Tomcat 8.5 - HTTP2 是否需要证书/SSL

Question

我找到了 Http2Protocol文档，它不支持 HTTPS？

Some protocols (e.g. HTTP/2) only support HTTP upgrade over non-secure connections.

这是一个拼写错误，还是我在使用 Tomcat HTTP2 时必须使用 HTTP 而不是 HTTPS 还是我遗漏了什么？

因为我添加了UpgradeProtocol到

<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />

对于 HTTP 连接器:

<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"/>

并使用-Xbootclasspath/p:/path/to/alpn-boot.jar将相关的alpn jar添加到JAVA_OPT

但是没有找到匹配的规则:

org.apache.tomcat.util.digester.Digester.endElement   No rules found matching 'Server/Service/UpgradeProtocol'.

我还尝试添加到连接器 openssl implementation但结果相同

sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"

Because Java 8's TLS implementation does not support ALPN (which is required for HTTP/2 over TLS), you must be using an OpenSSL based TLS implementation to enable HTTP/2 support. See the sslImplementationName attribute of the Connector

我必须为 HTTP2 使用证书/SSL 吗？

Answer 1

加密是de facto mandatory使用 http/2:

Although the standard itself does not require usage of encryption, all major client implementations (Firefox, Chrome, Safari, Opera, IE, Edge) have stated that they will only support HTTP/2 over TLS ...

因此，您需要一个带有Certificate 的完全配置的SSLHostConfig，以便通过 TLS 运行 HTTP/2。

这样的连接器可能适合您:

<Connector SSLEnabled="true" maxThreads="150" port="8443"
    protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
    secure="true"
    sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation">
    <SSLHostConfig certificateVerification="none"
        sslProtocol="TLS">
        <Certificate certificateKeyAlias="myKeyAlias"
            certificateKeystoreFile="/path/to/my/keystore.jks"
            certificateKeystorePassword="myPassword"
            certificateKeystoreType="JKS">
        </Certificate>
    </SSLHostConfig>
    <UpgradeProtocol
        className="org.apache.coyote.http2.Http2Protocol" />
</Connector>

如果你想使用 NIO2，将 protocol 更改为 org.apache.coyote.http11.Http11Nio2Protocol。

如果您想在没有 OpenSSL 的情况下使用 SSL，而是使用 java 实现 JSSE，请更改 sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"(如果您的 JRE 提供了).

---

尽管浏览器不会在未加密的连接上升级到 http/2，但在技术上可以在没有 SSL 的 Apache Tomcat 上配置 http/2 连接器并使用它，例如使用 CURL - 手动执行 http/2 升级:

<Connector SSLEnabled="false" maxThreads="150" port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol" secure="false">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
</Connector>

CURL 调试输出:

$ curl http://localhost:8444 -v --http2
...
* Connected to localhost (::1) port 8444 (#0)
> GET / HTTP/1.1
> Host: localhost:8444
> User-Agent: curl/7.60.0
> Accept: */*
> Connection: Upgrade, HTTP2-Settings
> Upgrade: h2c
> HTTP2-Settings: AAMAAABkAARAAAAAAAIAAAAA
>
< HTTP/1.1 101
< Connection: Upgrade
< Upgrade: h2c
< Date: Mon, 28 Oct 2019 12:06:18 GMT
* Received 101
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Connection state changed (MAX_CONCURRENT_STREAMS == 200)!
< HTTP/2 200
< content-type: text/html;charset=UTF-8
< date: Mon, 28 Oct 2019 12:06:18 GMT
<