eousphoros / mod-spdy

OpenSSL 1.0.2 and Apache 2.4.12 port for mod-spdy

Server did not advertise SPDY protocol. #33

Closed szepeviktor closed 9 years ago

szepeviktor commented 9 years ago

Debian wheezy amd64, backported apache 2.4.10-6~bpo70+1+SID. Compiled OK.

src/spdycat -nv https://www.domain.hu/
[  0.005] NPN select next protocol: the remote server offers:
Server did not advertise SPDY protocol.
error:140920E3:SSL routines:SSL3_GET_SERVER_HELLO:parse tlsext

Apache error log:

AH01998: Connection closed to child 2 with abortive shutdown

Tool: https://github.com/tatsuhiro-t/spdylay

Please advise.

szepeviktor commented 9 years ago

Forced SPDY v2:

src/spdycat -nv -2 https://www.atlantischild.hu/
[  0.007] NPN select next protocol: the remote server offers:
          NPN selected the protocol: spdy/2
[  0.023] Handshake complete
[  0.023] send SYN_STREAM frame <version=2, flags=1, length=187>
          (stream_id=1, assoc_stream_id=0, pri=3)
          :host: www.atlantischild.hu
          :method: GET
          :path: /
          :scheme: https
          :version: HTTP/1.1
          accept: */*
          accept-encoding: gzip, deflate
          user-agent: spdylay/1.3.2-DEV

and stalling.

v998 commented 9 years ago

What is the URL of your site?

From your output I see two URLs. https://www.domain.hu/: this one does not have working TLS/SSL.

https://www.atlantischild.hu/: this one DOES NOT have an NPN extension in the protocol.

Please provide the hostname of your site so I can help you test it out.

szepeviktor commented 9 years ago

Thank you for your answer! The site is https://www.atlantischild.hu/ but it points to the old, non-SSL server. I'll post another comment when the DNS has been changed.

BTW, how do you test an SSL webserver before going live? Qualys' SSL test is only for live sites.

szepeviktor commented 9 years ago

Somehow openssl s_client does not connect with TLSv1.1 and v1.2, but browsers do. And gnutls-cli does.

v998 commented 9 years ago

openssl should connect with >TLSv1; check your openssl version.

szepeviktor commented 9 years ago

Thank you for your answer.

Now it is live: https://www.atlantischild.hu/ and has A+ from Qualys. Suddenly s_client works. Maybe a DNS issue.

szepeviktor commented 9 years ago

See also https://spdycheck.org/#atlantischild.hu and https://spdycheck.org/#blck.io; both seem broken: "Missing NPN Extension in SSL/TLS Handshake".
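To make v998's diagnosis ("DOES NOT have an NPN extension") and the spdycheck message concrete, here is an added example, not code from spdylay, mod_spdy or spdycheck, that parses a TLS 1.2 ServerHello record and lists the protocols carried in its NPN extension (type 0x3374, where the server offers a list and the client picks, which is what spdycat's "the remote server offers:" shows) and in its ALPN extension (type 16, where the server returns only the protocol it selected). The ServerHello bytes are constructed inline from the protocol list mod_spdy advertises later in this thread; nothing is fetched from a network.

```python
"""Inspect NPN / ALPN extensions in a TLS ServerHello.

Added example for this thread; not code from spdylay, mod_spdy or spdycheck.
The sample ServerHello bytes are constructed below, not captured from a server.
"""
import struct

EXT_ALPN = 16      # RFC 7301: the server echoes the ONE protocol it selected
EXT_NPN = 13172    # 0x3374, draft-agl-tls-nextprotoneg: the server OFFERS a list,
                   # the client picks and answers with a NextProtocol message


def _name_list(data: bytes) -> list:
    """Decode a sequence of 1-byte-length-prefixed protocol names."""
    names, off = [], 0
    while off < len(data):
        n = data[off]
        off += 1
        if n == 0 or off + n > len(data):          # empty names are forbidden
            raise ValueError("malformed protocol name list")
        names.append(data[off:off + n].decode("ascii"))
        off += n
    return names


def parse_server_hello(record: bytes) -> dict:
    """Return {'npn': [offered...], 'alpn': [selected], 'extensions': [types]}."""
    if len(record) < 5 or record[0] != 0x16:           # ContentType.handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 0x02:         # HandshakeType.server_hello
        raise ValueError("not a complete ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len:
        raise ValueError("truncated ServerHello")
    off = 2 + 32                                         # server_version + random
    off += 1 + hs[off]                                   # session_id
    off += 2 + 1                                         # cipher_suite + compression
    result = {"npn": [], "alpn": [], "extensions": []}
    if off >= len(hs):                                   # no extensions block at all
        return result
    ext_total = struct.unpack("!H", hs[off:off + 2])[0]
    off += 2
    end = off + ext_total
    if end != len(hs):
        raise ValueError("extensions length does not match ServerHello length")
    while off < end:
        ext_type, ext_len = struct.unpack("!HH", hs[off:off + 4])
        off += 4
        data = hs[off:off + ext_len]
        if len(data) != ext_len:
            raise ValueError("truncated extension %d" % ext_type)
        off += ext_len
        result["extensions"].append(ext_type)
        if ext_type == EXT_NPN:
            result["npn"] = _name_list(data)
        elif ext_type == EXT_ALPN:
            list_len = struct.unpack("!H", data[:2])[0]
            result["alpn"] = _name_list(data[2:2 + list_len])
    return result


def diagnose(record: bytes) -> str:
    """One-line verdict in the spirit of the spdycat / spdycheck output."""
    info = parse_server_hello(record)
    spdy = [p for p in info["npn"] if p.startswith("spdy/")]
    if spdy:
        return "SPDY offered via NPN: " + ", ".join(spdy)
    if info["npn"]:
        return "NPN present but no SPDY protocol offered: " + ", ".join(info["npn"])
    return "Missing NPN Extension in SSL/TLS Handshake"


# --- constructed sample data (not a real capture) -------------------------
def build_server_hello(extensions: list) -> bytes:
    """Minimal TLS 1.2 ServerHello carrying the given [(type, data)] extensions."""
    hs = b"\x03\x03" + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
    if extensions:
        ext_body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        hs += struct.pack("!H", len(ext_body)) + ext_body
    body = b"\x02" + len(hs).to_bytes(3, "big") + hs
    return b"\x16\x03\x03" + struct.pack("!H", len(body)) + body


def npn_ext(names: list) -> bytes:
    return b"".join(bytes([len(n)]) + n.encode("ascii") for n in names)


MOD_SPDY_OFFER = ["spdy/3", "spdy/2", "http/1.1", "x-mod-spdy/0.9.4.1-3bced7d"]
HELLO_WITH_NPN = build_server_hello([(EXT_NPN, npn_ext(MOD_SPDY_OFFER))])
HELLO_WITHOUT_NPN = build_server_hello([])             # the case spdycheck complained about
HELLO_WITH_ALPN = build_server_hello([(EXT_ALPN, struct.pack("!H", 9) + npn_ext(["http/1.1"]))])

if __name__ == "__main__":
    for label, rec in [("npn", HELLO_WITH_NPN), ("none", HELLO_WITHOUT_NPN), ("alpn", HELLO_WITH_ALPN)]:
        print(label, "->", diagnose(rec))
```

The parser checks every declared length against the bytes actually present and rejects empty protocol names, so a malformed or truncated hello raises instead of being silently reported as "no NPN". Note that an ALPN-only server (the third sample) legitimately yields the same "Missing NPN Extension" verdict: spdycat and spdycheck of that era negotiated SPDY over NPN only.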

szepeviktor commented 9 years ago

I am very sorry. After putting config files to /etc/apache2/modules-available the server got all-green: https://spdycheck.org/#atlantischild.hu

Now stalling at a later point:

src/spdycat -nv https://www.atlantischild.hu/
[  0.003] NPN select next protocol: the remote server offers:
          * spdy/3
          * spdy/2
          * http/1.1
          * x-mod-spdy/0.9.4.1-3bced7d
          NPN selected the protocol: spdy/3
[  0.009] Handshake complete
[  0.009] send SYN_STREAM frame <version=3, flags=1, length=227>
          (stream_id=1, assoc_stream_id=0, pri=3)
          :host: www.atlantischild.hu
          :method: GET
          :path: /
          :scheme: https
          :version: HTTP/1.1
          accept: */*
          accept-encoding: gzip, deflate
          user-agent: spdylay/1.3.2-DEV
[  0.010] recv SETTINGS frame <version=3, flags=0, length=12>
          (niv=1)
          [4(0):100]

And Chrome's SPDY Indicator tells me SPDY is disabled. Please help me.

szepeviktor commented 9 years ago

A complete spdycat looks like this:

/root/src/spdylay/src/spdycat -nv https://www.google.com/
[  0.097] NPN select next protocol: the remote server offers:
          * h2-15
          * h2-14
          * spdy/3.1
          * spdy/3
          * http/1.1
          NPN selected the protocol: spdy/3.1
[  0.127] Handshake complete
[  0.128] recv SETTINGS frame <version=3, flags=0, length=20>
          (niv=2)
          [4(1):100]
          [7(0):65536]
[  0.128] recv WINDOW_UPDATE frame <version=3, flags=0, length=8>
          (stream_id=0, delta_window_size=983040)
[  0.128] send SYN_STREAM frame <version=3, flags=1, length=221>
          (stream_id=1, assoc_stream_id=0, pri=3)
          :host: www.google.com
          :method: GET
          :path: /
          :scheme: https
          :version: HTTP/1.1
          accept: */*
          accept-encoding: gzip, deflate
          user-agent: spdylay/1.3.2-DEV
[  0.157] recv SYN_REPLY frame <version=3, flags=0, length=195>
          (stream_id=1)
          :status: 302 Found
          :version: HTTP/1.1
          alternate-protocol: 443:quic,p=0.02
          cache-control: private
          content-length: 257
          content-type: text/html; charset=UTF-8
          date: Mon, 26 Jan 2015 16:47:14 GMT
          location: https://www.google.hu/?gfe_rd=cr&ei=km_GVOiQOMuDUKGZgvAB
          server: GFE/2.0
[  0.158] recv DATA frame (stream_id=1, flags=1, length=257)
[  0.158] send GOAWAY frame <version=3, flags=0, length=8>
          (last_good_stream_id=0)

Note the different order of send SYN_STREAM frame and recv SETTINGS frame.
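To read the two spdycat traces above at the byte level, here is an added example (not spdylay or mod_spdy code) that decodes SPDY/3 control frames and prints them in spdycat's own format, including the `[id(flags):value]` rendering of SETTINGS entries. The frame bytes are constructed from the values in the google.com trace above (SETTINGS with `[4(1):100]` and `[7(0):65536]`, a WINDOW_UPDATE of 983040 on stream 0, and a GOAWAY), not captured from the wire; SYN_STREAM and SYN_REPLY header blocks are zlib-compressed with the SPDY dictionary and are left undecoded.

```python
"""Decode SPDY/3 frames the way spdycat prints them, e.g.
"recv SETTINGS frame <version=3, flags=0, length=20> (niv=2) [4(1):100] [7(0):65536]".

Added example for this thread; not spdylay or mod_spdy code. SAMPLE below is
constructed from the values in the trace, not captured from a server.
"""
import struct

CONTROL_TYPES = {1: "SYN_STREAM", 2: "SYN_REPLY", 3: "RST_STREAM", 4: "SETTINGS",
                 6: "PING", 7: "GOAWAY", 8: "HEADERS", 9: "WINDOW_UPDATE"}
SETTINGS_IDS = {1: "UPLOAD_BANDWIDTH", 2: "DOWNLOAD_BANDWIDTH", 3: "ROUND_TRIP_TIME",
                4: "MAX_CONCURRENT_STREAMS", 5: "CURRENT_CWND",
                6: "DOWNLOAD_RETRANS_RATE", 7: "INITIAL_WINDOW_SIZE",
                8: "CLIENT_CERTIFICATE_VECTOR_SIZE"}
MASK31 = 0x7FFFFFFF


def _u32(b: bytes, off: int = 0) -> int:
    return struct.unpack("!I", b[off:off + 4])[0]


def _settings(payload: bytes) -> dict:
    niv = _u32(payload)
    if len(payload) != 4 + 8 * niv:              # a lying niv must not drive the loop
        raise ValueError("SETTINGS length %d does not match niv=%d" % (len(payload), niv))
    entries = []
    for i in range(niv):
        e = payload[4 + 8 * i:12 + 8 * i]        # SPDY/3: 1 byte flags, 3 bytes ID, 4 bytes value
        sid = int.from_bytes(e[1:4], "big")
        entries.append({"id": sid, "name": SETTINGS_IDS.get(sid, "UNKNOWN"),
                        "flags": e[0], "value": _u32(e, 4)})
    return {"niv": niv, "entries": entries}


def decode_frames(buf: bytes) -> list:
    """Split a byte string into SPDY frames; raises ValueError on truncation."""
    frames, off = [], 0
    while off < len(buf):
        if len(buf) - off < 8:
            raise ValueError("truncated frame header at offset %d" % off)
        word = _u32(buf, off)
        flags = buf[off + 4]
        length = int.from_bytes(buf[off + 5:off + 8], "big")
        payload = buf[off + 8:off + 8 + length]
        if len(payload) != length:
            raise ValueError("frame at offset %d declares %d bytes, only %d present"
                             % (off, length, len(payload)))
        off += 8 + length
        if not word >> 31:                       # C bit clear: data frame
            frames.append({"type": "DATA", "stream_id": word & MASK31,
                           "flags": flags, "length": length})
            continue
        version, ftype = (word >> 16) & 0x7FFF, word & 0xFFFF
        frame = {"type": CONTROL_TYPES.get(ftype, "UNKNOWN(%d)" % ftype),
                 "version": version, "flags": flags, "length": length}
        if ftype == 4:
            frame.update(_settings(payload))
        elif ftype == 9:
            frame["stream_id"] = _u32(payload) & MASK31
            frame["delta_window_size"] = _u32(payload, 4) & MASK31
            if frame["delta_window_size"] == 0:  # spec range is 1 .. 2^31-1
                raise ValueError("WINDOW_UPDATE with zero delta")
        elif ftype == 7:
            frame["last_good_stream_id"] = _u32(payload) & MASK31
            frame["status"] = _u32(payload, 4)
        elif ftype in (1, 2, 8):
            frame["stream_id"] = _u32(payload) & MASK31
            if ftype == 1:
                frame["assoc_stream_id"] = _u32(payload, 4) & MASK31
                frame["pri"] = payload[8] >> 5        # top 3 bits, 0 = highest
                frame["header_block"] = payload[10:]  # compressed, not decoded here
            else:
                frame["header_block"] = payload[4:]
        elif ftype == 6:
            frame["id"] = _u32(payload)
        frames.append(frame)
    return frames


def format_like_spdycat(frame: dict) -> str:
    if frame["type"] == "DATA":
        return "DATA frame (stream_id=%d, flags=%d, length=%d)" % (
            frame["stream_id"], frame["flags"], frame["length"])
    line = "%s frame <version=%d, flags=%d, length=%d>" % (
        frame["type"], frame["version"], frame["flags"], frame["length"])
    if frame["type"] == "SETTINGS":
        line += " (niv=%d) " % frame["niv"] + " ".join(
            "[%d(%d):%d]" % (e["id"], e["flags"], e["value"]) for e in frame["entries"])
    elif frame["type"] == "WINDOW_UPDATE":
        line += " (stream_id=%d, delta_window_size=%d)" % (
            frame["stream_id"], frame["delta_window_size"])
    elif frame["type"] == "GOAWAY":
        line += " (last_good_stream_id=%d)" % frame["last_good_stream_id"]
    return line


# Constructed from the google.com trace: SETTINGS [4(1):100] [7(0):65536],
# WINDOW_UPDATE(stream 0, delta 983040 = 0xF0000), then GOAWAY(last_good=0).
SAMPLE = bytes.fromhex(
    "80030004" "00" "000014" "00000002" "01000004" "00000064" "00000007" "00010000"
    "80030009" "00" "000008" "00000000" "000f0000"
    "80030007" "00" "000008" "00000000" "00000000")

if __name__ == "__main__":
    for f in decode_frames(SAMPLE):
        print(format_like_spdycat(f))
```

The decoder validates the 24-bit length field against the bytes actually present and the SETTINGS entry count against the payload size before iterating, which is the check a framing parser needs so a peer cannot make it read past the buffer or spin on a bogus count.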

v998 commented 9 years ago

Would you please check or post your apache's error_log ? and i was unable to connect to the domain you stated, chrome said ERR_CONNECTION_TIMED_OUT

szepeviktor commented 9 years ago

I think you tried in the middle of a node restart by my VPS provider. Unfortunately it was in the middle of the day.

[Tue Jan 27 15:07:54.403797 2015] [spdy:info] [pid 897] [client 79.172.214.123:58931] [mod_spdy/0.9.4.1-3bced7d] [897:897:INFO:mod_spdy.cc(479)] Starting SPDY/3 session
[Tue Jan 27 15:08:00.715895 2015] [spdy:info] [pid 897] [client 79.172.214.123:58931] [mod_spdy/0.9.4.1-3bced7d] [897:897:INFO:mod_spdy.cc(494)] Terminating SPDY/3 session
[Tue Jan 27 15:10:15.381560 2015] [spdy:info] [pid 1147] [client 79.172.214.123:58943] [mod_spdy/0.9.4.1-3bced7d] [1147:1147:INFO:mod_spdy.cc(479)] Starting SPDY/3 session
[Tue Jan 27 15:10:18.554116 2015] [spdy:info] [pid 1147] [client 79.172.214.123:58943] [mod_spdy/0.9.4.1-3bced7d] [1147:1147:INFO:mod_spdy.cc(494)] Terminating SPDY/3 session

While mod_ssl-npn and mod_spdy were enabled, the original Chrome 18 on my Android phone was not able to connect. See the previous comment.

v998 commented 9 years ago

Check if there are multiple mod_ssl enabled, especially if there was a statically built one.

And here comes the bad news: Chrome 40 (the mainline version just released) has deprecated support for SPDY/3.0, which is the highest one mod_spdy can offer. So Chrome 40 will not work with SPDY. Only IE11 on Win8 and Firefox will continue to work with *mod_spdy. I hope the mod_spdy team would put some effort into SPDY/3.1, but probably they would not. Now the only way of using SPDY/3.1 would be using Nginx as a reverse proxy in front of Apache...

*typo fixed

szepeviktor commented 9 years ago

Thank you! https://github.com/tatsuhiro-t/nghttp2 is an interesting alternative. It is a pity that Apache is not ready for SPDY. I will begin testing nginx.

Do you know a solution for nginx like mpm_itk? I'd like to run the webserver workers and PHP under a normal user.

v998 commented 9 years ago

PHP under nginx (like PHP-FPM, fastcgi) can run under a normal user.

I don't have any ideas for the webserver workers...

szepeviktor commented 9 years ago

Thank you! I do not dare to install a one-user webserver on a production server with several websites.

For SPDY: http://w3techs.com/technologies/segmentation/ce-spdy/web_server

v998 commented 9 years ago

I may have misunderstood your question. I mean PHP under nginx is a separate process, so it can run as separate users. Nginx, as far as I know, would run as a user called nginx. Btw, remember to only use nginx as a reverse proxy if you have htaccess!