[
https://issues.apache.org/jira/browse/HTTPCORE-785?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Roy Hashimoto updated HTTPCORE-785:
-----------------------------------
Affects Version/s: 5.3.6
> TLS ALPN overrides FORCE_HTTP_1
> -------------------------------
>
> Key: HTTPCORE-785
> URL: https://issues.apache.org/jira/browse/HTTPCORE-785
> Project: HttpComponents HttpCore
> Issue Type: Bug
> Components: HttpCore
> Affects Versions: 5.3.5, 5.3.6
> Reporter: Roy Hashimoto
> Priority: Minor
>
> When I use a Conscrypt SSLContext, it always uses ALPN to negotiate HTTP2
> with clients even if version policy HttpVersion.FORCE_HTTP_1 is specified. My
> standalone Kotlin reproduction code is here:
> [https://github.com/rhashimoto/httpcore5-http1-repro/blob/master/src/main/kotlin/Main.kt]
>
> This Intellij project contains a self-signed X509 certificate resource with
> CN=localhost. It builds and starts a HTTPS server on port 8443.
>
> If I restrict curl 7.88.1 to use HTTP 1.1, things work as expected:
> {{$ curl -kv --http1.1 https://localhost:8443/}}
> {{* Trying 127.0.0.1:8443...}}
> {{* Connected to localhost (127.0.0.1) port 8443 (#0)}}
> {{* ALPN: offers http/1.1}}
> {{* TLSv1.3 (OUT), TLS handshake, Client hello (1):}}
> {{* TLSv1.3 (IN), TLS handshake, Server hello (2):}}
> {{* TLSv1.2 (IN), TLS handshake, Certificate (11):}}
> {{* TLSv1.2 (IN), TLS handshake, Server key exchange (12):}}
> {{* TLSv1.2 (IN), TLS handshake, Server finished (14):}}
> {{* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):}}
> {{* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):}}
> {{* TLSv1.2 (OUT), TLS handshake, Finished (20):}}
> {{* TLSv1.2 (IN), TLS handshake, Finished (20):}}
> {{* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256}}
> {{* ALPN: server accepted http/1.1}}
> {{* Server certificate:}}
> {{* subject: CN=localhost}}
> {{* start date: Sep 18 22:47:40 2025 GMT}}
> {{* expire date: Sep 16 22:47:40 2035 GMT}}
> {{* issuer: CN=localhost}}
> {{* SSL certificate verify result: self-signed certificate (18), continuing
> anyway.}}
> {{* using HTTP/1.1}}
> {{> GET / HTTP/1.1}}
> {{> Host: localhost:8443}}
> {{> User-Agent: curl/7.88.1}}
> {{> Accept: */*}}
> {{> }}
> {{< HTTP/1.1 200 OK}}
> {{< Date: Tue, 23 Sep 2025 18:01:18 GMT}}
> {{< Server: Apache-HttpCore/5.3.5 (Java/24.0.2)}}
> {{< Content-Length: 14}}
> {{< Content-Type: text/plain; charset=UTF-8}}
> {{< }}
> {{Hello, World!}}
> {{* Connection #0 to host localhost left intact}}
> But if I allow curl to negotiate the HTTP version, it chooses HTTP 2 by ALPN
> and fails:
> {{$ curl -kv https://localhost:8443/}}
> {{* Trying 127.0.0.1:8443...}}
> {{* Connected to localhost (127.0.0.1) port 8443 (#0)}}
> {{* ALPN: offers h2,http/1.1}}
> {{* TLSv1.3 (OUT), TLS handshake, Client hello (1):}}
> {{* TLSv1.3 (IN), TLS handshake, Server hello (2):}}
> {{* TLSv1.2 (IN), TLS handshake, Certificate (11):}}
> {{* TLSv1.2 (IN), TLS handshake, Server key exchange (12):}}
> {{* TLSv1.2 (IN), TLS handshake, Server finished (14):}}
> {{* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):}}
> {{* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):}}
> {{* TLSv1.2 (OUT), TLS handshake, Finished (20):}}
> {{* TLSv1.2 (IN), TLS handshake, Finished (20):}}
> {{* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256}}
> {{* ALPN: server accepted h2}}
> {{* Server certificate:}}
> {{* subject: CN=localhost}}
> {{* start date: Sep 18 22:47:40 2025 GMT}}
> {{* expire date: Sep 16 22:47:40 2035 GMT}}
> {{* issuer: CN=localhost}}
> {{* SSL certificate verify result: self-signed certificate (18), continuing
> anyway.}}
> {{* using HTTP/2}}
> {{* h2h3 [:method: GET]}}
> {{* h2h3 [:path: /]}}
> {{* h2h3 [:scheme: https]}}
> {{* h2h3 [:authority: localhost:8443]}}
> {{* h2h3 [user-agent: curl/7.88.1]}}
> {{* h2h3 [accept: */*]}}
> {{* Using Stream ID: 1 (easy handle 0x5619da01fce0)}}
> {{> GET / HTTP/2}}
> {{> Host: localhost:8443}}
> {{> user-agent: curl/7.88.1}}
> {{> accept: */*}}
> {{> }}
> {{* Empty reply from server}}
> {{* Closing connection 0}}
> {{curl: (52) Empty reply from server}}
> A workaround is to use BasicServerTlsStrategy to avoid ALPN.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
