Downgrade to HTTP/1.1 on older Windows versions #22859
Conversation
ghost
added
the
src/Servers/Kestrel/Core/src/Middleware/HttpsConnectionMiddleware.cs
Outdated
Show resolved
Hide resolved
src/Servers/Kestrel/Core/src/Middleware/HttpsConnectionMiddleware.cs
Outdated
Show resolved
Hide resolved
|
@Tratcher I'm guessing the only testing we are going to need to do here is test it out on a Windows 8 machine? |
src/Servers/Kestrel/Core/src/Middleware/HttpsConnectionMiddleware.cs
Outdated
Show resolved
Hide resolved
src/Servers/Kestrel/Core/src/Middleware/HttpsConnectionMiddleware.cs
Outdated
Show resolved
Hide resolved
|
We don't run any tests on Windows 7/Windows 8 anywhere in our CI, public or private. @HaoK I remember we removed all the different OSes from our Helix runs, is there a plan to ever bring those back? |
|
You should still these on the helix-matrix runs that run in master: https://dev.azure.com/dnceng/public/_build?definitionId=837 You can also turn them on in your PR if you want if you flip https://github.com/dotnet/aspnetcore/blob/master/.azure/pipelines/helix-matrix.yml#L34 |
|
Ah that's the missing piece, I couldn't find where the win7/win81 queues were being run so I thought we weren't running them at all. As long as we're running them somewhere I'll add tests. |
|
Hard to track down test status but according to https://helix.dot.net/api/2019-06-17/jobs/4e6d3e82-7d9a-4b49-928c-edea02bacab0/workitems/InMemory.FunctionalTests--net5.0/console the tests are passing. I'm going to also use this PR to fix/skip a bunch of tests on Windows 7/8 |
JunTaoLuo
force-pushed
the
johluo/http2-downgrade
branch
2 times, most recently
from
687d225 to
c637623
Compare
|
Given the tests were verified in https://dev.azure.com/dnceng/public/_build/results?buildId=686284&view=results with remaining test failures on helix caused by unrelated issues: #22917. I'm marking this PR as ready. |
src/Servers/Kestrel/test/InMemory.FunctionalTests/HttpsConnectionMiddlewareTests.cs
Outdated
Show resolved
Hide resolved
| // This configuration will always fail per-request, preemptively fail it here. See HttpConnection.SelectProtocol(). | ||
| if (options.HttpProtocols == HttpProtocols.Http2) | ||
| { | ||
| if (RuntimeInformation.IsOSPlatform(OSPlatform.OSX)) | ||
| { | ||
| throw new NotSupportedException(CoreStrings.HTTP2NoTlsOsx); | ||
| } | ||
| else if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows) && Environment.OSVersion.Version < new Version(6, 2)) |
There was a problem hiding this comment.
Is there any risk that someone got ALPN working on Windows 8 somehow and this change breaks them despite the AppContext switch?
There was a problem hiding this comment.
This probably warrants a breaking changes announcement.
There was a problem hiding this comment.
This definitely warrants a breaking change announcement.
If someone does have ALPN working on Windows 8, changing < new Version(6, 2) to < new Version(6, 3) would completely break them and not even the AppContext switch would work around the issue.
There was a problem hiding this comment.
ALPN support was added in Windows 8.1 so I don't think that was ever a scenario that worked. I made the change since I noticed that Windows 8.1 which was where ALPN support was first added is version 6.3 instead of 6.2. Unless there was an actual reason for allowing Http2 on Windows 8?
There was a problem hiding this comment.
No reason to allow it on Win8 without ALPN, it's the same as Win7.
| @@ -605,6 +602,12 @@ For more information on configuring HTTPS see https://go.microsoft.com/fwlink/?l | |||
| <data name="HttpsConnectionEstablished" xml:space="preserve"> | |||
| <value>Connection "{connectionId}" established using the following protocol: {protocol}</value> | |||
| </data> | |||
| <data name="HTTP2DefaultCiphersInsufficient" xml:space="preserve"> | |||
| <value>HTTP/2 over TLS is not supported on Windows versions older than Windows 10 and Windows Server 2016 due to incompatible ciphers or missing ALPN support. Falling back to HTTP/1.1 instead.</value> | |||
There was a problem hiding this comment.
Should we mention how to change the enabled ciphers and re-enable HTTP/2 on older Windows versions?
There was a problem hiding this comment.
I think the best we can do is get a aka.ms link to something like https://docs.microsoft.com/en-us/windows/win32/secauthn/tls-cipher-suites-in-windows-8-1, would that be sufficient?
There was a problem hiding this comment.
A breaking change announcement should be sufficient. We can follow up with anyone that's actually trying to make it work.
src/Servers/Kestrel/Core/src/Middleware/HttpsConnectionMiddleware.cs
Outdated
Show resolved
Hide resolved
src/Servers/Kestrel/Core/src/Middleware/HttpsConnectionMiddleware.cs
Outdated
Show resolved
Hide resolved
src/Servers/Kestrel/Core/src/Middleware/HttpsConnectionMiddleware.cs
Outdated
Show resolved
Hide resolved
src/Servers/Kestrel/test/InMemory.FunctionalTests/HttpsConnectionMiddlewareTests.cs
Show resolved
Hide resolved
JunTaoLuo
force-pushed
the
johluo/http2-downgrade
branch
from
cc38498 to
c883fb2
Compare
| @@ -605,6 +602,12 @@ For more information on configuring HTTPS see https://go.microsoft.com/fwlink/?l | |||
| <data name="HttpsConnectionEstablished" xml:space="preserve"> | |||
| <value>Connection "{connectionId}" established using the following protocol: {protocol}</value> | |||
| </data> | |||
| <data name="HTTP2DefaultCiphersInsufficient" xml:space="preserve"> | |||
| <value>HTTP/2 over TLS is not supported on Windows versions older than Windows 10 and Windows Server 2016 due to incompatible ciphers or missing ALPN support. Falling back to HTTP/1.1 instead.</value> | |||
There was a problem hiding this comment.
A breaking change announcement should be sufficient. We can follow up with anyone that's actually trying to make it work.
| // This configuration will always fail per-request, preemptively fail it here. See HttpConnection.SelectProtocol(). | ||
| if (options.HttpProtocols == HttpProtocols.Http2) | ||
| { | ||
| if (RuntimeInformation.IsOSPlatform(OSPlatform.OSX)) | ||
| { | ||
| throw new NotSupportedException(CoreStrings.HTTP2NoTlsOsx); | ||
| } | ||
| else if (RuntimeInformation.IsOSPlatform(OSPlatform.Windows) && Environment.OSVersion.Version < new Version(6, 2)) |
There was a problem hiding this comment.
No reason to allow it on Win8 without ALPN, it's the same as Win7.
src/Servers/Kestrel/Core/src/Middleware/HttpsConnectionMiddleware.cs
Outdated
Show resolved
Hide resolved
This applies to any versions strictly older than Windows 10 or Windows Server 2016
Co-authored-by: Chris Ross <[email protected]>
…are.cs Co-authored-by: Chris Ross <[email protected]>
…ionMiddlewareTests.cs Co-authored-by: Chris Ross <[email protected]>
JunTaoLuo
force-pushed
the
johluo/http2-downgrade
branch
from
2385f27 to
6f56163
Compare
|
Could you downport this to the 3.1 LTS? |
|
@ulrichb the workaround is to disable HTTP/2. Issues with a simple workaround don't usually qualify for downports. |
amcasey
added
area-networking
Addresses #16811