Does this help?

$ curl -v --http2 https://ServerAddressInQuesion/ > /dev/null
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 23.94.173.87...
* TCP_NODELAY set
* Connected to onondagalibertarians.org (23.94.173.87) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
} [230 bytes data]
* TLSv1.2 (IN), TLS handshake, Server hello (2):
{ [108 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [2818 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
{ [1 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: CN=ServerAddressInQuesion
*  start date: Apr 28 23:40:02 2018 GMT
*  expire date: Jul 27 23:40:02 2018 GMT
*  subjectAltName: host "ServerAddressInQuesion" matched cert's "ServerAddressInQuesion"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
> GET / HTTP/1.1
> Host: ServerAddressInQuesion
> User-Agent: curl/7.55.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Fri, 20 Jul 2018 22:35:11 GMT
< Server: Apache/2.4.25 (Debian)
< Upgrade: h2,h2c
< Connection: Upgrade
< Set-Cookie: PHPSESSID=qdm1u9qfcj6fet1iv73og2kgf2; path=/
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Link: <https://ServerAddressInQuesion/index.php?rest_route=/>; rel=" https://api.w.org/"
< Link: <https://ServerAddressInQuesion>; rel=shortlink
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
< Content-Type: text/html; charset=UTF-8
<
{ [6 bytes data]
100 35836    0 35836    0     0  35836      0 --:--:-- --:--:-- --:--:-- 84718
* Connection #0 to host ServerAddressInQuesion left intact

On Fri, Jul 20, 2018 at 6:06 PM, Sebastian Andrzej Siewior <sebast...@breakpoint.cc> wrote:

> On 2018-07-20 17:16:40 [-0400], Mike Rotondo wrote:
> > I expected an update to roll out that fixed the problem
>
> Thank you for the informative bug report. If I put the pieces correctly
> together then since the point release you have your apache2 server not
> serving ALPN/h2 but only "normal" http/1.1 as you put it. Am I correct?
>
> If so, then this bug should be moved to openssl1.0 because apache2 in
> Stretch is using libssl1.0.2 and not libssl1.1. Other than that: Could
> you please check if downgrading either apache2 or libssl1.0.2 helps?
> The part that puzzles me most is that you received an update to
> libssl1.0.2 (and libssl1.1) via the point release and not via security
> which would be a good idea. Like *really* good idea.
>
> Now, if you downgrade I bet that downgrading apache2 helps. In that
> case we could move that report over to apache or close it right away. I
> speculate on apache because of this piece in its changelog [0]:
>
> |Unfortunately, this also removes support for http2 when running on
> |mpm_prefork.
>
> [0] https://tracker.debian.org/news/969425/accepted-apache2-2425-3deb9u5-source-amd64-all-into-proposed-updates-stable-new-proposed-updates/
>
> Sebastian
>
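
Added example, not part of the original thread: a shell function that reads a `curl -v` trace like the one above and reports whether ALPN actually selected h2, so the check can be repeated after a downgrade or configuration change. The function names, verdict strings and sample trace are made up for illustration; the patterns match the curl 7.55.1 message wording shown in this thread, and newer curl releases word these lines differently.

```shell
#!/bin/sh
# alpn_verdict: read a `curl -v` trace on stdin, print one verdict line.
#   h2-ok            server selected h2 via ALPN
#   h2-not-selected  client offered h2, server picked something else
#   h2-not-offered   client never offered h2 (curl built without HTTP/2)
#   no-alpn          no ALPN result in the trace at all
# "+upgrade-hdr" is appended when h2 was not selected but the response
# still advertises h2 in an Upgrade header.
alpn_verdict() {
    awk '
        { sub(/\r$/, "") }   # header lines in the trace may end in CR
        /^\* ALPN, offering h2$/            { offered = 1 }
        /^\* ALPN, server accepted to use / { accepted = $NF }
        tolower($0) ~ /^< upgrade:.*h2/     { upgrade = 1 }
        END {
            if (accepted == "h2")    verdict = "h2-ok"
            else if (accepted == "") verdict = "no-alpn"
            else if (!offered)       verdict = "h2-not-offered"
            else                     verdict = "h2-not-selected"
            if (upgrade && accepted != "h2") verdict = verdict "+upgrade-hdr"
            print verdict
        }'
}

# Constructed sample: the relevant lines of the trace in this thread,
# with a placeholder host name.
sample_trace() {
    cat <<'EOF'
* ALPN, offering h2
* ALPN, offering http/1.1
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use http/1.1
> GET / HTTP/1.1
> Host: example.invalid
< HTTP/1.1 200 OK
< Server: Apache/2.4.25 (Debian)
< Upgrade: h2,h2c
< Connection: Upgrade
EOF
}

sample_trace | alpn_verdict   # h2-not-selected+upgrade-hdr
# Live use (host is a placeholder):
#   curl -sv --http2 https://example.invalid/ -o /dev/null 2>&1 | alpn_verdict
```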