eousphoros / mod-spdy

OpenSSL 1.0.2 and Apache 2.4.12 port for mod-spdy

NPN not working #16

Closed chani closed 10 years ago

chani commented 10 years ago

Just as the topic states, this is not working. By the way, your "live demo" page is as well not running spdy. If you check using google chrome you'll find out that spdy is not used nor available because the server is not announcing it due to missing NPN.

Same using: http://spdycheck.org/#blck.io (I need to reload that page a few times before it actually works)

Output for: blck.io "Missing NPN Extension in SSL/TLS Handshake

Sorry, but this server is not including an NPN Entension during the SSL/TLS handshake. The NPN Extension is an additional part of the SSL/TLS ServerHello message which allows web servers to tell browsers they support additional protocols, like SPDY. SSL/TLS servers that don't use send the NPN Extension cannot use SPDY because they have no way to tell the browser to use SPDY instead of HTTP."

How did you test that spdy works for you? :-)
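The check that the spdycheck.org message above describes, whether the ServerHello carries an NPN extension, can be made directly on the handshake bytes. This is an added example, not part of the original thread or of the mod-spdy project; the function names are hypothetical and the two sample records are constructed.

```python
import struct

NPN_EXT = 13172  # 0x3374: next_protocol_negotiation extension type

def server_hello_extensions(record: bytes) -> dict:
    """Map extension type -> raw data for one TLS record carrying a ServerHello."""
    if len(record) < 9 or record[0] != 22 or record[5] != 2:
        raise ValueError("not a handshake record starting with ServerHello")
    hlen = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hlen]
    if len(hello) != hlen or hlen < 35:
        raise ValueError("truncated ServerHello")
    pos = 34                     # skip server_version (2) + random (32)
    pos += 1 + hello[pos] + 3    # session_id, cipher_suite (2), compression (1)
    if pos == len(hello):        # the extensions block is optional
        return {}
    if pos + 2 > len(hello):
        raise ValueError("truncated ServerHello")
    end = pos + 2 + struct.unpack_from("!H", hello, pos)[0]
    pos += 2
    exts = {}
    while pos < end:
        if pos + 4 > end or end > len(hello):
            raise ValueError("truncated extensions")
        etype, elen = struct.unpack_from("!HH", hello, pos)
        if pos + 4 + elen > end:
            raise ValueError("extension overruns block")
        exts[etype] = hello[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return exts

def npn_protocols(record: bytes):
    """None when the server sent no NPN extension, else the advertised list."""
    data = server_hello_extensions(record).get(NPN_EXT)
    if data is None:
        return None
    protos, i = [], 0
    while i < len(data):         # each entry: 1-byte length + protocol name
        protos.append(data[i + 1:i + 1 + data[i]].decode("ascii"))
        i += 1 + data[i]
    return protos

def _sample(exts: bytes) -> bytes:
    # Constructed ServerHello: TLS 1.2, zero random, empty session id.
    hello = b"\x03\x03" + bytes(32) + b"\x00\xc0\x2f\x00" + struct.pack("!H", len(exts)) + exts
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

_RENEG = b"\xff\x01\x00\x01\x00"                      # renegotiation_info only
_NPN = struct.pack("!HH", NPN_EXT, 18) + b"\x08spdy/3.1\x08http/1.1"
WITHOUT_NPN, WITH_NPN = _sample(_RENEG), _sample(_RENEG + _NPN)
```

`npn_protocols` returns `None` for a mod_ssl build without NPN support and the advertised list otherwise, which separates "extension missing" from "extension present but empty".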

eousphoros commented 10 years ago

Sorry, I updated ssl on that server and haven't got around to re-enabling spdy yet. Personal projects tend to suffer when paid work picks up. I'll try to get some time this week to get NPN/spdy back up online at blck.io. Though for a site that only I use. People sure care a lot about it. ;)

v998 commented 10 years ago

@chani I'd like to know what's the Apache version you're using. It seems that this mod-spdy's NPN in 2.4.10 doesn't work.

Kijewski commented 10 years ago

If I get any response from this fine service, then it's Nothing listening on 443!.

You can confirm whether or not SPDY is used by the server with Firebug. Look if the headers contain the field "X-Firefox-Spdy". (E.g. not on blck.io.)

chani commented 10 years ago

@eousphoros sorry, I could have given more information, indeed. I've set up npn and spdy as written in your quick start guide. However, it seems that npn is not working properly. After hours of trying I did check your test page and since that didn't have spdy working either I (shame on me) assumed you did something wrong claiming it works without proper checking.

@Kijewski I can only assume why that weird service does not work for you, however I did try with several tools (chrome has plugins which show you if spdy is enabled, chrome itself can show you your spdy sessions, as well - and yeah, I did try with firebug as well, it's not working.) Anyway. For that specific service I think I got the same when I did not have a forward from http:// to https://, right after having that forward it did work. Probably I should set up such a test-page myself :^)

@v998 check below

Further information:

Server version: Apache/2.4.7 (Ubuntu)
Server built: Jul 22 2014 14:36:38

root@web2:~/mod-spdy/src# sha1sum mod_ssl.so
a09d9edc42ea2ee7d5f40e6ecc29e8c30f831e5a mod_ssl.so
root@web2:~/mod-spdy/src# sha1sum /usr/lib/apache2/modules/mod_ssl.so
a09d9edc42ea2ee7d5f40e6ecc29e8c30f831e5a /usr/lib/apache2/modules/mod_ssl.so

ssl certificate in place (not a self-signed one) and working (green bar)
spdy is enabled (globally AND in virtual host)

root@web2:~/mod-spdy/src# apachectl -M | grep "spdy\|ssl"
spdy_module (shared)
ssl_module (shared)

v998 commented 10 years ago

@chani would you please also give

the results of ssllabs server test
tail apache's error_log
what's your OS (e.g. CentOS 6, Debian 7, Ubuntu 14.04)

chani commented 10 years ago

Overall Rating A-
Certificate 100
Protocol Support 90
Key exchange 90
Cipher strength 90

The server does not support Forward Secrecy with the reference browsers. Grade reduced to A-. This site works only in browsers with SNI support. This server is not vulnerable to the Heartbleed attack. Experimental: This server is not vulnerable to the OpenSSL CCS vulnerability (CVE-2014-0224).

Something specific you're interested in? No word about spdy or npn in that list.

v998 commented 10 years ago

@chani, there is Next Protocol Negotiation

chani commented 10 years ago

Next Protocol Negotiation Yes

v998 commented 10 years ago

in mod-spdy directory, please

git branch

and post output

chani commented 10 years ago

Yes, it's the master branch. Which one should I use? Just noticed, there's one for 2.4.7... Sorry. Trying...

v998 commented 10 years ago

That's the reason: you are using Apache 2.4.7, but you built mod_ssl for Apache 2.4.10 (which has an issue with NPN, in my experience). You should use the apache-2.4.7 branch

git clone https://github.com/eousphoros/mod-spdy.git --branch apache-2.4.7

and

git branch

make sure that gives out apache-2.4.7 then build, that mod_ssl should support NPN

chani commented 10 years ago

pebkac, sorry. It does work now. Thanks a lot @v998