CTX230833

HTTP2 Negotiation in NetScaler over TLS1.2

Applicable Products

  • NetScaler

Information

The HTTP/2 protocol addresses the limitations of HTTP/1.1 by transmitting less data over the network and by multiplexing multiple requests and responses across a single connection. At its core, HTTP/2 uses the underlying network connections more efficiently and changes the way requests and responses travel over the network.

HTTP/2 support is negotiated inside the TLS handshake between the client and the NetScaler. In the ClientHello the client sends the application_layer_protocol_negotiation (ALPN) extension, which lists the application protocols the client is willing to speak, in order of preference; for HTTP this is the set of HTTP versions the client supports.

 Extension: application_layer_protocol_negotiation (len=14)
     Type: application_layer_protocol_negotiation (16)
     Length: 14
     ALPN Extension Length: 12
     ALPN Protocol
         ALPN string length: 2
         ALPN Next Protocol: h2
         ALPN string length: 8
         ALPN Next Protocol: http/1.1

HTTP/2 over TLS uses the "h2" protocol identifier. The "h2c" protocol identifier MUST NOT be sent by a client or selected by a server; "h2c" describes a protocol that does not use TLS (RFC 7540, section 3.3).

When the NetScaler sends the ServerHello, it includes the same application_layer_protocol_negotiation extension, now carrying exactly one protocol: the one it selected.

 Extension: application_layer_protocol_negotiation (len=5)
     Type: application_layer_protocol_negotiation (16)
     Length: 5
     ALPN Extension Length: 3
     ALPN Protocol
         ALPN string length: 2
         ALPN Next Protocol: h2

If the NetScaler does not support HTTP/2 negotiation, the ServerHello still carries the application_layer_protocol_negotiation extension, but the selected ALPN protocol value is http/1.1.

 Extension: application_layer_protocol_negotiation (len=11)
     Type: application_layer_protocol_negotiation (16)
     Length: 11
     ALPN Extension Length: 9
     ALPN Protocol
         ALPN string length: 8
         ALPN Next Protocol: http/1.1

A deployment of HTTP/2 over TLS 1.2 SHOULD NOT use any of the cipher suites listed in the RFC 7540 cipher suite black list, which is given in https://tools.ietf.org/html/rfc7540#appendix-A. RFC 7540 (section 9.2.2) also allows a client that sees h2 negotiated together with a black-listed suite to treat it as a connection error, so the cipher configuration directly decides whether HTTP/2 actually works end to end.

Per RFC 7540, deployments of HTTP/2 that use TLS 1.2 MUST support TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 with the P-256 elliptic curve. In short, the NetScaler must be configured to accept TLS 1.2 ECDHE ciphers, so that the ServerHello it sends carries an ECDHE cipher suite; only then will the NetScaler answer h2 in the application_layer_protocol_negotiation extension.
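As an added example (not part of this article and not NetScaler code), the following Python encodes and decodes the ALPN extension exactly as laid out in the three dissector listings above, and models the server-side decision the article describes: h2 is answered only when the client offered it, HTTP/2 is enabled, and the negotiated cipher suite is acceptable. The black-list test is an assumption-level approximation: instead of embedding Appendix A, it applies the two properties RFC 7540 section 9.2.2 says the list was assembled from (an ephemeral key exchange and an AEAD cipher), checked by suite name. All function names and sample byte strings are constructed for this example.

```python
"""Added example: encode/decode the TLS ALPN extension from the dissector
listings above and model the server's h2 / http/1.1 decision. Not NetScaler
code; function names and sample data are constructed for illustration."""
import struct

ALPN_EXTENSION_TYPE = 16   # ExtensionType application_layer_protocol_negotiation
H2 = b"h2"                 # HTTP/2 over TLS (RFC 7540 section 3.3)
HTTP11 = b"http/1.1"
H2C = b"h2c"               # cleartext HTTP/2; never valid in ALPN over TLS


def encode_alpn_extension(protocols):
    """Build a complete extension: type(2) | ext_len(2) | list_len(2) | (len(1) name)*.
    The fields mirror the Wireshark output: Length, ALPN Extension Length,
    ALPN string length."""
    if not protocols:
        raise ValueError("ALPN list must contain at least one protocol")
    body = b""
    for name in protocols:
        if isinstance(name, str):
            name = name.encode("ascii")
        if not 1 <= len(name) <= 255:
            raise ValueError("ALPN protocol name must be 1..255 bytes")
        body += struct.pack("!B", len(name)) + name
    alpn_list = struct.pack("!H", len(body)) + body
    return struct.pack("!HH", ALPN_EXTENSION_TYPE, len(alpn_list)) + alpn_list


def decode_alpn_extension(data):
    """Parse a complete ALPN extension into a list of protocol names (bytes).
    Every length field is cross-checked so a truncated or padded extension
    raises instead of being silently accepted."""
    if len(data) < 8:  # smallest legal extension: headers plus one 1-byte name
        raise ValueError("extension too short")
    ext_type, ext_len = struct.unpack("!HH", data[:4])
    if ext_type != ALPN_EXTENSION_TYPE:
        raise ValueError("not an ALPN extension (type %d)" % ext_type)
    if len(data) != 4 + ext_len:
        raise ValueError("extension length does not match payload")
    (list_len,) = struct.unpack("!H", data[4:6])
    if list_len != ext_len - 2:
        raise ValueError("ALPN list length does not match extension length")
    names, pos, end = [], 6, 6 + list_len
    while pos < end:
        n = data[pos]
        pos += 1
        if n == 0 or pos + n > end:
            raise ValueError("bad ALPN protocol name length")
        names.append(bytes(data[pos:pos + n]))
        pos += n
    if not names:
        raise ValueError("ALPN list is empty")
    return names


def cipher_suite_is_h2_compatible(suite_name):
    """Approximation (assumption) of RFC 7540 Appendix A using the two properties
    section 9.2.2 says the list was built from: ephemeral key exchange and an
    AEAD cipher. Checked by IANA suite name."""
    ephemeral = suite_name.startswith(("TLS_ECDHE_", "TLS_DHE_"))
    aead = ("_GCM_" in suite_name or "_CCM" in suite_name
            or "CHACHA20_POLY1305" in suite_name)
    return ephemeral and aead


def select_alpn(client_protocols, server_supports_h2, cipher_suite):
    """Server-side choice the article describes: answer h2 only when the client
    offered it, HTTP/2 is enabled and the negotiated suite is acceptable;
    otherwise fall back to http/1.1. None means no common protocol, where
    RFC 7301 requires the server to abort with no_application_protocol."""
    if H2C in client_protocols:
        raise ValueError("h2c MUST NOT be offered in ALPN over TLS")
    if (H2 in client_protocols and server_supports_h2
            and cipher_suite_is_h2_compatible(cipher_suite)):
        return H2
    if HTTP11 in client_protocols:
        return HTTP11
    return None


if __name__ == "__main__":
    # Constructed ClientHello extension matching the first listing (len=14, list=12).
    client_ext = encode_alpn_extension([H2, HTTP11])
    offered = decode_alpn_extension(client_ext)
    chosen = select_alpn(offered, True, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256")
    print(client_ext.hex(), offered, chosen)
    # ServerHello answer, matching the second listing (len=5, list=3).
    print(encode_alpn_extension([chosen]).hex())
```

Running the block reproduces the byte layout of the first two listings (the ClientHello extension is 18 bytes on the wire, the h2 answer 9 bytes, the http/1.1 answer 15 bytes). Feeding select_alpn a non-ECDHE or non-AEAD suite with h2 offered yields http/1.1, which is the ServerHello of the third listing and the symptom the last paragraph tells the administrator to look for.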