<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>So, I don't run the NGINX webserver, but I am pretty sure this is
on the remote server to serve the protocol right. SSLLabs test
shows that TLS 1.3 is just not offered.</p>
<p><a class="moz-txt-link-freetext" href="https://www.ssllabs.com/ssltest/analyze.html?d=nginx.org&s=3.125.197.172&latest">https://www.ssllabs.com/ssltest/analyze.html?d=nginx.org&s=3.125.197.172&latest</a></p>
<p>There's three other IPs (one IPv4 and two IPv6) that will very
likely reflect the same tests as well.</p>
<p>So to answer your original question:</p>
<p> > What have I done wrong or if it is your problem?</p>
<p>You didn't do anything wrong. TLS 1.2 is the only protocol
that's offered for SSL/TLS connections to the nginx.org site.</p>
<p><br>
</p>
<p>Thomas</p>
<p><br>
</p>
<div class="moz-cite-prefix">On 1/21/21 11:50 PM, David Hu wrote:<br>
</div>
<blockquote type="cite"
cite="mid:3sKUHtYAkB6vic9kPIn0KL3Lx95zSLH1ENcxBJPZ3NzuMHrOaysqXzZ51mea2dGSrcglw-KUXemjwJT3PVS4a4hUQNFleOWNG88Sk5nIZMc=@protonmail.ch">
<pre class="moz-quote-pre" wrap="">So I have to downgrade to TLS v1.2. The full command input and the connection process can be shown as follows:
./curl -vvvvv --http2-prior-knowledge --tlsv1.2 <a class="moz-txt-link-freetext" href="https://nginx.org">https://nginx.org</a>
* Trying 52.58.199.22:443...
* Connected to nginx.org (52.58.199.22) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: D:\curl-7.74.0_2-win64-mingw\bin\curl-ca-bundle.crt
* CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=nginx.org
* start date: Oct 29 16:45:05 2020 GMT
* expire date: Jan 27 16:45:05 2021 GMT
* subjectAltName: host "nginx.org" matched cert's "nginx.org"
* issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
* SSL certificate verify ok.
</pre>
<blockquote type="cite">
<pre class="moz-quote-pre" wrap="">GET / HTTP/1.1
Host: nginx.org
User-Agent: curl/7.74.0
Accept: */*
</pre>
</blockquote>
<pre class="moz-quote-pre" wrap="">* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx/1.19.0
< Date: Fri, 22 Jan 2021 04:43:32 GMT
< Content-Type: text/html; charset=utf-8
< Content-Length: 12676
< Last-Modified: Tue, 15 Dec 2020 14:58:52 GMT
< Connection: keep-alive
< Keep-Alive: timeout=15
< ETag: "5fd8cf2c-3184"
< Accept-Ranges: bytes
<
So I neogotiate with your server to force use HTTP/2 (i.e. H2) and ALPN is offering H2 and HTTP/1.1 but at the finally I only get the HTTP version HTTP/1.1 not H2. The same cURL specs and versions and specs as the above message. What have I done wrong or if it is your problem?
Thanks again.
Regards,</pre>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
nginx mailing list
<a class="moz-txt-link-abbreviated" href="mailto:nginx@nginx.org">nginx@nginx.org</a>
<a class="moz-txt-link-freetext" href="http://mailman.nginx.org/mailman/listinfo/nginx">http://mailman.nginx.org/mailman/listinfo/nginx</a></pre>
</blockquote>
</body>
</html>