How to enable http2 using spring boot and tomcat without SSL configuration

I have enabled HTTP 2.0 in Spring Boot 2.1.2 and Tomcat with SSL using the below configuration in the application.property file:

server.port=8443
server.http2.enabled=true
security.require-ssl=true
server.ssl.key-store-type=PKCS12
server.ssl.key-store=classpath:.keystore
server.ssl.key-store-password=xxxxxx
server.ssl.key-alias=test

It is working fine. I can see the HTTP version is printed as "HTTP/2.0", and Chrome DevTools also shows h2. BUT on disabling SSL, the HTTP version turns to 1.1.

Is HTTP 2.0 supported without SSL (https)? If it is supported, how do I configure it?

Sigma answered 31/1, 2019 at 5:43 Comment(1)
https://mcmap.net/q/1913575/-enable-http2-with-tomcat-in-spring-boot Possible duplicate. - Manutius

Browsers only support HTTP/2 over SSL/TLS. This is for both practical and ideological reasons.

On a practical side, wrapping the packets in HTTPS makes it much less likely that infrastructure that is not HTTP/2 aware will fail to cope with the new protocol. Microsoft were the only browser that said they would allow unencrypted HTTP/2 but even they didn’t in the end (apparently after seeing connection errors). HTTP/2 can also be negotiated as part of the TLS handshake which saves time upgrading to HTTP/2.

On an ideological side there is a recognition that all web traffic should be encrypted for security and privacy reasons and so browsers are encouraging HTTPS use (or to be more accurate they are discouraging plain HTTP use) by restricting access to some new features like HTTP/2 to HTTPS connections only.

Even if browsers only support HTTP/2 over HTTPS, the protocol itself does not mandate this. This allows HTTP/2 to be used over back end connections if you terminate HTTPS at the edge node, for example. The idea is that you are more in control of this traffic than the open internet that a browser typically runs over. So you can test your setup with curl, for example, to check if unencrypted HTTP/2 works (assuming you have a recent version of curl with this support):

curl --http2-prior-knowledge -v http://www.example.com

Though the usefulness of this test is debatable if you do want this for browser access.

Keenan answered 31/1, 2019 at 10:32 Comment(0)
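What the `--http2-prior-knowledge` test in the answer above checks on the wire, as an added example that is not part of the original answer: the client sends the HTTP/2 connection preface over plain TCP and an h2c-capable server replies with a SETTINGS frame, while an HTTP/1.x-only server typically answers with an HTTP/1.x status line. The function names and the sample replies are constructed for illustration.

```python
import socket
import struct

# Client connection preface defined by HTTP/2, sent before any frame.
CLIENT_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
FRAME_SETTINGS = 0x4
FLAG_ACK = 0x1


def frame(ftype, flags, stream_id, payload=b""):
    """Serialize one HTTP/2 frame: 24-bit length, type, flags, 31-bit stream id."""
    header = struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
    return header + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload


def classify_reply(data):
    """Classify the first bytes a server sends back after the cleartext preface."""
    if data.startswith(b"HTTP/1."):
        return "http/1.x"  # server parsed "PRI * HTTP/2.0" as an HTTP/1 request line
    if len(data) < 9:
        return "unknown"   # not even one complete frame header
    length = int.from_bytes(data[:3], "big")
    ftype, flags = data[3], data[4]
    stream_id = int.from_bytes(data[5:9], "big") & 0x7FFFFFFF
    # The server preface is a non-ACK SETTINGS frame on stream 0;
    # each setting is 6 bytes, so the payload length is a multiple of 6.
    if (ftype == FRAME_SETTINGS and not flags & FLAG_ACK
            and stream_id == 0 and length % 6 == 0):
        return "h2c"
    return "unknown"


def probe(host, port, timeout=3.0):
    """Send preface plus an empty SETTINGS frame over plain TCP, classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(CLIENT_PREFACE + frame(FRAME_SETTINGS, 0, 0))
        return classify_reply(sock.recv(4096))


# Constructed sample replies (not captured traffic).
SAMPLE_H2C = frame(FRAME_SETTINGS, 0, 0, struct.pack(">HI", 0x3, 100))
SAMPLE_H1 = b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n"

if __name__ == "__main__":
    print(classify_reply(SAMPLE_H2C), classify_reply(SAMPLE_H1))
```

Calling `probe("localhost", 8080)` against your own back end (host and port are placeholders) reports which of the two protocols the cleartext listener actually speaks.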
