Hi,
> for a test environment I successfully set up an nginx webserver (1.11.2)
> with HTTP/2.
>
> But for further tests I need to decrypt traffic with wireshark using the
> server's private key.

The way to do this is to use a keyfile from your browser, so wireshark is aware of the symmetric key used for the session. See [1] and [2].

> For that I need to disable forward secrecy (since it is only a test
> environment security is not an issue)
>
> So I changed the "ssl_ciphers" in my /sites-enabled/default file from:
>
> ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
> into
> ssl_ciphers "AES128-SHA";

This cannot work, HTTP/2.0 only allows certain ciphers [3]. The fact that it works in Apache means Apache violates the RFC.

Also see nginx manual [4].

Regards,
Lukas

[1] https://jimshaver.net/2015/02/11/decrypting-tls-browser-traffic-with-wireshark-the-easy-way/
[2] https://wiki.wireshark.org/SSL
[3] http://http2.github.io/http2-spec/#TLSUsage
[4] http://nginx.org/en/docs/http/ngx_http_v2_module.html#example

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
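
The trade-off discussed in this thread, as an added example (not code from the thread or from nginx): for each OpenSSL cipher-suite name it reports whether the suite meets the HTTP/2 cipher requirements and whether the server's private key alone is enough for Wireshark, or a browser key log file is needed. It assumes explicit suite names (not keywords such as `HIGH`) and classifies them by OpenSSL naming conventions, a heuristic rather than a lookup in the RFC 7540 Appendix A list; `assess` and `assess_list` are hypothetical helper names.

```python
# Added example: name-based heuristic, not a lookup in RFC 7540 Appendix A.
# Input: explicit OpenSSL suite names (not keywords such as HIGH).

EPHEMERAL_PREFIXES = ("ECDHE-", "DHE-", "EDH-")
OTHER_KX_PREFIXES = ("ECDH-", "DH-", "ADH-", "AECDH-", "PSK-", "RSA-PSK-", "SRP-")
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")


def assess(name):
    """Classify one OpenSSL cipher-suite name."""
    n = name.upper()
    tls13 = n.startswith("TLS_")  # TLS 1.3 suites: always (EC)DHE + AEAD
    ephemeral = tls13 or n.startswith(EPHEMERAL_PREFIXES)
    # OpenSSL names without a key-exchange prefix use static RSA key transport.
    static_rsa = not ephemeral and not n.startswith(OTHER_KX_PREFIXES)
    aead = tls13 or any(m in n for m in AEAD_MARKERS)
    return {
        "cipher": name,
        # HTTP/2 over TLS 1.2 wants an ephemeral key exchange and an AEAD cipher.
        "http2_ok": ephemeral and aead,
        # Static RSA: the premaster secret is encrypted to the server key, so
        # the private key alone lets Wireshark derive the session keys.
        "private_key_decrypts": static_rsa,
        # Otherwise the per-session secrets must come from a key log file.
        "needs_keylog": not static_rsa,
    }


def assess_list(cipher_string):
    """Assess a colon-separated list of suite names, e.g. an ssl_ciphers value."""
    return [assess(c) for c in cipher_string.split(":") if c]


if __name__ == "__main__":
    # "AES128-SHA" is the value from the thread; the others are constructed samples.
    sample = ("AES128-SHA:AES128-GCM-SHA256:"
              "ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256")
    for result in assess_list(sample):
        print(result)
```

To check a keyword-based `ssl_ciphers` value, expand it first with `openssl ciphers 'HIGH:!aNULL:!MD5'` and pass the resulting colon-separated names to `assess_list`.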