Hi.

Am 27-09-2015 23:49, schrieb SplitIce:
> Hi All,
>
> Yesterday we discovered a possible compatibility issue with a certain
> configuration, HTTP2 and Firefox. This configuration works successfully
> in Chrome and other HTTP2 enabled browsers, however Firefox users are
> unable to connect (connection reset).
>
> The pertinent part of the configuration is a port with SSLv3 enabled in
> the supported protocols (risk associated with POODLE attack has been
> accounted and mitigated for separately).

Please can you post the output of 'nginx -V' and a anonymized config.

which version of firefox is in use?

Firefox have deactivated sslv3 by default.
https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
https://www.mozilla.org/en-US/firefox/34.0/releasenotes/

Disabled SSLv3

What shows this output of "Protocol Features" for your client?
https://www.ssllabs.com/ssltest/viewMyClient.html

Which value have 'about:config' => security.tls.version.min ?

> Test configuration:
>
> server {
> listen 443 ssl http2;
> ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
> [...]
> }
>
> Connect with Firefox (fail), connect with Chrome (pass).

Is it possible to use http2 with sslv3?!
http://nginx.org/en/docs/http/ngx_http_v2_module.html

##### cite from above link
Note that accepting HTTP/2 connections over TLS requires the
“Application-Layer Protocol Negotiation” (ALPN) TLS extension support,
which is available only since OpenSSL version 1.0.2. Using the “Next
Protocol Negotiation” (NPN) TLS extension for this purpose (available
since OpenSSL version 1.0.1) is not guaranteed.
#####

What show the firefox network analyzer tool?
https://developer.mozilla.org/en-US/docs/Tools/Network_Monitor

Is it possible to use debug log?
http://nginx.org/en/docs/debugging_log.html

> Regards,
> Mathew

Cheers
Aleks

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel