AW: HTTP/2 without forward secrecy (Diffie-Hellman)

Lukas Tribus luky-37 at
Mon Aug 15 13:04:21 UTC 2016


> for a test environment I successfully set up an nginx webserver (1.11.2) 
> with HTTP/2.
> But for further tests I need to decrypt traffic with wireshark using the 
> servers private key.

The way to do this is to use keyfile from your browser, so wireshark is aware of the symmetric key used for the session. See [1] and [2].

> For that I need to disable forward secrecy (since it is only a test 
> environment security is not an issue)
> So I changed the "ssl_ciphers" in my /sites-enabled/default file from:
> ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
> into
> ssl_ciphers "AES128-SHA";

This cannot work, HTTP/2.0 only always certain ciphers [3]. The fact the it works in Apache means Apache violates the RFC.

Also see nginx manual [4].




More information about the nginx mailing list