Platinum

HTTP/2 over TLS

Regarding inspection of HTTP/2 over TLS, there is SK116022, but what do you say? Is it valid for 77.20.87? Because I have HTTPS Inspection enabled and it does not look like it is inspecting that kind of traffic.

0 Kudos
7 Replies
Sapphire

I do not think that SK116022 was valid for 77.20.8x SMB appliances. Also, it suggests either downgrading the traffic to HTTP/1.1 for SSL Inspection, or dropping or allowing HTTP/2 without SSL inspection. So it seems there is currently no inspection of HTTP/2 over TLS possible...

0 Kudos
Platinum

How do I "downgrade" HTTP/2 to HTTP/1.1?

0 Kudos
Admin

Enable HTTPS Inspection.
Otherwise you block it using App Control.

Note that HTTP/2 support is planned for R80.40; not sure when it is planned for SMB.
0 Kudos
Platinum

Hmm, I am a bit confused here. I have HTTPS Inspection enabled and it still logs the application name as "HTTP/2 over TLS". Isn't it supposed to recognize the actual app encapsulated inside it?

Also, what will happen (from the user's point of view) if I block it?

0 Kudos
Admin

Are you sure you are HTTPS Inspecting the traffic in question?
We don't yet parse inside HTTP/2 over TLS.
The browser should be smart enough to realize HTTP/2 over TLS isn't supported and downgrade to HTTP/1.1 if you block it.
Platinum

Yes, I am sure HTTPS Inspection is in use. But you are most certainly right. It is decrypting but not parsing it inside. I will block it and see what happens. Thank you.

0 Kudos
Platinum

No, blocking does just that. Blocks it. For the connection to be downgraded to HTTP/1.1, SMB must tell the browser HTTP/2 is not supported for this connection. And it is not doing that. So, that's not an option really. Too bad because HTTP/2 connections are becoming more and more common.

0 Kudos
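
An added example, not part of the thread and not Check Point code: HTTP/2 over TLS is negotiated through the ALPN extension (RFC 7301), so a browser falls back to HTTP/1.1 only when the TLS endpoint answering it does not select `h2`. The sketch below parses the ALPN list from a constructed ClientHello and applies the server-side selection rule; `build_client_hello`, `offered_alpn` and `negotiate` are hypothetical names, and the handshake bytes are a constructed sample.

```python
import struct

def build_client_hello(alpn):
    """Constructed sample: minimal ClientHello record offering the given ALPN ids."""
    plist = b"".join(bytes([len(p)]) + p for p in alpn)
    ext = struct.pack("!HHH", 16, len(plist) + 2, len(plist)) + plist  # type 16 = ALPN
    body = (b"\x03\x03" + bytes(32) + b"\x00"     # version, random (zeros), empty session_id
            + b"\x00\x02\x13\x01" + b"\x01\x00"   # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)  # extensions block
    hs = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record type 22 = handshake

def offered_alpn(record):
    """Return the ALPN protocol ids a ClientHello offers ([] when the extension is absent)."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    pos = 5 + 4 + 2 + 32                   # record hdr, handshake hdr, version, random
    pos += 1 + record[pos]                 # session_id
    pos += 2 + int.from_bytes(record[pos:pos + 2], "big")  # cipher_suites
    pos += 1 + record[pos]                 # compression_methods
    if pos + 2 > len(record):
        return []                          # ClientHello without extensions
    end = pos + 2 + int.from_bytes(record[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", record[pos:pos + 4])
        pos += 4
        if etype == 16:                    # application_layer_protocol_negotiation
            protos, p, stop = [], pos + 2, pos + elen  # +2 skips the list length
            while p < stop:
                n = record[p]
                protos.append(record[p + 1:p + 1 + n].decode("ascii", "replace"))
                p += 1 + n
            return protos
        pos += elen
    return []

def negotiate(offered, endpoint_supported):
    """RFC 7301 selection: first endpoint-preferred protocol the client offered, else None."""
    return next((p for p in endpoint_supported if p in offered), None)

if __name__ == "__main__":
    offered = offered_alpn(build_client_hello([b"h2", b"http/1.1"]))
    print("client offers:", offered)
    # Endpoint that accepts h2: the session is HTTP/2 over TLS.
    print("h2-capable endpoint selects:", negotiate(offered, ["h2", "http/1.1"]))
    # Endpoint that only advertises http/1.1: the client downgrades during the handshake.
    print("http/1.1-only endpoint selects:", negotiate(offered, ["http/1.1"]))
```

Dropping the connection after `h2` has already been selected gives the client no such signal, which matches the behaviour described in the last reply.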