AW: HTTP/2 without forward secrecy (Diffie-Hellman)
luky-37 at hotmail.com
Mon Aug 15 13:04:21 UTC 2016
> for a test environment I successfully set up an nginx webserver (1.11.2)
> with HTTP/2.
> But for further tests I need to decrypt traffic with wireshark using the
> servers private key.
The way to do this is to use a keyfile from your browser, so wireshark is aware of the symmetric key used for the session. See  and .
> For that I need to disable forward secrecy (since it is only a test
> environment security is not an issue)
> So I changed the "ssl_ciphers" in my /sites-enabled/default file from:
> ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
> ssl_ciphers "AES128-SHA";
This cannot work, HTTP/2.0 only allows certain ciphers. The fact that it works in Apache means Apache violates the RFC.
Also see nginx manual .
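
The cipher restriction mentioned in the reply, as an added example that is not part of the original message: a name-based check of an nginx `ssl_ciphers` value against the criterion of RFC 7540 Appendix A, which prohibits TLS 1.2 suites without an ephemeral key exchange or without an AEAD cipher. The function names and the name-matching heuristic on OpenSSL cipher names are assumptions of this example, not nginx or OpenSSL behaviour.

```python
import re

# RFC 7540 Appendix A prohibits TLS 1.2 suites that lack an ephemeral key
# exchange or that use a null, stream or block (non-AEAD) cipher.
# Assumption: OpenSSL-style TLS 1.2 names, classified by name only.
EPHEMERAL_KX = ("ECDHE-", "DHE-")
AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")
NO_PFS = "no ephemeral key exchange (no forward secrecy)"
NO_AEAD = "not an AEAD cipher"
KEYWORD = "keyword, expand it with `openssl ciphers -v` and check each name"


def http2_problems(cipher):
    """Return why an OpenSSL TLS 1.2 cipher name is unusable for HTTP/2."""
    name = cipher.upper()
    problems = []
    if not name.startswith(EPHEMERAL_KX):
        problems.append(NO_PFS)
    if not any(marker in name for marker in AEAD_MARKERS):
        problems.append(NO_AEAD)
    return problems


def audit_ssl_ciphers(directive):
    """Map each entry of an nginx ssl_ciphers directive to its problems."""
    match = re.search(r'ssl_ciphers\s+"?([^";]+)"?\s*;', directive)
    if not match:
        raise ValueError("no ssl_ciphers directive found")
    report = {}
    for token in match.group(1).split(":"):
        token = token.strip()
        if not token or token[0] in "!-+@":
            continue  # exclusions, reorderings and @STRENGTH add no suites
        if "-" not in token:
            report[token] = [KEYWORD]  # e.g. HIGH: a set, not a single suite
        else:
            report[token] = http2_problems(token)
    return report


if __name__ == "__main__":
    # Directives modelled on the thread, plus a constructed compliant one.
    for line in ('ssl_ciphers "HIGH:!aNULL:!MD5";',
                 'ssl_ciphers "AES128-SHA";',
                 'ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256";'):
        for name, problems in audit_ssl_ciphers(line).items():
            print(f"{name:30} {'; '.join(problems) or 'acceptable for HTTP/2'}")
```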