microsoftarchive / http2-katana

HTTP 2.0 with Katana

TLS 1.2 DH ciphers problem with Chrome #70

Closed squirrelfm closed 10 years ago

squirrelfm commented 10 years ago

Per the latest http2 spec, Diffie-Hellman key exchange is required. Currently our server and Chrome are not able to negotiate this. Chrome advertises other ciphers in its handshake (non-DH as well), and our server selects a non-DH cipher as a result. Then later, inside the http2 code, Chrome checks what cipher suite is selected and if it is not DH or elliptic-curve DH it throws an ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY error.

I can restrict ciphers on the server side to DH or ECDH only, but after that Chrome and the server cannot negotiate any suite at all (no_shared_cipher error). I still haven't found out why this happens; it seems there is some kind of OpenSSL builds conflict.

squirrelfm commented 10 years ago

Fixed by adding DH/ECDH default parameters when initializing SslContext in the OpenSslWrapper code.
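The two halves of this thread, the server-side cipher restriction from the first comment and the missing DH/ECDH parameters from the fix, as an added example that is not code from http2-katana or its OpenSslWrapper. It uses Python's ssl module instead of the project's C# wrapper (assumption: Python 3.7 or later linked against OpenSSL 1.1 or later). The `is_http2_cipher` check mirrors the rule in RFC 7540 section 9.2.2 and Appendix A (ephemeral key exchange plus an AEAD cipher) that makes Chrome fail with ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY after an otherwise successful handshake; the helper names and the `prime256v1` curve choice are this example's own.

```python
"""Added example (not http2-katana code): build a server TLS context whose
every offered suite satisfies the HTTP/2 cipher-suite requirement, and
check a context (or a negotiated suite name) against that requirement."""
import ssl

# HTTP/2 over TLS 1.2 (RFC 7540, section 9.2.2 / Appendix A) requires an
# ephemeral key exchange (ECDHE or DHE) and an AEAD bulk cipher. Static RSA
# or static DH key exchange and CBC-mode suites are on the black list; a
# server that picks one of those gets a completed handshake and then a
# protocol-level rejection from the client.
_AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")


def is_http2_cipher(name: str) -> bool:
    """Return True if an OpenSSL cipher-suite name is acceptable for HTTP/2."""
    # TLS 1.3 suites (OpenSSL names TLS_AES_..., TLS_CHACHA20_...) always use an
    # ephemeral key exchange and an AEAD cipher.
    if name.startswith("TLS_"):
        return True
    ephemeral = name.startswith(("ECDHE-", "DHE-"))
    aead = any(marker in name for marker in _AEAD_MARKERS)
    return ephemeral and aead


def inadequate_ciphers(ctx: ssl.SSLContext) -> list:
    """Names of suites the context would offer that an HTTP/2 client rejects."""
    return [c["name"] for c in ctx.get_ciphers() if not is_http2_cipher(c["name"])]


def http2_server_context() -> ssl.SSLContext:
    """Server context restricted the way the issue describes: ephemeral + AEAD only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Only ECDHE/DHE key exchange with AEAD ciphers, and no anonymous or
    # null suites. The server can no longer pick a static-RSA suite that the
    # client would later reject, whatever else the client advertises.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL")
    # The parameters half of the fix: ECDHE suites are only usable if the
    # server has a curve to generate its ephemeral key on. Modern OpenSSL
    # picks one automatically; older builds offer no ECDHE suite at all when
    # this is unset, which surfaces as no_shared_cipher once everything else
    # has been excluded. Curve choice here is this example's assumption.
    ctx.set_ecdh_curve("prime256v1")
    # DHE suites likewise need DH group parameters, or OpenSSL silently drops
    # them from the offer. If DHE is wanted, load a generated group here:
    #   ctx.load_dh_params("dhparam.pem")   # no such file ships with this example
    return ctx


if __name__ == "__main__":
    # An unrestricted context still offers static-RSA suites such as
    # AES128-GCM-SHA256; the restricted one offers none of them.
    loose = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    print("unrestricted context, rejected by HTTP/2:", inadequate_ciphers(loose))
    strict = http2_server_context()
    print("restricted context, rejected by HTTP/2:", inadequate_ciphers(strict))
    print("restricted context offers:", [c["name"] for c in strict.get_ciphers()])
```

The same `is_http2_cipher` applied to `ssock.cipher()[0]` on a connected socket reproduces the post-handshake check Chrome performs. With OpenSSL 1.0.x, the era of this issue, the C-level equivalents of the parameter step are SSL_CTX_set_tmp_ecdh (or SSL_CTX_set_ecdh_auto in 1.0.2) and SSL_CTX_set_tmp_dh; without them the ECDHE/DHE suites are never offered, which is why restricting the cipher list alone produced no_shared_cipher.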