AW: HTTP/2 without forward secrecy (Diffie-Hellman)

Lukas Tribus luky-37 at hotmail.com
Mon Aug 15 13:04:21 UTC 2016


Hi,


> for a test environment I successfully set up an nginx webserver (1.11.2) 
> with HTTP/2.
> 
> But for further tests I need to decrypt traffic with wireshark using the 
> servers private key.

The way to do this is to use keyfile from your browser, so wireshark is aware of the symmetric key used for the session. See [1] and [2].



> For that I need to disable forward secrecy (since it is only a test 
> environment security is not an issue)
> 
> So I changed the "ssl_ciphers" in my /sites-enabled/default file from:
> 
> ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
> into
> ssl_ciphers "AES128-SHA";

This cannot work, HTTP/2.0 only always certain ciphers [3]. The fact the it works in Apache means Apache violates the RFC.

Also see nginx manual [4].



Regards,

Lukas


[1] https://jimshaver.net/2015/02/11/decrypting-tls-browser-traffic-with-wireshark-the-easy-way/
[2] https://wiki.wireshark.org/SSL
[3] http://http2.github.io/http2-spec/#TLSUsage
[4] http://nginx.org/en/docs/http/ngx_http_v2_module.html#example



More information about the nginx mailing list