AW: HTTP/2 without forward secrecy (Diffie-Hellman)
Lukas Tribus
luky-37 at hotmail.com
Mon Aug 15 13:04:21 UTC 2016
Hi,
> for a test environment I successfully set up an nginx webserver (1.11.2)
> with HTTP/2.
>
> But for further tests I need to decrypt traffic with wireshark using the
> servers private key.
The way to do this is to use keyfile from your browser, so wireshark is aware of the symmetric key used for the session. See [1] and [2].
> For that I need to disable forward secrecy (since it is only a test
> environment security is not an issue)
>
> So I changed the "ssl_ciphers" in my /sites-enabled/default file from:
>
> ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
> into
> ssl_ciphers "AES128-SHA";
This cannot work, HTTP/2.0 only always certain ciphers [3]. The fact the it works in Apache means Apache violates the RFC.
Also see nginx manual [4].
Regards,
Lukas
[1] https://jimshaver.net/2015/02/11/decrypting-tls-browser-traffic-with-wireshark-the-easy-way/
[2] https://wiki.wireshark.org/SSL
[3] http://http2.github.io/http2-spec/#TLSUsage
[4] http://nginx.org/en/docs/http/ngx_http_v2_module.html#example
More information about the nginx
mailing list