Glad that Gregg pointed you the right way. Yes, I'll add that to the todos. There should be a better spec compliance check configurable in the server that gives at least logs for clients that do not comply and are turned down.
In the meantime, I have prepped a howto h2 to point people to in order to give/collect some advice. http://icing.github.io/mod_h2/howto.html That will, once stable become part of the official docs. > Am 10.10.2015 um 02:24 schrieb Jacob Champion <[email protected]>: > >> On 10/09/2015 05:11 PM, Gregg Smith wrote: >> I have no real recommendation for you but the RFC states all >> implementations must support >> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 or OpenSSL's equivalent >> ECDHE-RSA-AES128-GCM-SHA256. >> So it's a starting point. > > Perfect! After pulling it up front with > > SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:HIGH:MEDIUM:!MD5:!RC4 > > all appears to be working with Firefox. (Haven't figured out the nghttp > failure yet though.) Thanks Gregg! > > So, there's some feedback for the module then: that's a really strange > failure mode. It would be nice if something in the logs reflected the bad > cipher in use, and/or the documentation pointed this interaction out. (Or > maybe it already does and I just overlooked it?) > > --Jacob >
