-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Kirill,
Is it a good idea to use TLS+gzip for dynamic services? http://breachattack.com/ ? - -chris On 5/8/19 08:27, Kirill Ilyukhin wrote: > Mark, > > Could you please take a closer look to the issue? This happens with > Safari and native apps on iOS 11 and iOS 12 which means that Tomcat > HTTP/2 cannot be enabled for any service with iOS clients. > > If we open https://www.google.com in Safari (both iOS and Mac OS), > we see that HTML and JS are received over HTTP/2 with GZIP > compression. So in general Safari supports HTTP/2+GZIP. Could it be > that Tomcat does some sort of HTTP/2+GZIP which conforms to all the > specs but somehow is "Apple-incompatible"? Do you think some > subtle changes (including crazy ones like headers order, etc) might > fix the issue? > > Thank you, Kirill > > On Wed, 8 May 2019 at 17:08, Mark Thomas <ma...@apache.org> wrote: > >> Although I find it hard to believe, this looks like a browser >> bug. There is a similar issue with FireFox: >> https://bz.apache.org/bugzilla/show_bug.cgi?id=63354 >> >> I suggest opening an issue with Apple. >> >> Mark >> >> >> >> On 08/05/2019 05:23, Kirill Ilyukhin wrote: >>> Hi, >>> >>> I am trying to run Tomcat with HTTP/2 support. Everything works >>> perfectly fine until I enable content compression. Google >>> Chrome on Mac OS is OK with gzip compression. Apple Safari on >>> Mac >> OS >>> and iOS fail with “The operation couldn’t be completed. >>> Protocol error” (NSPOSIXErrorDomain:100). iOS URLSession also >>> does not work. Is it something wrong with my configuration or >>> code? Please see below server setup, connector configuration >>> and servlet code. >>> >>> Server version: Apache Tomcat/8.5.39 Server built: Mar 14 >>> 2019 11:24:26 UTC Server number: 8.5.39.0 OS Name: Mac >>> OS X OS Version: 10.13.6 Architecture: x86_64 JVM >>> Version: 9.0.1+11 JVM Vendor: Oracle Corporation Loaded >>> APR based Apache Tomcat Native library [1.2.21] using APR >>> version [1.6.5]. APR capabilities: IPv6 [true], sendfile >>> [true], accept filters [false], random [true]. APR/OpenSSL >>> configuration: useAprConnector [false], useOpenSSL [true] >>> OpenSSL successfully initialized [OpenSSL 1.0.2r 26 Feb 2019] >>> The ["https-openssl-nio-8080"] connector has been configured to >>> support negotiation to [h2] via ALPN >>> >>> >>> <Connector port="8080" >>> protocol="org.apache.coyote.http11.Http11NioProtocol" >>> asyncTimeout="20000" URIEncoding="utf-8" >>> acceptorThreadCount="1" >>> >>> >> compressibleMimeType="text/html,text/xml,text/plain,text/x-json,appli cation/javascript,application/json,text/css" >>> >> compression="force" >>> connectionTimeout="20000" minSpareThreads="2" >>> maxThreads="1024" processorCache="512" useSendfile="true" >>> SSLEnabled="true" secure="true" > <UpgradeProtocol >>> className="org.apache.coyote.http2.Http2Protocol" >>> >>> >> compressibleMimeType="text/html,text/xml,text/plain,text/x-json,appli cation/javascript,application/json,text/css" >>> >> compression="force" /> >>> <SSLHostConfig><Certificate certificateKeyFile="xxx" >>> certificateFile="yyy" certificateChainFile="zzz" type="RSA" >>> /></SSLHostConfig> </Connector> >>> >>> >>> public class TestServlet extends javax.servlet.http.HttpServlet >>> { protected void doGet(javax.servlet.http.HttpServletRequest >>> request, javax.servlet.http.HttpServletResponse response) >>> throws javax.servlet.ServletException, java.io.IOException { >>> response.setContentType("text/plain"); >>> response.setCharacterEncoding("utf-8"); >>> response.getWriter().write("Lorem ipsum dolor sit amet"); } } >>> >>> >>> Thank you, Kirill >>> >> >> >> --------------------------------------------------------------------- >> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> >> > -----BEGIN PGP SIGNATURE----- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlzS/v4ACgkQHPApP6U8 pFiy+A/9H0nCzh6M26+BZgWkdEIsQHqRV9nmdsO/durBFKZdLQ0spexkf16JEltS cUdAwxu8ObIgBTIitXnr4Nh2hJVJCCUVpV33ZyuKuIeTfXJo4VSEP2pkIaveaKRz bXbo003Tt1jn6278EGEhAccad7y9IVg2Et7aOMbeuUShzsJPJNnZ7xOu1VWvXjuK if3sz2+IwD5ch9vNqICpwOAnXbC4hUVy5M5oeAPP96OhCSp8iv4Th+X4ir3f3Mbl s7c5m9vxfwHe/zIBBfksrWCRgm0iznrTsOzgXsqYuuxQujkcIOnslJehMhQ0vuYV gcbJW/CxQbxSsQZmBoyBI/DECdKr5uXKkUboVOz8YpISXJyyN6BLjy2h9jjUDNRQ HO8AaqrltGvFsD6A7vQPZDWEa8mXUUQsU8x4TDVcdNIhqg+OhbeabGDBf83RRHKs 1U4MDyqo+tBNd6GV/7vciBENgL5NxmQ8csfWISijyM2+MvG4ucgaRXCfZfDNX0Kr BRfoBeDKb7p+0XutxmpyjVh5VtBPD8Cy6xmJFu1Z6Q3OsLPnWZAk/fWQMUnIqBcX egrsOjsk/A1klxVsQ/EzIbNzRB6NpoT8n0hrWpX9IIo4kyplqAn+C9VKT5pi9j6G j0Pw6b9tKQKKTyXUkizELkbVbqngrp8wIY1QSopFEx5uS397KwE= =Ww2J -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org