Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
HristoGrigorov

HTTP/2 over TLS

Regarding inspection of HTTP/2 over TLS there is the SK116022 but what do you say? Is it valid for 77.20.87 ? Because I have HTTPS Inspection enabled and it does not look like it is inspecting that kind of traffic.

0 Kudos
8 Replies
G_W_Albrecht
Legend Legend
Legend

I do not think that SK116022 was valid for 77.20.8x SMB appliances. Also, it suggests to either downgrade the traffic to http/1.1 for SSL Inspection or either drop or allow http/2 without SSL inspection. So it seems there currently is no inspection of HTTP/2 over TLS possible...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
HristoGrigorov

How do I "downgrade" HTTP/2 to HTTP/1.1 ?

0 Kudos
PhoneBoy
Admin
Admin

Enable HTTPS Inspection.
Otherwise you block it using App Control.

Note that HTTP/2 support is planned for R80.40, not sure when it is planned for SMB.
0 Kudos
HristoGrigorov

Hmm, I am a bit confused here. I have HTTPS Inspection enabled and it still logs application name as "HTTP/2 over TLS". Isn't it supposed to recognize the actual app encapsulated inside it ?

Also, what will happen (from user point of view) if I block it? 

0 Kudos
PhoneBoy
Admin
Admin

Are you sure you are HTTPS Inspecting the traffic in question?
We don't yet parse inside HTTP/2 over TLS yet.
The browser should be smart enough to realize HTTP/2 over TLS isn't supported and downgrade to HTTP/1.1 if you block it.
HristoGrigorov

Yes, I am sure HTTPS Inspection is in use. But you are most certainly right. It is decrypting but not parsing it inside. I will block it and see what happens. Thank you.

0 Kudos
HristoGrigorov

No, Blocking does just that. Blocks it. For the connection to be downgraded to HTTP/1.1, SMB must tell the browser HTTP/2 is not supported for this connection. And it is not doing that. So, that's not an option really. Too bad because HTTP/2 connections are becoming more and more common.

0 Kudos
Kaspars_Zibarts
Employee Employee
Employee

Hi! Want to revive this old topic 🙂 We are running R80.40 T120 and most HTTP/2 logs show no actual resource. HTTPS interception is enabled as per my screenshot. Anyone has had better answers than sk116022?

image.png

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events