Server negotiated HTTP/2 with blacklisted suite

Symptoms

  • HTTP/2 support is enabled on a server.
  • When trying to analyze a domain at SSLLabs the following error is reported:

    Server negotiated HTTP/2 with blacklisted suite RSA 2048 (SHA256) | TLS 1.2 > h2 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | ECDH secp256r1 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA is blacklisted for HTTP/2.

Cause

An nginx misconfiguration: ciphers blacklisted for HTTP/2 are listed before acceptable ones in the server's cipher list.

Blacklisted ciphers exist in the default configuration because the configuration is common for both HTTP v1 clients and HTTP v2 clients. If the ciphers blacklisted for HTTP v2 are removed, then some (old) HTTP v1 clients would not be able to connect via HTTP v1. Therefore these ciphers are not removed, but moved to the end of the (ordered) list.
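The following is an added example, not part of the Plesk article or its tooling: a small checker for the ordering rule described above. It classifies a suite as acceptable for HTTP/2 by the RFC 7540 section 9.2.2 criteria (ephemeral key exchange plus an AEAD cipher, which excludes every CBC suite such as the TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA in the SSLLabs report), reports the first blacklisted suite that precedes an acceptable one, and produces the reordered list. The cipher lists are constructed for illustration, not taken from a real Plesk configuration; OpenSSL alias keywords such as HIGH are not expanded, only explicit suite names are handled.

```python
# Constructed sample ssl_ciphers values (hypothetical, not a Plesk default):
# BAD_ORDER places a CBC suite (blacklisted for h2) ahead of the AEAD suites.
BAD_ORDER = ("ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:"
             "ECDHE-RSA-AES256-GCM-SHA384:!aNULL")
GOOD_ORDER = ("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
              "ECDHE-RSA-AES256-SHA:!aNULL")

# OpenSSL cipher-string directives (!x, -x, +x, @STRENGTH) are not suite names.
DIRECTIVE_PREFIXES = "!-+@"


def is_h2_acceptable(suite: str) -> bool:
    """RFC 7540 s9.2.2 rule: ephemeral key exchange (ECDHE/DHE) and an AEAD
    cipher (GCM, CCM or ChaCha20-Poly1305). Accepts both OpenSSL names
    (ECDHE-RSA-AES128-GCM-SHA256) and IANA names
    (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)."""
    name = suite.upper().replace("_", "-")
    if name.startswith("TLS-"):
        name = name[4:]
    ephemeral = name.startswith(("ECDHE-", "DHE-"))
    aead = any(tok in name for tok in ("-GCM-", "-CCM", "CHACHA20"))
    return ephemeral and aead


def _suites(cipher_list: str) -> list:
    return [s for s in cipher_list.split(":") if s and s[0] not in DIRECTIVE_PREFIXES]


def first_misordered(cipher_list: str):
    """Return (index, suite) of the first h2-blacklisted suite that precedes an
    acceptable one, or None when all acceptable suites come first (the
    ordering the article prescribes)."""
    seen_blacklisted = None
    for idx, suite in enumerate(_suites(cipher_list)):
        if is_h2_acceptable(suite):
            if seen_blacklisted is not None:
                return seen_blacklisted
        elif seen_blacklisted is None:
            seen_blacklisted = (idx, suite)
    return None


def reorder_for_h2(cipher_list: str) -> str:
    """Move blacklisted suites to the end, keeping relative order within each
    group; directives are appended unchanged after the suite names."""
    tokens = [t for t in cipher_list.split(":") if t]
    suites = [t for t in tokens if t[0] not in DIRECTIVE_PREFIXES]
    directives = [t for t in tokens if t[0] in DIRECTIVE_PREFIXES]
    ok = [s for s in suites if is_h2_acceptable(s)]
    bad = [s for s in suites if not is_h2_acceptable(s)]
    return ":".join(ok + bad + directives)
```

Running `first_misordered` over the server's current `ssl_ciphers` value before and after applying the fix gives a quick offline confirmation that no blacklisted suite is left in front of an acceptable one.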

Resolution

  1. Connect to the server using SSH.
  2. Re-enable HTTP/2 support:

    # /usr/local/psa/bin/http2_pref enable