCM     256                                                                                    
     xc028   ECDHE-RSA-AES256-SHA384        ECDH 256   AES        256                                                                                    
     xc014   ECDHE-RSA-AES256-SHA           ECDH 256   AES        256                                                                                    
     x9f     DHE-RSA-AES256-GCM-SHA384      DH 2048    AESGCM     256                                                                                    
     x6b     DHE-RSA-AES256-SHA256          DH 2048    AES        256                                                                                    
     x39     DHE-RSA-AES256-SHA             DH 2048    AES        256                                                                                    
     x9d     AES256-GCM-SHA384              RSA        AESGCM     256                                                                                    
     x3d     AES256-SHA256                  RSA        AES        256                                                                                    
     x35     AES256-SHA                     RSA        AES        256                                                                                    
     xc02f   ECDHE-RSA-AES128-GCM-SHA256    ECDH 256   AESGCM     128                                                                                    
     xc027   ECDHE-RSA-AES128-SHA256        ECDH 256   AES        128                                                                                    
     xc013   ECDHE-RSA-AES128-SHA           ECDH 256   AES        128                                                                                    
     x9e     DHE-RSA-AES128-GCM-SHA256      DH 2048    AESGCM     128                                                                                    
     x67     DHE-RSA-AES128-SHA256          DH 2048    AES        128                                                                                    
     x33     DHE-RSA-AES128-SHA             DH 2048    AES        128                                                                                    
     x9c     AES128-GCM-SHA256              RSA        AESGCM     128                                                                                    
     x3c     AES128-SHA256                  RSA        AES        128                                                                                    
     x2f     AES128-SHA                     RSA        AES        128                                                                                    
    
    
     
    Last edited: Dec 9, 2015
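
The cipherscan table in the post above shows what the server offers in general, but HTTP/2 narrows it: RFC 7540 section 9.2.2 and Appendix A blacklist TLS 1.2 suites that lack an ephemeral key exchange or an AEAD cipher. The script below is an added example, not part of the thread or of cipherscan; the function names and sample rows are constructed, and recognising AEAD suites by their OpenSSL name is an assumption.

```python
"""Check a cipherscan table against HTTP/2's TLS 1.2 cipher suite rules."""

# RFC 7540 section 9.2.2: h2 over TLS 1.2 must support this suite
# (OpenSSL name of TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256).
H2_MANDATORY_SUITE = "ECDHE-RSA-AES128-GCM-SHA256"

# Assumption: AEAD suites are recognised by these substrings of the OpenSSL name.
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")

# Constructed sample rows in the column layout cipherscan prints.
SAMPLE_TABLE = """\
prio  ciphersuite                  protocols              pfs                 curves
1     ECDHE-RSA-CHACHA20-POLY1305  TLSv1.2                ECDH,P-256,256bits  prime256v1
2     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-256,256bits  prime256v1
3     DHE-RSA-AES128-GCM-SHA256    TLSv1.2                DH,2048bits         None
4     ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,P-256,256bits  prime256v1
5     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits  prime256v1
6     AES128-GCM-SHA256            TLSv1.2                None                None
7     AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  None                None
"""


def parse_cipherscan(text):
    """Return the table rows as dicts, sorted by server priority."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        # Data rows have exactly five columns and start with a numeric priority;
        # this skips the header, the progress dots and the summary lines.
        if len(fields) != 5 or not fields[0].isdigit():
            continue
        prio, suite, protocols, pfs, curves = fields
        rows.append({
            "prio": int(prio),
            "suite": suite,
            "protocols": protocols.split(","),
            "pfs": pfs,
            "curves": curves,
        })
    return sorted(rows, key=lambda r: r["prio"])


def h2_problems(row):
    """List the reasons a suite falls under the RFC 7540 Appendix A blacklist."""
    problems = []
    if row["pfs"] == "None":
        problems.append("no ephemeral key exchange")
    if not any(marker in row["suite"] for marker in AEAD_MARKERS):
        problems.append("not an AEAD cipher")
    return problems


def audit_for_h2(text):
    """Classify the TLS 1.2 suites in a cipherscan table for HTTP/2 use."""
    # HTTP/2 requires TLS 1.2 or higher, so only rows offering it matter here.
    rows = [r for r in parse_cipherscan(text) if "TLSv1.2" in r["protocols"]]
    if not rows:
        raise ValueError("no TLSv1.2 cipher rows found in input")
    allowed, flagged = [], {}
    for row in rows:
        problems = h2_problems(row)
        if problems:
            flagged[row["suite"]] = problems
        else:
            allowed.append(row["suite"])
    prio = {r["suite"]: r["prio"] for r in rows}
    # With server-side ordering the server picks the first suite in its list
    # that the client also offers, so allowed suites should all rank above
    # flagged ones.
    ranked_first = bool(allowed) and (
        not flagged
        or max(prio[s] for s in allowed) < min(prio[s] for s in flagged)
    )
    return {
        "allowed": allowed,
        "flagged": flagged,
        "has_mandatory": H2_MANDATORY_SUITE in allowed,
        "allowed_ranked_first": ranked_first,
    }


if __name__ == "__main__":
    report = audit_for_h2(SAMPLE_TABLE)
    for suite in report["allowed"]:
        print("ok       ", suite)
    for suite, reasons in report["flagged"].items():
        print("blacklist", suite, "-", "; ".join(reasons))
    print("mandatory suite offered:", report["has_mandatory"])
    print("allowed suites ranked first:", report["allowed_ranked_first"])
```

Flagged suites are still usable for HTTP/1.1 clients; the ordering check is what tells you whether an h2 client that offers both kinds will land on an allowed one.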
  3. eva2000


    h2load tool



    h2load is a part of the nghttp2 included tool set.

    help file
    Code:
    h2load --help
    Usage: h2load [OPTIONS]... [URI]...
    benchmarking tool for HTTP/2 and SPDY server
    
      <URI>       Specify URI to access.   Multiple URIs can be specified.
                  URIs are used  in this order for each  client.  All URIs
                  are used, then  first URI is used and then  2nd URI, and
                  so  on.  The  scheme, host  and port  in the  subsequent
                  URIs, if present,  are ignored.  Those in  the first URI
                  are used solely.  Definition of a base URI overrides all
                  scheme, host or port values.
    Options:
      -n, --requests=<N>
                  Number of  requests across all  clients.  If it  is used
                  with --timing-script-file option,  this option specifies
                  the number of requests  each client performs rather than
                  the number of requests across all clients.
                  Default: 1
      -c, --clients=<N>
                  Number  of concurrent  clients.   With  -r option,  this
                  specifies the maximum number of connections to be made.
                  Default: 1
      -t, --threads=<N>
                  Number of native threads.
                  Default: 1
      -i, --input-file=<PATH>
                  Path of a file with multiple URIs are separated by EOLs.
                  This option will disable URIs getting from command-line.
                  If '-' is given as <PATH>, URIs will be read from stdin.
                  URIs are used  in this order for each  client.  All URIs
                  are used, then  first URI is used and then  2nd URI, and
                  so  on.  The  scheme, host  and port  in the  subsequent
                  URIs, if present,  are ignored.  Those in  the first URI
                  are used solely.  Definition of a base URI overrides all
                  scheme, host or port values.
      -m, --max-concurrent-streams=(auto|<N>)
                  Max concurrent streams to  issue per session.  If "auto"
                  is given, the number of given URIs is used.
                  Default: auto
      -w, --window-bits=<N>
                  Sets the stream level initial window size to (2**<N>)-1.
                  For SPDY, 2**<N> is used instead.
                  Default: 30
      -W, --connection-window-bits=<N>
                  Sets  the  connection  level   initial  window  size  to
                  (2**<N>)-1.  For SPDY, if <N>  is strictly less than 16,
                  this option  is ignored.   Otherwise 2**<N> is  used for
                  SPDY.
                  Default: 30
      -H, --header=<HEADER>
                  Add/Override a header to the requests.
      --ciphers=<SUITE>
                  Set allowed  cipher list.  The  format of the  string is
                  described in OpenSSL ciphers(1).
      -p, --no-tls-proto=<PROTOID>
                  Specify ALPN identifier of the  protocol to be used when
                  accessing http URI without SSL/TLS.
                  Available protocols: spdy/2, spdy/3, spdy/3.1, h2c and
                  http/1.1
                  Default: h2c
      -d, --data=<PATH>
                  Post FILE to  server.  The request method  is changed to
                  POST.
      -r, --rate=<N>
                  Specifies  the  fixed  rate  at  which  connections  are
                  created.   The   rate  must   be  a   positive  integer,
                  representing the  number of  connections to be  made per
                  rate period.   The maximum  number of connections  to be
                  made  is  given  in  -c   option.   This  rate  will  be
                  distributed among  threads as  evenly as  possible.  For
                  example,  with   -t2  and   -r4,  each  thread   gets  2
                  connections per period.  When the rate is 0, the program
                  will run  as it  normally does, creating  connections at
                  whatever variable rate it  wants.  The default value for
                  this option is 0.
      --rate-period=<DURATION>
                  Specifies the time  period between creating connections.
                  The period  must be a positive  number, representing the
                  length of the period in time.  This option is ignored if
                  the rate option is not used.  The default value for this
                  option is 1s.
      -T, --connection-active-timeout=<DURATION>
                  Specifies  the maximum  time that  h2load is  willing to
                  keep a  connection open,  regardless of the  activity on
                  said connection.  <DURATION> must be a positive integer,
                  specifying the amount of time  to wait.  When no timeout
                  value is  set (either  active or inactive),  h2load will
                  keep  a  connection  open indefinitely,  waiting  for  a
                  response.
      -N, --connection-inactivity-timeout=<DURATION>
                  Specifies the amount  of time that h2load  is willing to
                  wait to see activity  on a given connection.  <DURATION>
                  must  be a  positive integer,  specifying the  amount of
                  time  to wait.   When no  timeout value  is set  (either
                  active or inactive), h2load  will keep a connection open
                  indefinitely, waiting for a response.
      --timing-script-file=<PATH>
                  Path of a file containing one or more lines separated by
                  EOLs.  Each script line is composed of two tab-separated
                  fields.  The first field represents the time offset from
                  the start of execution, expressed as a positive value of
                  milliseconds  with microsecond  resolution.  The  second
                  field represents the URI.  This option will disable URIs
                  getting from  command-line.  If '-' is  given as <PATH>,
                  script lines will be read  from stdin.  Script lines are
                  used in order for each client.   If -n is given, it must
                  be less  than or  equal to the  number of  script lines,
                  larger values are clamped to the number of script lines.
                  If -n is not given,  the number of requests will default
                  to the  number of  script lines.   The scheme,  host and
                  port defined in  the first URI are  used solely.  Values
                  contained  in  other  URIs,  if  present,  are  ignored.
                  Definition of a  base URI overrides all  scheme, host or
                  port values.
      -B, --base-uri=<URI>
                  Specify URI from which the scheme, host and port will be
                  used  for  all requests.   The  base  URI overrides  all
                  values  defined either  at  the command  line or  inside
                  input files.
      --npn-list=<LIST>
                  Comma delimited list of  ALPN protocol identifier sorted
                  in the  order of preference.  That  means most desirable
                  protocol comes  first.  This  is used  in both  ALPN and
                  NPN.  The parameter must be  delimited by a single comma
                  only  and any  white spaces  are  treated as  a part  of
                  protocol string.
                  Default: h2,h2-16,h2-14,spdy/3.1,spdy/3,spdy/2,http/1.1
      --h1        Short        hand         for        --npn-list=http/1.1
                  --no-tls-proto=http/1.1,    which   effectively    force
                  http/1.1 for both http and https URI.
      -v, --verbose
                  Output debug information.
      --version   Display version information and exit.
      -h, --help  Display this help and exit.
    
    --
    
      The <DURATION> argument is an integer and an optional unit (e.g., 1s
      is 1 second and 500ms is 500 milliseconds).  Units are h, m, s or ms
      (hours, minutes, seconds and milliseconds, respectively).  If a unit
      is omitted, a second is used as unit.

    Centmin Mod Nginx HTTP/2 Tests



    Against centminmod.com

    h2load test with 10 concurrent clients, 100 max concurrent streams and 100 requests against centminmod.com over HTTP/2 on port 443
    Code:
    /usr/local/bin/h2load -c10 -m100 -n10 -v https://centminmod.com:443                           
    starting benchmark...
    spawning thread #0: 10 total client(s). 10 total requests
    TLS Protocol: TLSv1.2
    Cipher: ECDHE-RSA-AES128-GCM-SHA256
    Server Temp Key: ECDH P-256 256 bits
    Application protocol: h2
    progress: 10% done
    progress: 20% done
    progress: 30% done
    progress: 40% done
    progress: 50% done
    progress: 60% done
    progress: 70% done
    progress: 80% done
    progress: 90% done
    progress: 100% done
    
    finished in 741.63ms, 13.48 req/s, 1.90MB/s
    requests: 10 total, 10 started, 10 done, 10 succeeded, 0 failed, 0 errored, 0 timeout
    status codes: 10 2xx, 0 3xx, 0 4xx, 0 5xx
    traffic: 1480980 bytes total, 3740 bytes headers (space savings 0.53%), 1474860 bytes data
                         min         max         mean         sd        +/- sd
    time for request:   156.19ms    652.72ms    418.38ms    159.59ms    60.00%
    time for connect:    42.83ms     87.13ms     64.59ms     17.02ms    40.00%
    time to 1st byte:   159.45ms    678.37ms    431.71ms    168.17ms    60.00%
    req/s (client)  :       1.35        5.02        2.47        1.16    80.00%

    Centmin Mod Nginx HTTP/2 Tests



    h2load test against my Letsencrypt free SSL enabled Centmin Mod Nginx HTTP/2 server at le12.http2ssl.xyz:443
    Code:
    /usr/local/bin/h2load -c10 -m100 -n10 -v https://le12.http2ssl.xyz:443          
    starting benchmark...
    spawning thread #0: 10 total client(s). 10 total requests
    TLS Protocol: TLSv1.2
    Cipher: ECDHE-RSA-AES128-GCM-SHA256
    Server Temp Key: ECDH P-256 256 bits
    Application protocol: h2
    progress: 10% done
    progress: 20% done
    progress: 30% done
    progress: 40% done
    progress: 50% done
    progress: 60% done
    progress: 70% done
    progress: 80% done
    progress: 90% done
    progress: 100% done
    
    finished in 78.89ms, 126.76 req/s, 263.42KB/s
    requests: 10 total, 10 started, 10 done, 10 succeeded, 0 failed, 0 errored, 0 timeout
    status codes: 10 2xx, 0 3xx, 0 4xx, 0 5xx
    traffic: 21280 bytes total, 2290 bytes headers (space savings 14.23%), 18320 bytes data
                         min         max         mean         sd        +/- sd
    time for request:    12.18ms     15.28ms     13.97ms      1.27ms    60.00%
    time for connect:    44.10ms     62.14ms     52.38ms      6.90ms    60.00%
    time to 1st byte:    56.30ms     77.42ms     66.36ms      8.11ms    60.00%
    req/s (client)  :      12.91       17.74       15.28        1.86    60.00%

    Caddy HTTP/2 Tests



    h2load test against my Letsencrypt free SSL enabled Caddy 0.80 HTTP/2 server at le12.http2ssl.xyz:445
    Code:
    /usr/local/bin/h2load -c10 -m100 -n10 -v https://le12.http2ssl.xyz:445
    starting benchmark...
    spawning thread #0: 10 total client(s). 10 total requests
    TLS Protocol: TLSv1.2
    Cipher: ECDHE-RSA-AES128-GCM-SHA256
    Server Temp Key: ECDH P-256 256 bits
    Application protocol: h2
    progress: 10% done
    progress: 20% done
    progress: 30% done
    progress: 40% done
    progress: 50% done
    progress: 60% done
    progress: 70% done
    progress: 80% done
    progress: 90% done
    progress: 100% done
    
    finished in 105.26ms, 95.01 req/s, 181.85KB/s
    requests: 10 total, 10 started, 10 done, 10 succeeded, 0 failed, 0 errored, 0 timeout
    status codes: 10 2xx, 0 3xx, 0 4xx, 0 5xx
    traffic: 19600 bytes total, 740 bytes headers (space savings 54.04%), 18320 bytes data
                         min         max         mean         sd        +/- sd
    time for request:    12.46ms     15.64ms     13.57ms      1.07ms    70.00%
    time for connect:    71.42ms     88.76ms     78.97ms      5.69ms    70.00%
    time to 1st byte:    84.71ms    104.41ms     92.55ms      6.44ms    60.00%
    req/s (client)  :       9.57       11.79       10.85        0.74    60.00%

    Note: I had updated Centmin Mod Nginx to 1.9.8 too.
     
    Last edited: Dec 9, 2015