On 24/09/2015 13:30, Konstantin Kolinko wrote:
> 2015-09-24 14:58 GMT+03:00 <ma...@apache.org>:
>> Author: markt
>> Date: Thu Sep 24 11:58:05 2015
>> New Revision: 1705039
>>
>> URL: http://svn.apache.org/viewvc?rev=1705039&view=rev
>> Log:
>> Update notes for running Tomcat with HTTP/2 support.
>>
>> Modified:
>> tomcat/trunk/java/org/apache/coyote/http2/Http2UpgradeHandler.java
>>
>> Modified: tomcat/trunk/java/org/apache/coyote/http2/Http2UpgradeHandler.java
>> URL:
>> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/coyote/http2/Http2UpgradeHandler.java?rev=1705039&r1=1705038&r2=1705039&view=diff
>> ==============================================================================
>> --- tomcat/trunk/java/org/apache/coyote/http2/Http2UpgradeHandler.java
>> (original)
>> +++ tomcat/trunk/java/org/apache/coyote/http2/Http2UpgradeHandler.java Thu
>> Sep 24 11:58:05 2015
>> @@ -64,10 +64,8 @@ import org.apache.tomcat.util.res.String
>> * <br>
>> * Note:
>> * <ul>
>> - * <li>Unless Tomcat is configured with an ECC certificate, FireFox (tested
>> with
>> - * v37.0.2) needs to be configured with
>> - * network.http.spdy.enforce-tls-profile=false in order for FireFox to
>> be
>> - * able to connect.</li>
>> + * <li>Tomcat needs to be configured with honorCipherOrder="false" otherwise
>> + * Tomcat will prefer a cipher suite that is blacklisted by HTTP/2.</li>
>
> The above is odd. Note that "false" is the default.
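Review bot: The new `<li>` text presents honorCipherOrder="false" as the required setting, but as the discussion around this hunk shows, that is a workaround rather than the cause: the real problem is that the default cipher list puts a suite blacklisted by HTTP/2 ahead of an acceptable one. Setting honorCipherOrder="false" hands cipher selection to the client and gives up server-side control of the negotiated suite, so the note should also document the alternative of keeping honorCipherOrder="true" and reordering the configured cipher suites so that a non-blacklisted suite comes first (moving blacklisted ones to the end), and the default list itself should ideally be adjusted so HTTP/2 works without either change; suggested wording for the two `+` lines: "Either configure honorCipherOrder="false", or keep it "true" and order the configured cipher suites so that a suite acceptable to HTTP/2 is preferred; otherwise Tomcat will prefer a cipher suite that is blacklisted by HTTP/2."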
No it isn't. The default is true in 9.0.x.

> When it is "true", you can reorder cipher suites at server side to
> avoid blacklisted ones being selected by moving them to the end.

Indeed.

> Shouldn't strong ciphers be at the start of the default/recommended
> list?

That gets you into the speed / security trade-off argument.

I'm not against tweaking the current default cipher list so HTTP/2 works
out of the box in 9.0.x. I just haven't got around to doing it.

> When it is "false", you can change cipher suites at server side to
> omit the blacklisted ones.

No need. The client gives the non-blacklisted ones priority so it works
anyway.

Mark

>
>> * <li>You will need to nest an <UpgradeProtocol
>> * className="org.apache.coyote.http2.Http2Protocol" /> element
>> inside
>> * a TLS enabled Connector element in server.xml to enable HTTP/2
>> support.
>
> Best regards,
> Konstantin Kolinko
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
>
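The following server.xml fragment is an added example, not part of this thread or of the Tomcat project's own documentation. It shows the configuration the quoted javadoc note describes (the `<UpgradeProtocol>` element nested inside a TLS-enabled Connector) combined with the alternative Konstantin describes: keeping honorCipherOrder="true" and ordering the server's cipher list so that a suite HTTP/2 accepts comes first, instead of disabling server-side cipher preference. It assumes the Tomcat 9 `<SSLHostConfig>`/`<Certificate>` attribute syntax; the port, keystore path, password and the particular suite names are placeholders to adapt to the deployment.

```xml
<!-- Added example (not from the thread): TLS connector with HTTP/2 enabled.
     Assumes Tomcat 9 SSLHostConfig syntax; keystore path and password are placeholders. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true"
           maxThreads="150">
    <!-- The nested element from the quoted javadoc note: enables the h2 upgrade protocol. -->
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />

    <!-- Keep the server's cipher preference (honorCipherOrder="true") but put
         suites acceptable to HTTP/2 (ECDHE key exchange, AEAD cipher) first.
         Any suite you still want to offer to HTTP/1.1 clients must be listed
         after these, so it is never preferred for an h2 connection. -->
    <SSLHostConfig protocols="TLSv1.2"
                   honorCipherOrder="true"
                   ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384">
        <Certificate certificateKeystoreFile="conf/EXAMPLE-keystore.jks"
                     certificateKeystorePassword="CHANGEME"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

With this ordering the server still decides which suite is used, which is the property honorCipherOrder="false" gives up, and an HTTP/2 client that supports the first suite never ends up on a blacklisted one.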